Hey you,
BE IN THE KNOW!

35,000 ransomware infections per month and you still believe you are protected?

Sign up to receive:

  • alerts
  • news
  • free how-to-remove guides

of the newest online threats - directly to your inbox:


Cerber 5.0.1 Updated Version Released – Remove and Restore Files

cerber-5-0-1-sensorstechforum-ransowmare-malwareWith the release of yet another version of the notorious Cerber ransomware, malware authors have proven that so far they cannot be stopped. The version of the malware (5.0.1) is detected in parallel with Locky’s latest update using the .zzzzz file extension, suggesting competition between the two ransomware makers. Ransomware attacks have continued to increase and users who have had their files encrypted by such viruses are requested to pay a hefty ransom fee in order to get their files back. Anyone who has been infected by the ransomware should not pay the ransom amount and are advised to immediately focus on reading this article to learn more about this particular ransomware, remove it and restore the files.

Threat Summary

Name

Cerber

TypeRansomware
Short DescriptionThe malware encrypts users files using a strong encryption algorithm, making direct decryption possible only via a unique decryption key available to the cyber-criminals.
SymptomsThe user may witness ransom notes and “instructions” linking to a web page and a decryptor. Changed file names and the file-extension .adk has been used.
Distribution MethodVia an Exploit kit, Dll file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.
Detection Tool See If Your System Has Been Affected by Cerber

Download

Malware Removal Tool

User ExperienceJoin our forum to Discuss Cerber.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Cerber 5.0.1 Ransomware – More Information

What is characteristic for the 5.0.1 version of the Cerber virus is that it is not very different in comparison to other updates of Cerber. In fact, the malware may be distributed via the very same RIG-V exploit kit, typical for the 5th version of Cerber.

The new modifications of this RIG EK include changed web links and highly obfuscated infection code in them that allows to cause a successful infection which is unnoticed by any anti-virus software. The new exploit kit which is characterized by the letter V, and outlined by researchers as a “VIP” type of exploit kit is believed to have RC4 encryption for payload obfuscation.

This means that Cerber ransomware may use .hta, .html or .htm files with which it can cause an infection via a spam message sent out to the users, just like it’s older versions did.

But another method of the infection being caused is also via malicious web links uploaded online and sent out as a message on either social media or other places that favor third-party web links.

Not only this, but Cerber ransomware also has the ability to cause an infection via thumb drives and other methods if executed hands on. This is more common when an attack versus an organization is conducted. It is also likely due to the fact that the Cerber 5.0.1 variants I also more focused on encrypting databases besides widely used types of files.

Cerber 5.0.1 – Encryption and Notification

After an infection the 5.0.1 version of Cerber ransomware may stop any actively running processes on the user that are related to:

  • MySQL databases.
  • Oracle databases.
  • Microsoft Access databases.

Not only this but Cerber 5.0.1 may also delete any shadow volume copies or other forms of backup on the compromised computer. This is technically achievable by executing the vssadmin command, for example:

dharma-ransomware-shadow-command-sensorstechforum-3

After this modification n has been completed, the Cerber ransomware begins the encryption process. It may conduct it on system boot while antivirus software has not yet started or it may immediately perform the encryption upon execution. Either way, the following file types may be affected by Cerber:

→ “PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV CAD Files .DWG .DXF GIS Files .GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML. DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX ..INI .PRF Encoded Files .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD SDF .TAR .TAX2014 .TAX2015 .VCF .XML Audio Files .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA Video Files .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV 3D .3DM .3DS .MAX .OBJ R.BMP .DDS .GIF .JPG ..CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG” Source:fileinfo.com

To encrypt the files on the compromised computer, Cerber ransomware uses advanced encryption algorithms. It uses the combination of Advanced Encryption Standard (AES) and Rivest-Shamir Adleman (RSA). This results in the producing of a unique decryption key corresponding specifically for the particular infection and this key is sent to the cyber-criminals’ command and control servers.

After this has been performed, Cerber 5.0.1 performs it’s standard activity – changes the filenames and the file extension of the encrypted files to completely random:

cerber-ransomware-file-encrypted-sensorsrtechforum

After performing this, Cerber 5.0.1 changes the wallpaper with URL’s linking to it’s standard Cerber payment web page:

cerber-ransomware-4-1-6-payment-page-sensorstechforum-com

Cerber 5.0.1 – Conclusion, Removal and File Decryption

As a bottom line, malware researchers strongly advise users not to pay any form of ransom to the cyber-criminals primarily due to the fact that collaborating with them may not get your files back and you support their criminal activities to further update Cerber. In fact, the variant 5.0.1 Is likely not the last Cerber variant we will see, because there will be many more after it, mainly because of the large affiliate network, built up by Cerber’s creators. This rapid changing of versions of the two big ransomware families, Locky being the other one is a headache for malware researchers and many feel concerned that this “trolling” may continue.

Advises if you are infected are to remove on sight and wait for a decryptor and in the meantime try the alternative methods posted below to restore your files.

To remove Cerber 5.0.1, it is advisable to follow the removal instructions below. They are designed for maximum effectiveness. In case you lack the experience in manually removing malware, we also recommend using an advanced anti-malware software to perform the removal automatically.

Manually delete Cerber from your computer

Note! Substantial notification about the Cerber threat: Manual removal of Cerber requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Cerber files and objects
2.Find malicious files created by Cerber on your PC

Automatically remove Cerber by downloading an advanced anti-malware program

1. Remove Cerber with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by Cerber
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

More Posts - Website

  • Paul Denk

    Dear all,
    all my documents are encrypted by cerber ransomware 5.0.1.
    Files changed to .9775. Does anybody know if there is a file recovery or
    decryption program for this?

    • For now there is no decryption program available. The files that become encrypted are with a different extension for everybody. You can try Data Recovery Programs to see if you can restore some files. Otherwise, just save your data somewhere and wait for a decryptor.

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.