Cerber Ransomware 5.0 Unleashed – Remove and Restore Files

cerber-5-0-ransomware-sensorstechforum-comMalware researchers have recently detected the notorious Cerber ransomware to reach a new milestone, now calling itself 5.0.0. The new Cerber ransomware is distributed by the updated RIG-V exploit kit, which is regarded as a premium exploit using software for a higher infection rate. Malware researchers feel concerned that unlike the previous Cerber ransomware versions, this one is shaping up to be even more dangerous and more widespread. It has already begun causing infections and anyone who has become an unfortunate victim and has had their files encrypted should not pay any BitCoins to the cyber-criminals behind Cerber 5.0 and read this article to learn more about the virus plus how to remove it and try to recover your files.
Image Source: feelgrafix.com

Threat Summary

Name

Cerber 5.0

TypeRansomware
Short DescriptionCerber 5.0 causes encryption via a strong cipher to the files of the affected machine as well as it’s databases if it has any. Asks for payment in BitCoin for decryption.
SymptomsThe user infected by the 5.0 Cerber version may witness ransom notes and “instructions” as a wallpaper and an .hta file, linking to a web page which is in the Onion(TOR) network. The web page has a decryptor specifically for the infected computer which it offers to sell for BitCoin payoff.
Distribution MethodVia an Exploit kit, Dll file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.
Detection Tool See If Your System Has Been Affected by Cerber 5.0

Download

Malware Removal Tool

User ExperienceJoin our forum to Discuss Cerber 5.0.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Cerber 5.0 – What Is New

New RIG-V Exploit Kit Used To Infect

The most impactful modification of all of them in the new Cerber version is the RIG-V exploit kit that is being user with heavier obfuscation than the previously utilized in Cerber v4.1.6 RIG-E (Empire Pack). This exploit kit is reported by researchers at Malware-Traffic-Analysis to be somewhat a “VIP” version of the exploit kits.

It’s new modifications include a unique URL patterns and an increase obfuscation for the landing page which causes the infection. Researchers report that the exploit software uses RC4 encryption algorithm to obfuscate the payload and hence conceal it from any antivirus programs. The exploit kit is currently being used by two large hacking campaigns, belonging to the Afraidgate and pseudoDarkleech. The methodology of this exploit kit is that it may cause an infection via connection to a website that contains an auto-injection script. This is how malware researchers explain the infection process, similar to the one user in Cerber 5.0:

cerber-5-0-rig-v-exploit-kit-infection-process
Source: Malware-Traffic-Analysis

And this compromised website may not only be a malicious URL that may be malvertised on a site or induced by a potentially unwanted program on your computer. It may also be send out as a different type of an HTML file, for example .hta(HTML application), .html, .htm. These types of files are usually posted in spam e-mails like the following Cerber spam message:

“Topic: Suspicious Bank Account Activity
Hello, we at your bank have been informed of a suspicious financial activity on your bank account. Please review the Document Number 3882-124442 from {date} for more information.
Best Regards
{Bank manager fake name}
{copied phone number}
{copied address of a bank office}”

After the user opens the malicious e-mail attachment which may either directly be carrying the exploit kit as an .exe type of file or carrying an HTML file both of which may be in a .ZIP archive, the infection becomes successful.

Cerber 5.0 Ransomware – Post-Infection Activity

After Cerber infects the user, the procedure is standard. It immediately begins inducing a privileged taskkill command in Windows Command Prompt to stop processes of databases. Here are some examples of such commands provided by Windows:

→ taskkill /pid 1230 /pid 1241 /pid 1253
taskkill /f /fi “USERNAME eq NT AUTHORITY\SYSTEM” /im notepad.exe
taskkill /s srvmain /f /im notepad.exe
taskkill /s srvmain /u maindom\hiropln /p [email protected] /fi “IMAGENAME eq note*” /im *
taskkill /s srvmain /u maindom\hiropln /fi “USERNAME ne NT*” /im *
taskkill /f /fi “PID ge 1000” /im *

These commands may allow Cerber 5.0 to stop MySQL, Oracle and Microsoft Access databases. In addition to this, the ransomware is also believed to attack the following registry subkeys, creating values with data which allows it to take over some components of Windows that give it permission to fully execute the malware and encrypt the databases plus various files:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Classes
HKEY_CURRENT_USER\Software\Classes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography

After the modification is complete, the 5th version of Cerber begins to encrypt files, rendering them with changed file names and file extension to completely random A-Z, 0-9 symbols, looking like the following:

cerber-ransomware-file-encrypted-sensorsrtechforum

Not only the files can no longer be opened, but they are appended an encryption algorithm that produces a unique decryption key which corresponds to the decryptor of the ransomware virus being sold on Cerber’s Tor-based web page, linked in the wallpaper changed by the ransomware to notify the victim:

cerber-5-0-ransomware-wallpaper-sensorstechforum-malware-com

The web page of Cerber 5.0 ransomware is exactly the same as the 4.1.6 and the other older versions of Cerber, giving the possibility to pay approximately 500 dollars and a deadline to do it:

cerber-decryptor-decrypt-1-file-for-free

Cerber 5.0 – Conclusion, Removal and File Decryption or Restoration

As a bottom line, the creators of Cerber ransomware go in parallel timelines as the ones behind Locky ransomware, creating a new variant every time Locky comes up with a new one, suggesting competition or cooperation between the two hacking groups. But we will surely be seeing more and more versions of both the viruses, primarily because of the unimaginably large-scale spamming campaigns posted by the ransomware viruses. Affiliates of a ransomware virus belived to be Locky but undisclosed by authorities were arrested several weeks ago in the UK, suggesting that the actual creators of the ransomware are making money without even having to spread the malware themselves, but working with many cyber-criminals from all over the world to generate a percentage from every ransom paid.

It is strongly advisable to not cooperate with those cyber-criminals and not pay any type of ransom to them. Instead we advise you to immediately remove Cerber 5.0’s virus files from your computer, preferably using the instructions we have posted below. In case you lack the experience in manual removal of malware, we suggest doing this in an automatic manner, by downloading and scanning your computer with an advanced malware removal software.

After having removed Cerber 5.0, we urge you to take advantage of the website of Cerber which offers 1 free file decryption after which create copies of the encrypted files by Cerber so that you can try safely the alternative tools for file restoration we have suggested below. They are not 100% guarantee you will decrypt files but users have reported on our forums that using some of the methods they were able to restore a small portion of the files(10 to 50 files).

Manually delete Cerber 5.0 from your computer

Note! Substantial notification about the Cerber 5.0 threat: Manual removal of Cerber 5.0 requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Cerber 5.0 files and objects
2.Find malicious files created by Cerber 5.0 on your PC

Automatically remove Cerber 5.0 by downloading an advanced anti-malware program

1. Remove Cerber 5.0 with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by Cerber 5.0
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

More Posts - Website

  • Andrey Savenok

    I just got this virus on my work computer opening an email with a “job applicant” resume attached. I was 50/50 suspecting foul play but still opened it. If i have thousands of work related files that I need decryption, doesn’t it make sense to pay the $500 and cut my losses?

    • Hi Andrey,

      Unfortunately, there is no guarantee that you will get a decryption key. After all, don’t forget that you are dealing with cyber criminals. In addition, ransomware payments monetize infections and further enable criminals. We suggest you invest in data recovery software.

      • Andrey Savenok

        From what I’ve read, there is no recovery software that actually recovers everything. Would the software actually rename all of my files to the proper names and extensions or file formats? And is it automatic? Or would it be a lot of manual work? Which software would you recommend?

        • You are right, no recovery software can recover absolutely everything, but some recover more than others. The software won’t rename your files, but check if their originals have been deleted and recover those. It is automatic, you just have to hit a button to scan, and then choose what to recover from the program’s findings (this could be different for different programs). You could start by trying a free tool like Recuva to see how the software works. Get back to us if you have more questions.

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.