Cerberos Ransomware (Restore Encrypted Files) - How to, Technology and PC Security Forum | SensorsTechForum.com

This article is created to help you remove Cerberos ransomware and restore the files encrypted by this infection on your computer.

A ransomware infection known as Cerberos has been detected by malware researchers to infect via a malicious executable. The virus is a variant of the notorious CyberSplitterVBS ransomware family, which has been getting more and more variants lately. The ransomware infection uses encryption to render the files on the infected computer no longer openable. Then it drops a ransom note in which the user is requested to pay a hefty ransom fee.

Threat Summary

Name: Cerberos
Type: Ransomware
Short Description: The malware encrypts the user's files with a strong encryption algorithm, so direct decryption is possible only with the unique decryption key held by the cyber-criminals.
Symptoms: The user may see ransom notes and "instructions" named cerberos that direct the victim to contact the cyber-criminals via e-mail at [email protected]. File names are changed and the .sad file extension is appended.
Distribution Method: Via an exploit kit, a DLL file attack, malicious JavaScript, or a drive-by download of the malware itself in an obfuscated form.

Cerberos Virus – How Does It Infect

The infection process of Cerberos ransomware uses a malicious file which is detected in VirusTotal as pdf.exe.

The file may be slithered onto the victim's computer via different methods:

  • Via fraudulent installers of programs.
  • Via game cracks or patches that pretend to be legitimate.
  • If the victim is redirected via Potentially Unwanted Applications to a malicious web link that causes the infection.

The main method by which the Cerberos infection is spread is via spam messages containing malicious e-mail attachments, similar to what the image below displays:

Such e-mail attachments are portrayed as legitimate documents, and the e-mail messages themselves aim to convince victims to open the attachments. They are often packed inside archives, which helps the senders get them past detection. To learn how to detect malicious archives, please visit the related article below:

Once the user opens the malicious archive and clicks on the infection file, Cerberos ransomware may drop its malicious executable, along with other malicious files, in the following Windows directories:

  • %AppData%
  • %Local%
  • %Temp%
  • %Roaming%
  • %LocalLow%
  • %Documents%

Cerberos Virus – Infection Activity

After an infection by Cerberos ransomware is complete, the virus may begin to delete the shadow copies on the infected computer. These shadow volume copies are essentially Windows' own backup snapshots of the files on the victim's computer. To do this, the virus may execute the following commands in the background with administrative permissions:

→ process call create "cmd.exe /c
vssadmin.exe delete shadows /all /quiet
bcdedit.exe /set {default} recoveryenabled no
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

These commands permanently delete the shadow copies without the user noticing.

Another aspect of the malicious activity by Cerberos virus includes using the Windows Registry editor to change system settings. One of those settings is to set the malicious files of this ransomware virus to run automatically when Windows starts up.

→ HKEY_CURRENT_USER\Control Panel\Desktop\
HKEY_USERS\.DEFAULT\Control Panel\Desktop\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

Other malicious activities associated with this ransomware virus include running fake processes that imitate legitimate Windows hosts, such as svchost.exe.
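The shadow-copy and boot-recovery commands quoted above, together with the fake svchost.exe processes just mentioned, are exactly the kind of activity a defender can catch from process-creation telemetry. The following is an added detection example (not code from the article or from any vendor): it runs simple rules over constructed, Sysmon-style process-creation records and flags the indicators this page describes. The record layout and sample values are assumptions made for the demonstration.

```python
import re

# Constructed sample process-creation records (not from a real host), shaped
# loosely like Sysmon Event ID 1 / Windows 4688 fields.
SAMPLE_EVENTS = [
    {"pid": 1204, "ppid": 980, "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c vssadmin.exe delete shadows /all /quiet"},
    {"pid": 1210, "ppid": 1204, "image": "C:\\Windows\\System32\\bcdedit.exe",
     "cmdline": "bcdedit.exe /set {default} recoveryenabled no"},
    {"pid": 1211, "ppid": 1204, "image": "C:\\Windows\\System32\\bcdedit.exe",
     "cmdline": "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"},
    {"pid": 1300, "ppid": 800, "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},          # benign: only lists
    {"pid": 1400, "ppid": 800, "image": "C:\\Users\\alice\\AppData\\Roaming\\svchost.exe",
     "cmdline": "svchost.exe"},                        # svchost outside System32
]

# Detection rules: (name, regex over the command line). They mirror the three
# commands the article quotes; matching is case-insensitive with flexible spacing.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("recovery_disabled",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I)),
    ("boot_status_ignored",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I)),
]

SYSTEM32 = "c:\\windows\\system32\\"

def svchost_outside_system32(image: str) -> bool:
    """True when a process named svchost.exe runs from anywhere but System32."""
    low = image.lower()
    return low.endswith("\\svchost.exe") and not low.startswith(SYSTEM32)

def triage(events):
    """Return (pid, rule_name) pairs for every record matching an indicator."""
    hits = []
    for ev in events:
        for name, rx in RULES:
            if rx.search(ev["cmdline"]):
                hits.append((ev["pid"], name))
        if svchost_outside_system32(ev["image"]):
            hits.append((ev["pid"], "svchost_masquerade"))
    return hits

if __name__ == "__main__":
    for pid, name in triage(SAMPLE_EVENTS):
        print(f"pid {pid}: {name}")
```

On a real host the same rules would be fed from the Sysmon or Security event log instead of the constructed list; the point is that a legitimate "vssadmin list shadows" does not fire, while the destructive variants and an svchost.exe running from a user profile do.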

Cerberos Ransomware – Encryption Process

The encryption of Cerberos ransomware virus targets primarily files that are important for the user, for instance:

  • Audio files.
  • Documents.
  • Database files.
  • Videos.
  • Images.

Besides those types of files, Cerberos may be pre-configured to encrypt a specific set of file extensions, carefully avoiding the encryption of files in the critical Windows folders, such as %Windows% and %SystemDrive%. Among the file extensions Cerberos ransomware hunts for may be the following:

"PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV CAD Files .DWG .DXF GIS Files .GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML. DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX ..INI .PRF Encoded Files .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD SDF .TAR .TAX2014 .TAX2015 .VCF .XML Audio Files .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA Video Files .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV 3D .3DM .3DS .MAX .OBJ R.BMP .DDS .GIF .JPG ..CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG"
Source: fileinfo.com

After this has completed, the ransomware infection leaves behind a screen with the following message:

Your Files has been infected By cerberos Ransomware and Your Data Is Encrypted
Contact: [email protected]

Remove Cerberos Ransomware and Restore .sad Encrypted Files

Before removing Cerberos ransomware, we strongly advise you to back up all of the encrypted files, which are no longer openable. Although they cannot be opened now, these files can be used later when a free decryptor becomes available.

Then, to remove Cerberos ransomware, it is strongly advisable to follow the removal instructions we have posted below. They are specifically designed to help you first isolate Cerberos ransomware and then manually hunt for its malicious files. If manual removal is difficult for you, experts always advise using an advanced anti-malware program to remove the malicious objects left by Cerberos completely and effectively, and to protect your computer against future infections like it.

After the removal process is complete, to restore your files we advise following the file recovery methods we have posted below in step "2. Restore files encrypted by Cerberos".
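The advice above to back up the encrypted files before removal is easy to get wrong by hand (missed folders, renamed copies). The following is an added helper (not code from the article): it copies every file carrying the .sad extension this page reports into a backup folder, keeps the relative path and timestamps, and writes a SHA-256 inventory so the copies can be verified later against a future decryptor. The directory layout in the demo is constructed in a temporary folder.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".sad"   # extension the article reports for Cerberos-encrypted files

def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large encrypted files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def backup_encrypted(root: Path, dest: Path) -> list:
    """Copy every *.sad file under root into dest (keeping the relative path) and
    return (relative_path, sha256) pairs. Files are copied, never moved or renamed,
    so the originals stay exactly as the ransomware left them."""
    inventory = []
    for src in sorted(root.rglob("*" + ENCRYPTED_EXT)):
        if not src.is_file():
            continue
        rel = src.relative_to(root)
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, target)   # copy2 preserves modification times
        inventory.append((rel.as_posix(), sha256_of(target)))
    # Plain "<hash>  <path>" lines, the format sha256sum -c understands.
    (dest / "inventory.txt").write_text(
        "".join(f"{digest}  {rel}\n" for rel, digest in inventory))
    return inventory

def demo() -> list:
    """Build a constructed victim tree in a temp dir and back it up."""
    base = Path(tempfile.mkdtemp())
    victim, backup = base / "victim", base / "backup"
    (victim / "Documents").mkdir(parents=True)
    (victim / "Documents" / "report.docx.sad").write_bytes(b"\x00ciphertext\x01")
    (victim / "photo.jpg.sad").write_bytes(b"\x02more ciphertext\x03")
    (victim / "readme.txt").write_text("not encrypted")   # must be skipped
    return backup_encrypted(victim, backup)

if __name__ == "__main__":
    for rel, digest in demo():
        print(digest, rel)
```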


To remove Cerberos follow these steps:

1. Boot Your PC In Safe Mode to isolate and remove Cerberos files and objects
2. Find files created by Cerberos on your PC
3. Scan for malware and unwanted programs with SpyHunter Anti-Malware Tool
4. Try to Restore files encrypted by Cerberos

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
