.CerBerSysLocked Files Virus – How to Remove and Restore Data

This article aims to show you how to remove the CerBerSysLocked ransomware virus (a Xorist variant) from your computer and how to restore files that have been encrypted and had the .CerBerSysLocked0009881 file extension added to them.

A new variant of the Xorist ransomware family, known as CerBerSysLocked, has been reported to infect the computers of unsuspecting victims and then add the .CerBerSysLocked file extension, followed by random numbers, to the files it has encrypted. The virus also drops a ransom note file named HOW TO DECRYPT FILES.txt, whose sole purpose is to convince victims to pay a hefty ransom fee to the cyber-criminals in order to have the encrypted files restored and made openable once more.

Threat Summary

Name: CerBerSysLocked
Type: Ransomware, Cryptovirus
Short Description: A Xorist ransomware variant. Encrypts the files on your computer and then aims to get you to pay a hefty ransom fee in order to get them decrypted.
Symptoms: Encrypts the files on the infected computer, adding the .CerBerSysLocked0009881 file extension, and drops the HOW TO DECRYPT FILES.txt ransom note.
Distribution Method: Spam Emails, Email Attachments, Executable files

.CerBerSysLocked0009881 – How Does It Infect

The primary infection process of the .CerBerSysLocked0009881 files virus is conducted via e-mail spam campaigns, which may distribute a variety of spam e-mails across a large number of users. The recipients are deceived into thinking that the e-mails are legitimate and open the malicious infection file, which is either uploaded as an attachment or linked on an external website.

In addition to spam e-mails, the .CerBerSysLocked0009881 files virus may also be spread via other methods, such as:

  • Via fake software setups.
  • Fake game patches or cracks.
  • Fake License activation software.
  • Key generators.

.CerBerSysLocked0009881 Files Virus – More Information

Once the malicious executable of this ransomware virus is opened on your computer, it may immediately drop the malicious files in the following Windows directories:

  • %AppData%
  • %Temp%
  • %Roaming%
  • %Common%
  • %System32%
  • %Local%
  • %LocalLow%

The files that are dropped by this ransomware are two executables, which have completely random names. In addition, the ransomware virus may also modify the Windows Registry sub-keys that are responsible for running programs automatically on system boot. This results in the malware leaving registry entries, each a value string holding the location of the malicious file it wants to run automatically, within the following sub-keys:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
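
One way to review these sub-keys for leftover entries, shown as an added example that is not part of the original article: the Python below parses saved `reg query` output and lists autorun values that start from the user-writable drop locations named above. The sample output, value names and user name are constructed, and leaving %System32% out of the check is an assumption made to keep legitimate entries out of the result.

```python
import re

# Header lines `reg query` prints for the four autorun keys listed above.
RUN_KEY = re.compile(r"^HKEY_(LOCAL_MACHINE|CURRENT_USER)\\Software\\Microsoft"
                     r"\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
# Value lines: four spaces, name, four spaces, type, four spaces, data.
VALUE = re.compile(r"^ {4}(?P<name>.+?) {4}(?P<type>REG_\w+) {4}(?P<data>.*)$")
# User-writable drop locations (assumption: %System32% is left out because
# legitimate autoruns start from there and would drown the result).
WRITABLE = re.compile(r"\\(AppData\\(Roaming|Local|LocalLow)|Temp)\\"
                      r"|%(AppData|LocalAppData|Temp)%", re.I)

def suspicious_autoruns(reg_output):
    """Return (key, value name, command) for autoruns launched from a writable path."""
    hits, key = [], None
    for line in reg_output.splitlines():
        if RUN_KEY.match(line.strip()):
            key = line.strip()                      # entering one of the Run keys
        elif key and (m := VALUE.match(line)):
            if m["type"] in ("REG_SZ", "REG_EXPAND_SZ") and WRITABLE.search(m["data"]):
                hits.append((key, m["name"], m["data"]))
        elif line.strip():
            key = None                              # header of some unrelated key
    return hits

# Constructed `reg query` output for illustration only.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    qzxvbnrt    REG_SZ    C:\Users\alice\AppData\Roaming\qzxvbnrt.exe
    Updater    REG_SZ    "C:\Program Files\Example\updater.exe" /silent

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    kdfjwepo    REG_SZ    C:\Users\alice\AppData\Local\Temp\kdfjwepo.exe
"""

if __name__ == "__main__":
    for key, name, data in suspicious_autoruns(SAMPLE):
        print(f"{key}\n  {name} -> {data}")
```

Legitimate software also registers autoruns from AppData, so each hit is a candidate for review rather than a verdict.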

In addition to this, the ransomware may also attack other aspects of the infected computer, such as deleting its backed-up files or shadow volume copies. This is done by executing the following commands as an administrator without the user noticing them:

→ process call create “cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures”
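
The command above is a useful detection point, because its three parts rarely appear together in normal administration. The following Python is an added example, not part of the original article: it matches each part in process-creation records and raises the severity when more than one appears in the same command line. The record fields, host names and PIDs are constructed.

```python
import re

RULES = {
    "shadow_copy_delete": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b"),
    "recovery_disabled": re.compile(
        r"\bbcdedit(\.exe)?\s+/set\s+\S+\s+recoveryenabled\s+no\b"),
    "boot_failures_ignored": re.compile(
        r"\bbcdedit(\.exe)?\s+/set\s+\S+\s+bootstatuspolicy\s+ignoreallfailures\b"),
}

def normalise(cmdline):
    """Lower-case, drop cmd.exe carets, blank out quotes, collapse whitespace."""
    text = re.sub("[\"'“”]", " ", cmdline.lower().replace("^", ""))
    return " ".join(text.split())

def triage(events):
    """Return one alert per event whose command line matches any rule."""
    alerts = []
    for ev in events:
        cmd = normalise(ev["cmdline"])
        matched = sorted(name for name, rx in RULES.items() if rx.search(cmd))
        if matched:
            # several recovery-inhibiting actions in one command: treat as critical
            severity = "critical" if len(matched) > 1 else "high"
            alerts.append({"host": ev["host"], "pid": ev["pid"],
                           "rules": matched, "severity": severity})
    return alerts

EVENTS = [  # constructed process-creation records; field names are hypothetical
    {"host": "ws-01", "pid": 4312, "cmdline":
        "process call create “cmd.exe /c vssadmin.exe delete shadows /all /quiet"
        " & bcdedit.exe /set {default} recoveryenabled no"
        " & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures”"},
    {"host": "ws-02", "pid": 880, "cmdline": "vssadmin list shadows"},
    {"host": "srv-01", "pid": 5120,
     "cmdline": r"C:\Windows\System32\vssadmin.exe  Delete Shadows /For=C: /Oldest"},
    {"host": "ws-03", "pid": 731, "cmdline": "bcdedit /enum"},
]

if __name__ == "__main__":
    for alert in triage(EVENTS):
        print(alert)
```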

In addition to this, the malware also drops a ransom note in the form of a HOW TO DECRYPT FILES.txt document, which contains the following message:

Problem with your Files ?
Don’t worry! Your files are SAFE!
Files are Backed up by our Service!
You need to buy Cerber Decryptor v5.0 updated 2017-November
Hi, I’am CERBER RANSOMWARE 😉
YOUR DOCUMENTS, PHOTOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!
The only way to decrypt your files is to receive the private key and decryption program.
Contact Email : [email protected]
Subject PRIVATE-ID: CerBerSysLocked0009881
!!! ANY ATTEMPTS TO RESTORE YOUR FILES WITH THE THIRD-PARTY SOFTWARE WILL BE FATAL FOR YOUR FILES. !!!
!!! IF YOU ATTEMPT TO RECOVER YOUR DATA WITH OTHER SOFTWARE THE RANSOMWARE WILL SE THIS ACTION.!!!
!!! AND WILL GENERATE ANOTHER CODE ON THE FILES THAT WILL BE IMPOSSIBLE TO RECOVER THEM BACK.!!!
!!!!!PLEASE NE REZONABLE!!!!!
!!! AND FOLLOW THE INSTRUCTION BY CONTACTING THE EMAIL ADDRESS ABOVE. !!!

CerBerSysLock Ransomware – Encryption Process

The encryption process of the CerBerSysLock ransom virus is conducted via the XOR encryption algorithm. The virus firstly scans for the most commonly used file types on your computer, among which are the following:

  • Images.
  • Audio files.
  • Videos.
  • Documents.
  • Archives.

The CerBerSysLock virus is very careful not to scan for files located in the %Windows% and %Program Files% directories, as encrypting them may damage drivers and other key software, which may break your OS. After the files are detected, the CerBerSysLock ransomware applies the encryption process and the files can no longer be opened.
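
Why a XOR-based scheme leaves room for recovery, as an added example that is not part of the original article and not the malware's actual routine: the Python below assumes a plain repeating-key XOR (a simplification, since the article does not document the key handling) and shows that one clean backup of a single encrypted file is enough to recover the key and decrypt a file that has no backup. The key and file contents are constructed.

```python
from itertools import cycle

def xor(data, key):
    """XOR data with a repeating key; the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def recover_key(original, encrypted):
    """Recover the shortest repeating key from one original/encrypted pair."""
    n = min(len(original), len(encrypted))
    # original XOR encrypted cancels the plaintext and leaves the key stream
    stream = bytes(o ^ e for o, e in zip(original[:n], encrypted[:n]))
    for size in range(1, n // 2 + 1):
        # accept a key size only if the stream repeats with that period
        if all(stream[i] == stream[i % size] for i in range(size, n)):
            return stream[:size]
    return None  # pair too short to see the key repeat

def demo():
    """Return (key recovered?, second file restored?) for constructed data."""
    key = bytes.fromhex("5a17c3889e412b")  # constructed key, unknown to the victim
    backup = b"Quarterly report: constructed sample with a clean backup copy."
    other = b"Holiday photo index: constructed sample with no backup at all."
    locked_backup, locked_other = xor(backup, key), xor(other, key)
    found = recover_key(backup, locked_backup)
    return found == key, xor(locked_other, found) == other

if __name__ == "__main__":
    print(demo())
```

When the pair is shorter than two key lengths, `recover_key` returns `None` instead of guessing, so a larger known file should be used.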

Remove CerBerSysLock Ransomware and Restore Your Files

If you want to remove this ransomware virus from your computer, we recommend that you follow the removal manual below. It is divided into manual and automatic removal steps. If you lack experience in removing CerBerSysLock ransomware manually, security experts often advise using an advanced anti-malware program to remove this malware from your computer system automatically. Having such a tool will also protect your computer against future intrusions like CerBerSysLock ransomware.

If you want to restore files that have been encrypted by this ransomware virus, be advised that you should try the alternative methods for recovery in step “2. Restore files encrypted by CerBerSysLock” below to attempt to recover as many encrypted files as possible.


To remove CerBerSysLocked follow these steps:

1. Boot Your PC In Safe Mode to isolate and remove CerBerSysLocked files and objects
2. Find files created by CerBerSysLocked on your PC

Use SpyHunter to scan for malware and unwanted programs

3. Scan for malware and unwanted programs with SpyHunter Anti-Malware Tool
4. Try to Restore files encrypted by CerBerSysLocked

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
