Remove Cerber2 Ransomware and Restore .cerber2 Encrypted Files - Como, Tecnologia e Fórum de Segurança PC |

Remove Cerber2 Ransomware and Restore .cerber2 Encrypted Files

-Screen STF-cerber2-ransomware-cerber-cripto-virus-lock-desktop-resgate-nota

Atualizar! According to reports of users the Cerber2 ransomware doesn’t seem to seek for temporary files (.tmp). That makes possible for the recovery of some recent .doc and .xls files by just opening their .tmp counterpart files.

The talking ransomware is back with a bang – malware researchers from TrendMicro got their hands on samples of Cerber2 ransomware and have confirmed that it is the real deal. They have observed an enhancement in the key generation function, so it can be harder for the researchers to decrypt this version. This new variant of Cerber ransomware encrypts a little over than 450 file types and gives five days to victims to pay up. The ransom which is asked initially is 175 US dollars and demanded to be paid in Bitcoins. After exactly five days the price doubles. Carefully read the article to see how to remove the ransomware and possibly decrypt your files.

Resumo ameaça

Pequena descriçãoThe ransomware will encrypt your files and show a ransom note. You are given five days to pay, and after that period the ransom price doubles.
Os sintomasO ransomware irá criptografar arquivos, and change their names with 10 random characters and the .cerber2 extension appended to each of them.
distribuição Métodoexecutáveis, Os e-mails de spam, Redes de compartilhamento de arquivos
Ferramenta de detecção See If Your System Has Been Affected by Cerber2


Remoção de Malware Ferramenta

Experiência de usuárioParticipe do nosso Fórum to Discuss Cerber2.
Ferramenta de recuperação de dadosWindows Data Recovery por Stellar Phoenix Aviso prévio! Este produto verifica seus setores de unidade para recuperar arquivos perdidos e não pode recuperar 100% dos arquivos criptografados, mas apenas alguns deles, dependendo da situação e se você tem ou não reformatado a unidade.

Cerber2 Ransomware – Infection Spread


o Cerber2 ransomware foi manchado no selvagem, spreading through executables, which use the icon of “Anka”. That is a video game character from the game bearing its name, and you can see an example of how the icon could look like, here on the right. The ransomware might spread the executable through spam email campaigns – putting the file as an attachment. Opening attachments of unknown origin or ones that come from suspicious emails is not advised. Social networks and file-sharing services could also have such files inside them, so be wary of what you click, download and open. Exploit Kits could be a possible entry point for the ransomware.

Cerber2 Ransomware – A Closer Look

Cerber2 is the latest variant of Cerber ransomware. That was confirmed by the TrendMicro researcher @panicall who received samples of the malware and had a thorough look at it.

He also found that Cerber2 ransomware has a blacklist for anti-malware programs (listed below) and that the ransomware is now wrapped (and not a bare file) to make it harder to be detected.
The blacklist is as follows:

  • Arcabit
  • Arcavir
  • avast
  • BitDefender
  • Bullguard
  • EmsiSoft
  • ESET
  • eTrust
  • F-Secure
  • G Data
  • Kaspersky Lab
  • LavaSoft
  • TrustPort

Não apenas isso, but the ransomware checks whether certain processes are active, and if they are, it shuts them down:

  • excel.exe
  • infopath.exe
  • msaccess.exe
  • mspub.exe
  • onenote.exe
  • outlook.exe
  • powerpnt.exe
  • steam.exe
  • sqlservr.exe
  • thebat.exe
  • thebat64.exe
  • thunderbird.exe
  • visio.exe
  • winword.exe
  • wordpad.exe

Depois, Cerber2 ransomware encrypts files and places an image as a lock-screen, which is the ransom message. You can see a picture of it here:

-Screen STF-cerber2-ransomware-cerber-cripto-virus-lock-desktop-resgate-nota

The text from the ransom note reads:

seus documentos, fotos, bases de dados, and other important files have been encrypted!
If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.

There is a list of temporary addresses to go on your personal page below:

If you go to any of the consecutive links, you will see these instructions loading in your browser:


Upon loading, the web page initiates the countdown counter of a five-day “promotion”. The price that is asked in the beginning is 0.30 Bitcoins and amounts to 175 dólares norte-americanos. If you go past that date without paying the crooks, your price will be double and amount to 350 dólares norte-americanos. It is not advised to pay cybercriminals – do not pay them, as this will support them and aid their goals and criminal activity further.

Cerber2 ransomware searches files and encrypts more than 450 extensões de arquivo.
You could see all of them right here:


→.1CD, .3dm, .3ds, .3fr, .3g2, .3gp, .3por, .7de, .7fecho eclair, .aac, .AB4, .abd, .acc, .ACCDB, .ACCDE, .accdr, .accdt, .mas, .acr, .Aja, .adb, .adp, .Publicidades, .AGDL, .para, .aiff, .pertencente ao, .ai, .aoi, .APJ, .apk, .ganho dia, .ascx, .asf, .pessoa, .áspide, .aspx, .de ativos, .asx, .atb, .avi, .AWG, .de volta, .cópia de segurança, .backupdb, .atrás, .banco, .baía, .bdb, .BGT, .bik, .caixa, .PKP, .mistura, .bmp, .bpw, .BSA, .c, .dinheiro, .cdb, .cdf, .cdr, .CDR3, .CDR4, .cdr5, .cdr6, .cdrw, .cdx, .CE1, .CE2, .cer, .cfg, .cfn, .cgm, .bolso, .classe, .cls, .cmt, .configuração, .contato, .cpi, .cpp, .CR2, .papo, .crt, .CRW, .cry, .cs, .csh, .CSL, .css, .csv, .d3dbsp, .Dacian, .o, .que, .db, .db_journal, .db3, .dbf, .dbx, .DC2, .dcr, .DCS, .ddd, .doca, .NRW, .dds, .def, .o, .do, .desenhar, .dgc, .com, .esta, .djvu, .DNG, .doutor, .docm, .docx, .ponto, .dotm, .dotx, .DRF, .drw, .dtd, .dwg, .dxb, .dxf, .dxg, .computador, .eml, .eps, .erbsql, .erf, .EXF, .fdb, .FfD, .fff, .fh, .FHD, .fla, .flac, .FLB, .FLF, .flv, .flvv, .forja, .FPX, .fxg, .gbr, .gho, .gif, .cinzento, .cinzento, .grupos, .jogo, .h, .hbk, .hdd, .hpp, .html, .iBank, .ibd, .FLR, .idx, .IIF, .IIQ, .incpas, .indd, .informações, .info_, .esta, .iwi, .jarra, .Java, .JNT, .JPE, .jpeg, .jpg, .js, .json, .k2p, .KC2, .kdbx, .kdc, .chave, .kpdx, .história, .laccdb, .lbf, .lck, .ldf, .aceso, .litemod, .litesql, .bloqueio, .registro, .ltx, .tomar, .m, .m2ts, .m3u, .m4a, .m4p, .m4v, .mamãe, .mab, .MAPIMAIL, .max, .mbx, .md, .mdb, .mdc, .mdf, .mef, .mfw, .médio, .mkv, .mlb, .MMW, .mny, .dinheiro, .MoneyWell, .mos, .mov, .mp3, .mp4, .mpeg, .mpg, .mrw, .msf, .msg, .mundo, .nd, .ndd, .NDF, .nef, .NK2, .nop, .NRW, .ns2, .ns3, .ns4, .NSD, .nsf, .NSG, .nsh, .nvram, .NWB, .nx2, .NXL, .nyf, .oab, .obj, .odb, .episódio, .odf, .resposta, .odm, .responder, .ods, .odt, .ogg, .óleo, .AMD, .1, .ORF, .ost, .OTG, .oth, .otp, .ots, .lá, .p12, .P7B, .P7C, .ajuda, .Páginas, .não, .palmadinha, .PBF, .pcd, .pct, .pdb, .PDD, .pdf, .PFE, .estab, .pfx, .php, .bicanca, .pl, .plc, .plus_muhd, .PM!, .PM, .pmi, .pmj, .Pml, .PMM, .PMO, .pmr, .pnc, .pnd, .png, .pnx, .maconha, .potm, .potx, .ppam, .pps, .ppsm, .ppsx,.ppt, .pptm, .PPTX, .prf, .privado, .ps, .psafe3, .psd, .pspimage, .PST, .ptx, .bar, .PWM, .py, .qba, .QBB, .QBM, .QBR, .QBW, .QBX, .QBY, .qcow, .qcow2, .são, .qtb, .r3d, .raf, .rar, .rato, .cru, .RDB, .RE4, .rm, .rtf, .RVT, .RW2, .RWL, .RWZ, .s3db, .seguro, .sas7bdat, .sav, .Salve , .dizer, .sd0, .sda, .sdb, .sdf, .sh, .sldm, .sldx, .SLM, .sql, .sqlite, .sqlite3, .sqlitedb, .sqlite-shm, .sqlite-wal, .SR2, .srb, .SRF, .srs, .srt, .SRW, .ST4, .ST5, .st6, .st7, .ST8, .stc, .std, .sti, .tamanho, .stm, .stw, .STX, .SVG, .swf, .sxc, .SXD, .SXG, .ela, .SXM, .sxw, .imposto, .tbb, .tbk, .TBN, .tex, .tga, .thm, .tif, .arrufo, .pcs, .tlx, .TXT, .UPK, .usr, .vbox, .VDI, .vhd, .vhdx, .vmdk, .vmsd, .vmx, .vmxf, .vob, .VPD, .vsd, .wab, .chumaço, .carteira, .guerra, .wav, .WB2, .wma, .wmf, .wmv, .wpd, .wps, .x11, .X3F, .filme, .xla, .xlam, .XLK, .xlm, .xlr, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, ..xlw, .xml, .xps, .xxx, .ycbcra, .YUV, .fecho eclair

Extensions source: bleeping Computer

All files will get encrypted with the .cerber2 extensão. além do que, além do mais, the file names are renamed with ten random characters. o Cerber2 ransomware is reported to uses Windows API CryptGenRandom to generate keys. This variant uses 256-bit keys.

It is unknown whether Cerber2 exclusões ransomware As cópias de sombra de volume a partir do sistema operacional Windows, but the possibility is very high.

Remove Cerber2 Ransomware and Restore .cerber2 Files

If your computer got compromised and is infected with the Cerber2 ransomware, you should have some experience with removing malware before dealing with it. You should get rid of the ransomware quickly before it can spread further on the network and encrypt other files. The recommended action for you to take is removing the ransomware completely by following the step-by-step instructions guide written down below.


Berta Bilbao

Berta é um pesquisador de malware dedicado, sonhando para um espaço cibernético mais seguro. Seu fascínio com a segurança de TI começou há alguns anos atrás, quando um malware bloqueado la fora de seu próprio computador.

mais Posts

4 Comentários

  1. AvatarFCantin

    Infelizmente, I can confirm that Cerber2 ransomware deletes Shadow Volume Copies from the Windows operating system. Finalmente, it’s what happened on my PC.

    1. SensorsTechForumSensorsTechForum

      Hi FCantin,

      What actions have you taken so far?

      1. AvatarFCantin

        Em primeiro lugar, I got rid of the ransomware with SpyHunter (enigma Software) and restore my registry with RegHunter (enigma Software). Then I tried, without much success, to restore the encrypted files with: Stellar Phoenix Windows Data Recovery, Recuva, EaseUS Data Recovery and Jihosoft File Recovery… De fato, I was only able to restore a few pictures (maybe 50 fora de 1000 !!!).
        Por outro lado, I have to say that Stellar Phoenix helped me restore some important .doc (Microsoft Word) and .pdf files. Além disso, take note that Cerber2 doesn’t seem to search for Word temporary files (.tmp). So it’s possible to recover some of your recent .doc files by simply opening the .tmp files.
        Em resumo, I’ve lost some important data, but one thing I know for sure, I will not pay the F**KING RANSOM ! They can go f**k themselves ! ;)

        1. SensorsTechForumSensorsTechForum

          Hi FCantin,

          Obrigado pela informação! And don’t forget to backup your data from now on!


Deixe um comentário

seu endereço de e-mail não será publicado. Campos obrigatórios são marcados *

limite de tempo está esgotado. Recarregue CAPTCHA.

Compartilhar no Facebook Compartilhar
Compartilhar no Twitter chilrear
Compartilhar no Google Plus Compartilhar
Partilhar no Linkedin Compartilhar
Compartilhar no Digg Compartilhar
Compartilhar no Reddit Compartilhar
Partilhar no StumbleUpon Compartilhar