Hey you,

35,000 ransomware infections per month and you still believe you are protected?

Sign up to receive:

  • alerts
  • news
  • free how-to-remove guides

of the newest online threats - directly to your inbox:

Remove Cerber 3 Ransomware and Restore .cerber3 Encrypted Files

This article will help you remove .cerber3 file extension virus (Locky ransomware) successfully. Follow the ransomware removal instructions below.

One of the most devastating viruses out there – Cerber ransomware has been released in a 3rd version, adding a .cerber3 file extension to encrypted files and changing the file-names as well, leaving the # HELP DECRYPT #.txt file after encryption. The Cerber ransomware viruses have been notorious for an immensely strong encryption and new versions of them are released as soon as malware researchers discover decryptors for them. Users who have been infected by this virus, should not comply by the ransom note dropped by this virus and not pay any type of ransom money to the cyber-criminals and not comply to any instructions in the ransom note of the virus. Instead, we advise you to follow this article, because we will update it with more information about Cerber ransomware’s 3rd version, how to remove it and alternative methods to try and restore your files.

Threat Summary


Cerber 3

Short DescriptionThe malware encrypts users files using a strong encryption algorithm, making direct decryption possible only via a unique decryption key available to the cyber-criminals.
SymptomsThe user may witness ransom notes and “instructions” and a sound message all linking to a web page and a decryptor. Changed file names and the file-extension cerber3 has been used.
Distribution MethodVia an Exploit kit, Dll file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.
Detection Tool See If Your System Has Been Affected by Cerber 3


Malware Removal Tool

User ExperienceJoin our forum to Discuss Cerber 3 Ransomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Cerber 3 Virus – How Does It Infect

Similar to the other Cerber(Cerber Version 2) viruses, this ransomware does not limit itself to a simple executable that infects the user. Instead, it is a whole operation that is created to synchronize a variety of infection and spamming technologies and techniques into one big and successful operation, called Cerber ransomware. This includes several different tools that are being used to infect users with the virus:

  • Malware obfuscators to hide Cerber 3 ransomware’s files from any real-time protections and firewalls.
  • File joiners that may conceal the payload dropper of the virus by combining them with legitimate files, like Microsoft Office documents that have malicious macros, for instance.
  • Exploit Kits which may be used for a successful download of the directly by connecting to the command and control server of the cyber-criminals from the infected machine itself.
  • Malicious JavaScript (.js) files disguised as legitimate files that may cause the infection. Themselves.

Such tools may be used in combinatain with spamming bots or spamming services that may spread the malicious files belonging to Cerber 3 ransowmare via several different methods, mainly in the form of uploads on malicious URLs or as e-mail attachments.

Below is an example of a spam e-mail, the malicious URLs of which may lead to a browser redirect that could cause a drive-by download infection with Cerber ransomware:


Cerber Ransowmare – In-Depth Information

As soon as it has been dropped on the computer, Cerber 3 may be dropped on key Windows folders with files that have different names. Several directories it may exist in are the following Windows targeted locations:


Along with CryptoWall and Locky ransomware, Cerber may also modify the registry entries of infected computers, to make the malicious executable that may be different type of file (.tmp, .dll, .js, .exe) run when Windows boots up and encrypt a wide variety of files even before the antivrus program of the computer has started. The registry entries to make it run on system startup are the following keys in Windows Registry Editor:

HKEY_LOCAL_MACHINE \Software \Microsoft \Windows \CurrentVersion \Run
HKEY_LOCAL_MACHINE \Software \Microsoft \Windows \CurrentVersion \RunOnce
HKEY_CURRENT_USER \Software \Microsoft \Windows \CurrentVersion \RunOnce HKEY_CURRENT_USER \Software \Microsoft \Windows \CurrentVersion \Run

As soon as Cerber 3 ransomware’s encryption, begins the user is doomed. The virus may immediately scan for a wide variety of file types and encrypt them as soon as it detects them:

→ .1cd, .3dm, .3ds, .3fr, .3g2, .3gp, .3pr, .7z, .7zip, .aac, .ab4, .abd, .acc, .accdb, .accde, .accdr, .accdt, .ach, .acr, .act, .adb, .adp, .ads, .agdl, .ai, .aiff, .ait, .al, .aoi, .apj, .apk, .arw, .ascx, .asf, .asm, .asp, .aspx, .asset, .asx, .atb, .avi, .awg, .back, .backup, .backupdb, .bak, .bank, .bay, .bdb, .bgt, .bik, .bin, .bkp, .blend, .bmp, .bpw, .bsa, .c, .cash, .cdb, .cdf, .cdr, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .cdx, .ce1, .ce2, .cer, .cfg, .cfn, .cgm, .cib, .class, .cls, .cmt, .config, .contact, .cpi, .cpp, .cr2, .craw, .crt, .crw, .cry, .cs, .csh, .csl, .css, .csv, .d3dbsp, .dac, .das, .dat, .db, .db_journal, .db3, .dbf, .dbx, .dc2, .dcr, .dcs, .ddd, .ddoc, .ddrw, .dds, .def, .der, .des, .design, .dgc, .dgn, .dit, .djvu, .dng, .doc, .docm, .docx, .dot, .dotm, .dotx, .drf, .drw, .dtd, .dwg, .dxb, .dxf, .dxg, .edb, .eml, .eps, .erbsql, .erf, .exf, .fdb, .ffd, .fff, .fh, .fhd, .fla, .flac, .flb, .flf, .flv, .flvv, .forge, .fpx, .fxg, .gbr, .gho, .gif, .gray, .grey, .groups, .gry, .h, .hbk, .hdd, .hpp, .html, .ibank, .ibd, .ibz, .idx, .iif, .iiq, .incpas, .indd, .info, .info_, .ini, .iwi, .jar, .java, .jnt, .jpe, .jpeg, .jpg, .js, .json, .k2p, .kc2, .kdbx, .kdc, .key, .kpdx, .kwm, .laccdb, .lbf, .lck, .ldf, .lit, .litemod, .litesql, .lock, .log, .ltx, .lua, .m, .m2ts, .m3u, .m4a, .m4p, .m4v, .ma, .mab, .mapimail, .max, .mbx, .md, .mdb, .mdc, .mdf, .mef, .mfw, .mid, .mkv, .mlb, .mmw, .mny, .money, .moneywell, .mos, .mov, .mp3, .mp4, .mpeg, .mpg, .mrw, .msf, .msg, .myd, .nd, .ndd, .ndf, .nef, .nk2, .nop, .nrw, .ns2, .ns3, .ns4, .nsd, .nsf, .nsg, .nsh, .nvram, .nwb, .nx2, .nxl, .nyf, .oab, .obj, .odb, .odc, .odf, .odg, .odm, .odp, .ods, .odt, .ogg, .oil, .omg, .one, .orf, .ost, .otg, .oth, .otp, .ots, .ott, .p12, .p7b, .p7c, .pab, .pages, .pas, .pat, .pbf, .pcd, .pct, .pdb, .pdd, .pdf, .pef, .pem, .pfx, .php, .pif, .pl, .plc, .plus_muhd, .pm!, .pm, .pmi, .pmj, .pml, .pmm, .pmo, .pmr, .pnc, .pnd, .png, .pnx, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx,.ppt, .pptm, .pptx, .prf, .private, .ps, .psafe3, .psd, .pspimage, .pst, .ptx, .pub, .pwm, .py, .qba, .qbb, .qbm, .qbr, .qbw, .qbx, .qby, .qcow, .qcow2, .qed, .qtb, .r3d, .raf, .rar, .rat, .raw, .rdb, .re4, .rm, .rtf, .rvt, .rw2, .rwl, .rwz, .s3db, .safe, .sas7bdat, .sav, .save, .say, .sd0, .sda, .sdb, .sdf, .sh, .sldm, .sldx, .slm, .sql, .sqlite, .sqlite3, .sqlitedb, .sqlite-shm, .sqlite-wal, .sr2, .srb, .srf, .srs, .srt, .srw, .st4, .st5, .st6, .st7, .st8, .stc, .std, .sti, .stl, .stm, .stw, .stx, .svg, .swf, .sxc, .sxd, .sxg, .sxi, .sxm, .sxw, .tax, .tbb, .tbk, .tbn, .tex, .tga, .thm, .tif, .tiff, .tlg, .tlx, .txt, .upk, .usr, .vbox, .vdi, .vhd, .vhdx, .vmdk, .vmsd, .vmx, .vmxf, .vob, .vpd, .vsd, .wab, .wad, .wallet, .war, .wav, .wb2, .wma, .wmf, .wmv, .wpd, .wps, .x11, .x3f, .xis, .xla, .xlam, .xlk, .xlm, .xlr, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xps, .xxx, .ycbcra, .yuv, .zip

Cerber ransomware may not only encrypt almost any file on your computer beside the files essential to run Windows, but the virus may also change the names of the files as well. Files encrypted by Cerber 3 ransomware do not only have the .cerber3 file extension but they also have completely random names, preventing them from being identified. A tweetpost by the malware researcher PhysicalDrive0 indicates how the files look after encryption by Cerber 3 ransomware:


To encipher the files, the 3rd variant of this virus may use RSA or AES encryption algorithms and the virus may even use the so-called Cipher Block Chaining(CBC) mode which protects the encrypted files by permanently breaking them if you try to tamper with their code structure (decrypt them, for example).

After encrypting the files, Cerber 3 ransomware drops a ransom note, named # HELP DECRYPT #.txt that is primarily focused on notifying the user his situation is very dire.

Another variant of Cerber 3 employs a different ransom note, known as @___readme___@.txt:


Contents of the @___readme___@.txt note.

The ransom note may be located on every folder containing encrypted files or on the desktop and even on the %Startup% folder so that it opens every time Windows runs.

Furthermore, after the encryption and notification process is complete, Cerber ransomware may generate a unique decryption key which it sends to the cyber-criminals’ command and control servers. After this procedure is done, the malicious files of Cerber ransomware may be deleted to avoid any researchers from peeking into the virus.

The ransom instructions of the virus may lead to a Tor-based web page, similar to the following:


Cerber 3 Ransomware – Conclusion, Removal and File Restoration

The appearance of the 3rd version of this virus is a good indicator that it may either be a part of a large-scale ransomware operation that is well-organized or be sold by an organization as a service (RaaS). Either way, this is one of the biggest viruses out there and researchers strongly advise to immediately remove it and not pay any ransom money demanded.

To remove Cerber 3 ransowmare’s associated files, registry objects and other settings related to it, in case it is still residing on your computer, we advise following the step-by-step instructions below. They are designed so that they help in the best way possible to get rid of the virus methodologically. The most effective and fastest solution for complete removal of Cerber 3 ransowmare still remains to be the usage of an advanced anti-malware program. It will not only delete all associated files safely, but will also protect your computer in the future as well.

To try and restore files encoded by Cerber 3 ransomware, we strongly advise you to make sure that Cerber ransomware is fully deleted from your computer and then attempt using the file-restoration methods provided in step “3. Restore files encrypted by Cerber 3” below. They may not be 100% successful but, these methods are a good temporary solution until malware researchers release a decryptor. As soon as a decryptor has been released for this virus, we will update this article, so we advise you to check on it regularly.

Manually delete Cerber 3 from your computer

Note! Substantial notification about the Cerber 3 threat: Manual removal of Cerber 3 requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Cerber 3 files and objects.
2. Find malicious files created by Cerber 3 on your PC.
3. Fix registry entries created by Cerber 3 on your PC.

Automatically remove Cerber 3 by downloading an advanced anti-malware program

1. Remove Cerber 3 with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by Cerber 3 in the future
3. Restore files encrypted by Cerber 3
Optional: Using Alternative Anti-Malware Tools

How to Find Decryption Key for Files Encrypted By Cerber 3 Ransomware

We have designed to make a tutorial which is as simple as possible to theoretically explain how could you detect your decryption key. Find out how

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

More Posts - Website

Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.