Remove Cerber 3 Ransomware and Restore .cerber3 Encrypted Files - How to, Technology and PC Security Forum |

Remove Cerber 3 Ransomware and Restore .cerber3 Encrypted Files

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

This article will help you remove .cerber3 file extension virus (Locky ransomware) successfully. Follow the ransomware removal instructions below.

One of the most devastating viruses out there – Cerber ransomware has been released in a 3rd version, adding a .cerber3 file extension to encrypted files and changing the file-names as well, leaving the # HELP DECRYPT #.txt file after encryption. The Cerber ransomware viruses have been notorious for an immensely strong encryption and new versions of them are released as soon as malware researchers discover decryptors for them. Users who have been infected by this virus, should not comply by the ransom note dropped by this virus and not pay any type of ransom money to the cyber-criminals and not comply to any instructions in the ransom note of the virus. Instead, we advise you to follow this article, because we will update it with more information about Cerber ransomware’s 3rd version, how to remove it and alternative methods to try and restore your files.

Threat Summary


Cerber 3

Short DescriptionThe malware encrypts users files using a strong encryption algorithm, making direct decryption possible only via a unique decryption key available to the cyber-criminals.
SymptomsThe user may witness ransom notes and “instructions” and a sound message all linking to a web page and a decryptor. Changed file names and the file-extension cerber3 has been used.
Distribution MethodVia an Exploit kit, Dll file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.
Detection Tool See If Your System Has Been Affected by Cerber 3


Malware Removal Tool

User ExperienceJoin our forum to Discuss Cerber 3 Ransomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Cerber 3 Virus – How Does It Infect

Similar to the other Cerber(Cerber Version 2) viruses, this ransomware does not limit itself to a simple executable that infects the user. Instead, it is a whole operation that is created to synchronize a variety of infection and spamming technologies and techniques into one big and successful operation, called Cerber ransomware. This includes several different tools that are being used to infect users with the virus:

  • Malware obfuscators to hide Cerber 3 ransomware’s files from any real-time protections and firewalls.
  • File joiners that may conceal the payload dropper of the virus by combining them with legitimate files, like Microsoft Office documents that have malicious macros, for instance.
  • Exploit Kits which may be used for a successful download of the directly by connecting to the command and control server of the cyber-criminals from the infected machine itself.
  • Malicious JavaScript (.js) files disguised as legitimate files that may cause the infection. Themselves.

Such tools may be used in combinatain with spamming bots or spamming services that may spread the malicious files belonging to Cerber 3 ransowmare via several different methods, mainly in the form of uploads on malicious URLs or as e-mail attachments.

Below is an example of a spam e-mail, the malicious URLs of which may lead to a browser redirect that could cause a drive-by download infection with Cerber ransomware:


Cerber Ransowmare – In-Depth Information

As soon as it has been dropped on the computer, Cerber 3 may be dropped on key Windows folders with files that have different names. Several directories it may exist in are the following Windows targeted locations:


Along with CryptoWall and Locky ransomware, Cerber may also modify the registry entries of infected computers, to make the malicious executable that may be different type of file (.tmp, .dll, .js, .exe) run when Windows boots up and encrypt a wide variety of files even before the antivrus program of the computer has started. The registry entries to make it run on system startup are the following keys in Windows Registry Editor:

HKEY_LOCAL_MACHINE \Software \Microsoft \Windows \CurrentVersion \Run
HKEY_LOCAL_MACHINE \Software \Microsoft \Windows \CurrentVersion \RunOnce
HKEY_CURRENT_USER \Software \Microsoft \Windows \CurrentVersion \RunOnce HKEY_CURRENT_USER \Software \Microsoft \Windows \CurrentVersion \Run

As soon as Cerber 3 ransomware’s encryption, begins the user is doomed. The virus may immediately scan for a wide variety of file types and encrypt them as soon as it detects them:

→ .1cd, .3dm, .3ds, .3fr, .3g2, .3gp, .3pr, .7z, .7zip, .aac, .ab4, .abd, .acc, .accdb, .accde, .accdr, .accdt, .ach, .acr, .act, .adb, .adp, .ads, .agdl, .ai, .aiff, .ait, .al, .aoi, .apj, .apk, .arw, .ascx, .asf, .asm, .asp, .aspx, .asset, .asx, .atb, .avi, .awg, .back, .backup, .backupdb, .bak, .bank, .bay, .bdb, .bgt, .bik, .bin, .bkp, .blend, .bmp, .bpw, .bsa, .c, .cash, .cdb, .cdf, .cdr, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .cdx, .ce1, .ce2, .cer, .cfg, .cfn, .cgm, .cib, .class, .cls, .cmt, .config, .contact, .cpi, .cpp, .cr2, .craw, .crt, .crw, .cry, .cs, .csh, .csl, .css, .csv, .d3dbsp, .dac, .das, .dat, .db, .db_journal, .db3, .dbf, .dbx, .dc2, .dcr, .dcs, .ddd, .ddoc, .ddrw, .dds, .def, .der, .des, .design, .dgc, .dgn, .dit, .djvu, .dng, .doc, .docm, .docx, .dot, .dotm, .dotx, .drf, .drw, .dtd, .dwg, .dxb, .dxf, .dxg, .edb, .eml, .eps, .erbsql, .erf, .exf, .fdb, .ffd, .fff, .fh, .fhd, .fla, .flac, .flb, .flf, .flv, .flvv, .forge, .fpx, .fxg, .gbr, .gho, .gif, .gray, .grey, .groups, .gry, .h, .hbk, .hdd, .hpp, .html, .ibank, .ibd, .ibz, .idx, .iif, .iiq, .incpas, .indd, .info, .info_, .ini, .iwi, .jar, .java, .jnt, .jpe, .jpeg, .jpg, .js, .json, .k2p, .kc2, .kdbx, .kdc, .key, .kpdx, .kwm, .laccdb, .lbf, .lck, .ldf, .lit, .litemod, .litesql, .lock, .log, .ltx, .lua, .m, .m2ts, .m3u, .m4a, .m4p, .m4v, .ma, .mab, .mapimail, .max, .mbx, .md, .mdb, .mdc, .mdf, .mef, .mfw, .mid, .mkv, .mlb, .mmw, .mny, .money, .moneywell, .mos, .mov, .mp3, .mp4, .mpeg, .mpg, .mrw, .msf, .msg, .myd, .nd, .ndd, .ndf, .nef, .nk2, .nop, .nrw, .ns2, .ns3, .ns4, .nsd, .nsf, .nsg, .nsh, .nvram, .nwb, .nx2, .nxl, .nyf, .oab, .obj, .odb, .odc, .odf, .odg, .odm, .odp, .ods, .odt, .ogg, .oil, .omg, .one, .orf, .ost, .otg, .oth, .otp, .ots, .ott, .p12, .p7b, .p7c, .pab, .pages, .pas, .pat, .pbf, .pcd, .pct, .pdb, .pdd, .pdf, .pef, .pem, .pfx, .php, .pif, .pl, .plc, .plus_muhd, .pm!, .pm, .pmi, .pmj, .pml, .pmm, .pmo, .pmr, .pnc, .pnd, .png, .pnx, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx,.ppt, .pptm, .pptx, .prf, .private, .ps, .psafe3, .psd, .pspimage, .pst, .ptx, .pub, .pwm, .py, .qba, .qbb, .qbm, .qbr, .qbw, .qbx, .qby, .qcow, .qcow2, .qed, .qtb, .r3d, .raf, .rar, .rat, .raw, .rdb, .re4, .rm, .rtf, .rvt, .rw2, .rwl, .rwz, .s3db, .safe, .sas7bdat, .sav, .save, .say, .sd0, .sda, .sdb, .sdf, .sh, .sldm, .sldx, .slm, .sql, .sqlite, .sqlite3, .sqlitedb, .sqlite-shm, .sqlite-wal, .sr2, .srb, .srf, .srs, .srt, .srw, .st4, .st5, .st6, .st7, .st8, .stc, .std, .sti, .stl, .stm, .stw, .stx, .svg, .swf, .sxc, .sxd, .sxg, .sxi, .sxm, .sxw, .tax, .tbb, .tbk, .tbn, .tex, .tga, .thm, .tif, .tiff, .tlg, .tlx, .txt, .upk, .usr, .vbox, .vdi, .vhd, .vhdx, .vmdk, .vmsd, .vmx, .vmxf, .vob, .vpd, .vsd, .wab, .wad, .wallet, .war, .wav, .wb2, .wma, .wmf, .wmv, .wpd, .wps, .x11, .x3f, .xis, .xla, .xlam, .xlk, .xlm, .xlr, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xps, .xxx, .ycbcra, .yuv, .zip

Cerber ransomware may not only encrypt almost any file on your computer beside the files essential to run Windows, but the virus may also change the names of the files as well. Files encrypted by Cerber 3 ransomware do not only have the .cerber3 file extension but they also have completely random names, preventing them from being identified. A tweetpost by the malware researcher PhysicalDrive0 indicates how the files look after encryption by Cerber 3 ransomware:


To encipher the files, the 3rd variant of this virus may use RSA or AES encryption algorithms and the virus may even use the so-called Cipher Block Chaining(CBC) mode which protects the encrypted files by permanently breaking them if you try to tamper with their code structure (decrypt them, for example).

After encrypting the files, Cerber 3 ransomware drops a ransom note, named # HELP DECRYPT #.txt that is primarily focused on notifying the user his situation is very dire.

Another variant of Cerber 3 employs a different ransom note, known as @___readme___@.txt:


Contents of the @___readme___@.txt note.

The ransom note may be located on every folder containing encrypted files or on the desktop and even on the %Startup% folder so that it opens every time Windows runs.

Furthermore, after the encryption and notification process is complete, Cerber ransomware may generate a unique decryption key which it sends to the cyber-criminals’ command and control servers. After this procedure is done, the malicious files of Cerber ransomware may be deleted to avoid any researchers from peeking into the virus.

The ransom instructions of the virus may lead to a Tor-based web page, similar to the following:


Cerber 3 Ransomware – Conclusion, Removal and File Restoration

The appearance of the 3rd version of this virus is a good indicator that it may either be a part of a large-scale ransomware operation that is well-organized or be sold by an organization as a service (RaaS). Either way, this is one of the biggest viruses out there and researchers strongly advise to immediately remove it and not pay any ransom money demanded.

To remove Cerber 3 ransowmare’s associated files, registry objects and other settings related to it, in case it is still residing on your computer, we advise following the step-by-step instructions below. They are designed so that they help in the best way possible to get rid of the virus methodologically. The most effective and fastest solution for complete removal of Cerber 3 ransowmare still remains to be the usage of an advanced anti-malware program. It will not only delete all associated files safely, but will also protect your computer in the future as well.

To try and restore files encoded by Cerber 3 ransomware, we strongly advise you to make sure that Cerber ransomware is fully deleted from your computer and then attempt using the file-restoration methods provided in step “3. Restore files encrypted by Cerber 3” below. They may not be 100% successful but, these methods are a good temporary solution until malware researchers release a decryptor. As soon as a decryptor has been released for this virus, we will update this article, so we advise you to check on it regularly.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website


  1. Avatarnico


    Do you have a solution to decrypt the ceber3 files?

    1. AvatarVencislav Krustev

      Hello, nico

      At the moment we are testing the older decryptor on a testing computer. You can try it also yourself. Here are the instructions:

      Bear in mind that these instructions are for the first variant of Cerber. However if this turns out to be a modified version of the first variant but still using the same strategy, there may be a method to decrypt the files soon.

      1. AvatarRohit

        Sir, Please tell us if you it works on cerber.3, i also got infected by cerber 3 and looking for solutions.Thanks.

  2. AvatarAlex

    Are there known HASH/HASH’s for this variant?

    1. AvatarVencislav Krustev

      Well, according to these guys, the situation with the HASH’s is quite relative:

      So even if there are there is a big variety, see..

  3. AvatarKarla

    Can I try to use cerber one decryptor on cerber three ?

    1. AvatarKarla

      Please help me, because the pc I’m using at work is infected with cerber3. I really need the files to be decrypted or I could Loose my job. Thanks in advance.

  4. Avatarrishabh dev tyagi

    Sir,I am also a victim of this cerber3.I was very angry on
    these shit dudes.But I didn’t lost my mind.They demand 500$.Today I have
    found a great solution for this ransomware.I was searching for the
    solution on various tech sites but found nothing.Sensors, if u want the
    solution then contact me on my recovery software worked for me.Sir can i get a job on your company?But the job must be top salary paying.Otherwise i will join other Antivirus tech solution organisation.

  5. AvatarKhalid

    Sir my file was also encrypt by cerber3 is there any solutions ?

    1. AvatarVencislav Krustev

      Hello, Khalid see the reply above : )

  6. AvatarAitor

    I will paciently wait for that people who work hard to provide a solution for us but I have a question to ask, if anyone could answer it. Why cerber encrypted videos can be reproduced and photos can not be seen? The encryption does not affect to videos but in the name and photos are fully encrypted?

    Thank you very much.

    1. AvatarVencislav Krustev

      Hello, it seems that either the code of the ransomware may be poorly written or there is some type of defense that stops it from fully encrypting everything. Make sure to backup all of the files while you wait for a decrypter, even the ones that you can reproduce, because you may need them.

  7. AvatarKhalid

    Good day ! Base in my case all of my excel files are encrypted but my video and pictures are okay.

    1. AvatarVencislav Krustev

      Hello Khalid,
      It seems that something interrupted the ransomware virus while it was encrypting files. It could be your antivirus protection (if you have any) or other type of protection. It is unfortunate that your excel files are encrypted, do you have any features that remember previous versions of excel documents you worked on, like shadow copies?

      1. AvatarKhalid

        Hello Sir,
        There is no shadow copies. We try to recover the files but all we recover are the encrypted files. Is there any solutions ?

      2. AvatarKhalid

        Sir can you teach me how to recover the shadow files.Thank you

  8. AvatarAngelo

    Vencislav Krustev buongiorno,
    la prego, sa dirmi come decriptare i file con estensione cerber3? Ho bisogno di un suo aiuto.

    1. AvatarVencislav Krustev

      Ciao, purtroppo a questo punto non vi è stato un decryptor rilasciato per i file crittografati da Cerber3 ransomware. Questo è il motivo per cui vi consiglio di provare programmi di recupero dati per ripristinare almeno alcuni dei file e seguire questo articolo. Vi aggiorneremo non appena c’è un decrypter. Grazie.

  9. AvatarRohit

    I have got infected by cerber 3 ransomware 3 days ago, If anyone got any solutions please let me know asap. Thanks.

    1. Avatarbrunonsv

      the solution (in portuguese Brasil): faça um backup e formate o sistema para liquidar o virus. Após renomeie cada um dos arquivos com a extensão de origem por exemplo: sdfsoid.cerber para xxx.xls

  10. Avatarbrunonsv

    the solution (in portuguese Brasil): basta renomear o arquivo de origem e o problema da criptografia está acabado. Por exemplo 124usxo.cerber para xxx.docx

  11. AvatarCihan Erdem

    hi, i can help you for your .enc and .encrypted files, please send me 1 or 2 encrypted files with ransom note file (html or txt),


Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.