This article will help you remove .cerber3 file extension virus (Locky ransomware) successfully. Follow the ransomware removal instructions below.

One of the most devastating viruses out there – Cerber ransomware has been released in a 3rd version, adding a .cerber3 file extension to encrypted files and changing the file-names as well, leaving the # HELP DECRYPT #.txt file after encryption. The Cerber ransomware viruses have been notorious for an immensely strong encryption and new versions of them are released as soon as malware researchers discover decryptors for them. Users who have been infected by this virus, should not comply by the ransom note dropped by this virus and not pay any type of ransom money to the cyber-criminals and not comply to any instructions in the ransom note of the virus. Instead, we advise you to follow this article, because we will update it with more information about Cerber ransomware’s 3rd version, how to remove it and alternative methods to try and restore your files.

Threat Summary

Name	Cerber 3
Type	Ransomware
Short Description	The malware encrypts users files using a strong encryption algorithm, making direct decryption possible only via a unique decryption key available to the cyber-criminals.
Symptoms	The user may witness ransom notes and “instructions” and a sound message all linking to a web page and a decryptor. Changed file names and the file-extension cerber3 has been used.
Distribution Method	Via an Exploit kit, Dll file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.
Detection Tool	See If Your System Has Been Affected by Cerber 3 Download Malware Removal Tool
User Experience	Join our forum to Discuss Cerber 3 Ransomware.
Data Recovery Tool	Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Cerber 3 Virus – How Does It Infect

Similar to the other Cerber(Cerber Version 2) viruses, this ransomware does not limit itself to a simple executable that infects the user. Instead, it is a whole operation that is created to synchronize a variety of infection and spamming technologies and techniques into one big and successful operation, called Cerber ransomware. This includes several different tools that are being used to infect users with the virus:

Malware obfuscators to hide Cerber 3 ransomware’s files from any real-time protections and firewalls.
File joiners that may conceal the payload dropper of the virus by combining them with legitimate files, like Microsoft Office documents that have malicious macros, for instance.
Exploit Kits which may be used for a successful download of the directly by connecting to the command and control server of the cyber-criminals from the infected machine itself.
Malicious JavaScript (.js) files disguised as legitimate files that may cause the infection. Themselves.

Such tools may be used in combinatain with spamming bots or spamming services that may spread the malicious files belonging to Cerber 3 ransowmare via several different methods, mainly in the form of uploads on malicious URLs or as e-mail attachments.

Below is an example of a spam e-mail, the malicious URLs of which may lead to a browser redirect that could cause a drive-by download infection with Cerber ransomware:

Cerber Ransowmare – In-Depth Information

As soon as it has been dropped on the computer, Cerber 3 may be dropped on key Windows folders with files that have different names. Several directories it may exist in are the following Windows targeted locations:

Along with CryptoWall and Locky ransomware, Cerber may also modify the registry entries of infected computers, to make the malicious executable that may be different type of file (.tmp, .dll, .js, .exe) run when Windows boots up and encrypt a wide variety of files even before the antivrus program of the computer has started. The registry entries to make it run on system startup are the following keys in Windows Registry Editor:

HKEY_LOCAL_MACHINE \Software \Microsoft \Windows \CurrentVersion \Run
HKEY_LOCAL_MACHINE \Software \Microsoft \Windows \CurrentVersion \RunOnce

HKEY_CURRENT_USER \Software \Microsoft \Windows \CurrentVersion \RunOnce HKEY_CURRENT_USER \Software \Microsoft \Windows \CurrentVersion \Run

As soon as Cerber 3 ransomware’s encryption, begins the user is doomed. The virus may immediately scan for a wide variety of file types and encrypt them as soon as it detects them:

→ .1cd, .3dm, .3ds, .3fr, .3g2, .3gp, .3pr, .7z, .7zip, .aac, .ab4, .abd, .acc, .accdb, .accde, .accdr, .accdt, .ach, .acr, .act, .adb, .adp, .ads, .agdl, .ai, .aiff, .ait, .al, .aoi, .apj, .apk, .arw, .ascx, .asf, .asm, .asp, .aspx, .asset, .asx, .atb, .avi, .awg, .back, .backup, .backupdb, .bak, .bank, .bay, .bdb, .bgt, .bik, .bin, .bkp, .blend, .bmp, .bpw, .bsa, .c, .cash, .cdb, .cdf, .cdr, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .cdx, .ce1, .ce2, .cer, .cfg, .cfn, .cgm, .cib, .class, .cls, .cmt, .config, .contact, .cpi, .cpp, .cr2, .craw, .crt, .crw, .cry, .cs, .csh, .csl, .css, .csv, .d3dbsp, .dac, .das, .dat, .db, .db_journal, .db3, .dbf, .dbx, .dc2, .dcr, .dcs, .ddd, .ddoc, .ddrw, .dds, .def, .der, .des, .design, .dgc, .dgn, .dit, .djvu, .dng, .doc, .docm, .docx, .dot, .dotm, .dotx, .drf, .drw, .dtd, .dwg, .dxb, .dxf, .dxg, .edb, .eml, .eps, .erbsql, .erf, .exf, .fdb, .ffd, .fff, .fh, .fhd, .fla, .flac, .flb, .flf, .flv, .flvv, .forge, .fpx, .fxg, .gbr, .gho, .gif, .gray, .grey, .groups, .gry, .h, .hbk, .hdd, .hpp, .html, .ibank, .ibd, .ibz, .idx, .iif, .iiq, .incpas, .indd, .info, .info_, .ini, .iwi, .jar, .java, .jnt, .jpe, .jpeg, .jpg, .js, .json, .k2p, .kc2, .kdbx, .kdc, .key, .kpdx, .kwm, .laccdb, .lbf, .lck, .ldf, .lit, .litemod, .litesql, .lock, .log, .ltx, .lua, .m, .m2ts, .m3u, .m4a, .m4p, .m4v, .ma, .mab, .mapimail, .max, .mbx, .md, .mdb, .mdc, .mdf, .mef, .mfw, .mid, .mkv, .mlb, .mmw, .mny, .money, .moneywell, .mos, .mov, .mp3, .mp4, .mpeg, .mpg, .mrw, .msf, .msg, .myd, .nd, .ndd, .ndf, .nef, .nk2, .nop, .nrw, .ns2, .ns3, .ns4, .nsd, .nsf, .nsg, .nsh, .nvram, .nwb, .nx2, .nxl, .nyf, .oab, .obj, .odb, .odc, .odf, .odg, .odm, .odp, .ods, .odt, .ogg, .oil, .omg, .one, .orf, .ost, .otg, .oth, .otp, .ots, .ott, .p12, .p7b, .p7c, .pab, .pages, .pas, .pat, .pbf, .pcd, .pct, .pdb, .pdd, .pdf, .pef, .pem, .pfx, .php, .pif, .pl, .plc, .plus_muhd, .pm!, .pm, .pmi, .pmj, .pml, .pmm, .pmo, .pmr, .pnc, .pnd, .png, .pnx, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx,.ppt, .pptm, .pptx, .prf, .private, .ps, .psafe3, .psd, .pspimage, .pst, .ptx, .pub, .pwm, .py, .qba, .qbb, .qbm, .qbr, .qbw, .qbx, .qby, .qcow, .qcow2, .qed, .qtb, .r3d, .raf, .rar, .rat, .raw, .rdb, .re4, .rm, .rtf, .rvt, .rw2, .rwl, .rwz, .s3db, .safe, .sas7bdat, .sav, .save, .say, .sd0, .sda, .sdb, .sdf, .sh, .sldm, .sldx, .slm, .sql, .sqlite, .sqlite3, .sqlitedb, .sqlite-shm, .sqlite-wal, .sr2, .srb, .srf, .srs, .srt, .srw, .st4, .st5, .st6, .st7, .st8, .stc, .std, .sti, .stl, .stm, .stw, .stx, .svg, .swf, .sxc, .sxd, .sxg, .sxi, .sxm, .sxw, .tax, .tbb, .tbk, .tbn, .tex, .tga, .thm, .tif, .tiff, .tlg, .tlx, .txt, .upk, .usr, .vbox, .vdi, .vhd, .vhdx, .vmdk, .vmsd, .vmx, .vmxf, .vob, .vpd, .vsd, .wab, .wad, .wallet, .war, .wav, .wb2, .wma, .wmf, .wmv, .wpd, .wps, .x11, .x3f, .xis, .xla, .xlam, .xlk, .xlm, .xlr, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xps, .xxx, .ycbcra, .yuv, .zip

Cerber ransomware may not only encrypt almost any file on your computer beside the files essential to run Windows, but the virus may also change the names of the files as well. Files encrypted by Cerber 3 ransomware do not only have the .cerber3 file extension but they also have completely random names, preventing them from being identified. A tweetpost by the malware researcher PhysicalDrive0 indicates how the files look after encryption by Cerber 3 ransomware:

To encipher the files, the 3rd variant of this virus may use RSA or AES encryption algorithms and the virus may even use the so-called Cipher Block Chaining(CBC) mode which protects the encrypted files by permanently breaking them if you try to tamper with their code structure (decrypt them, for example).

After encrypting the files, Cerber 3 ransomware drops a ransom note, named # HELP DECRYPT #.txt that is primarily focused on notifying the user his situation is very dire.

Another variant of Cerber 3 employs a different ransom note, known as @[email protected]:

Contents of the @[email protected] note.

The ransom note may be located on every folder containing encrypted files or on the desktop and even on the %Startup% folder so that it opens every time Windows runs.

Furthermore, after the encryption and notification process is complete, Cerber ransomware may generate a unique decryption key which it sends to the cyber-criminals’ command and control servers. After this procedure is done, the malicious files of Cerber ransomware may be deleted to avoid any researchers from peeking into the virus.

The ransom instructions of the virus may lead to a Tor-based web page, similar to the following:

Cerber 3 Ransomware – Conclusion, Removal and File Restoration

The appearance of the 3rd version of this virus is a good indicator that it may either be a part of a large-scale ransomware operation that is well-organized or be sold by an organization as a service (RaaS). Either way, this is one of the biggest viruses out there and researchers strongly advise to immediately remove it and not pay any ransom money demanded.

To remove Cerber 3 ransowmare’s associated files, registry objects and other settings related to it, in case it is still residing on your computer, we advise following the step-by-step instructions below. They are designed so that they help in the best way possible to get rid of the virus methodologically. The most effective and fastest solution for complete removal of Cerber 3 ransowmare still remains to be the usage of an advanced anti-malware program. It will not only delete all associated files safely, but will also protect your computer in the future as well.

To try and restore files encoded by Cerber 3 ransomware, we strongly advise you to make sure that Cerber ransomware is fully deleted from your computer and then attempt using the file-restoration methods provided in step “3. Restore files encrypted by Cerber 3” below. They may not be 100% successful but, these methods are a good temporary solution until malware researchers release a decryptor. As soon as a decryptor has been released for this virus, we will update this article, so we advise you to check on it regularly.

Manually delete Cerber 3 from your computer

Note! Substantial notification about the Cerber 3 threat: Manual removal of Cerber 3 requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Cerber 3 files and objects.

2. Find malicious files created by Cerber 3 on your PC.

3. Fix registry entries created by Cerber 3 on your PC.

Automatically remove Cerber 3 by downloading an advanced anti-malware program

1. Remove Cerber 3 with SpyHunter Anti-Malware Tool

2. Back up your data to secure it against infections and file encryption by Cerber 3 in the future

Back up your data to secure it against attacks in the future

IMPORTANT! Before reading the Windows backup instructions, we highly recommend to back up your data automatically with cloud backup and insure it against any type of data loss on your device, even the most severe. We recommend reading more about and downloading SOS Online Backup .

To back up your files via Windows and prevent any future intrusions, follow these instructions:

1. For Windows 7 and earlier

1. For Windows 8, 8.1 and 10

1. Enabling the Windows Defense Feature (Previous Versions)

1-Click on Windows Start Menu

2-Type Backup And Restore
3-Open it and click on Set Up Backup

4-A window will appear asking you where to set up backup. You should have a flash drive or an external hard drive. Mark it by clicking on it with your mouse then click on Next.

5-On the next window, the system will ask you what do you want to backup. Choose the ‘Let Me Choose’ option and then click on Next.

6-Click on ‘Save settings and run backup’ on the next window in order to protect your files from possible attacks by Cerber 3.

1-Press Windows button + R

2-In the window type ‘filehistory’ and press Enter

3-A File History window will appear. Click on ‘Configure file history settings’

4-The configuration menu for File History will appear. Click on ‘Turn On’. After its on, click on Select Drive in order to select the backup drive. It is recommended to choose an external HDD, SSD or a USB stick whose memory capacity is corresponding to the size of the files you want to backup.

5-Select the drive then click on ‘Ok’ in order to set up file backup and protect yourself from Cerber 3.

1- Press Windows button + R keys.

2- A run windows should appear. In it type ‘sysdm.cpl’ and then click on Run.

3- A System Properties windows should appear. In it choose System Protection.

5- Click on Turn on system protection and select the size on the hard disk you want to utilize for system protection.
6- Click on Ok and you should see an indication in Protection settings that the protection from Cerber 3 is on.

Restoring a file via Windows Defense feature:
1-Right-click on the encrypted file, then choose Properties.

2-Click on the Previous Versions tab and then mark the last version of the file.

3-Click on Apply and Ok and the file encrypted by Cerber 3 should be restored.

3. Restore files encrypted by Cerber 3

Optional: Using Alternative Anti-Malware Tools

How to Find Decryption Key for Files Encrypted By Cerber 3 Ransomware

We have designed to make a tutorial which is as simple as possible to theoretically explain how could you detect your decryption key. Find out how

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

22 Comments

nico August 31, 2016 at 9:59 am
Hello,
Do you have a solution to decrypt the ceber3 files?
Reply ↓
1. Vencislav Krustev August 31, 2016 at 1:30 pm
  Hello, nico
  At the moment we are testing the older decryptor on a testing computer. You can try it also yourself. Here are the instructions:
  http://sensorstechforum.com/decrypt-encrypted-files-cerber-ransomware/
  Bear in mind that these instructions are for the first variant of Cerber. However if this turns out to be a modified version of the first variant but still using the same strategy, there may be a method to decrypt the files soon.
  Reply ↓
  1. Rohit September 19, 2016 at 6:30 am
    Sir, Please tell us if you it works on cerber.3, i also got infected by cerber 3 and looking for solutions.Thanks.
    Reply ↓
Alex September 1, 2016 at 1:57 pm
Are there known HASH/HASH’s for this variant?
Reply ↓
1. Vencislav Krustev September 2, 2016 at 8:20 am
  Well, according to these guys, the situation with the HASH’s is quite relative: https://www.invincea.com/2016/06/hash-factory-new-cerber-ransomware-morphs-every-15-seconds/
  So even if there are there is a big variety, see..
  Reply ↓
Karla September 6, 2016 at 8:03 am
Can I try to use cerber one decryptor on cerber three ?
Reply ↓
1. Karla September 6, 2016 at 8:06 am
  Please help me, because the pc I’m using at work is infected with cerber3. I really need the files to be decrypted or I could Loose my job. 🙁 Thanks in advance.
  Reply ↓
rishabh dev tyagi September 7, 2016 at 3:07 pm
Sir,I am also a victim of this cerber3.I was very angry on
these shit dudes.But I didn’t lost my mind.They demand 500$.Today I have
found a great solution for this ransomware.I was searching for the
solution on various tech sites but found nothing.Sensors, if u want the
solution then contact me on my [email protected] recovery software worked for me.Sir can i get a job on your company?But the job must be top salary paying.Otherwise i will join other Antivirus tech solution organisation.
Reply ↓
Khalid September 8, 2016 at 7:47 am
Sir my file was also encrypt by cerber3 is there any solutions ?
Reply ↓
1. Vencislav Krustev September 19, 2016 at 8:36 am
  Hello, Khalid see the reply above : )
  Reply ↓
Aitor September 8, 2016 at 5:58 pm
I will paciently wait for that people who work hard to provide a solution for us but I have a question to ask, if anyone could answer it. Why cerber encrypted videos can be reproduced and photos can not be seen? The encryption does not affect to videos but in the name and photos are fully encrypted?
Thank you very much.
Reply ↓
1. Vencislav Krustev September 19, 2016 at 8:36 am
  Hello, it seems that either the code of the ransomware may be poorly written or there is some type of defense that stops it from fully encrypting everything. Make sure to backup all of the files while you wait for a decrypter, even the ones that you can reproduce, because you may need them.
  Reply ↓
Khalid September 9, 2016 at 1:51 am
Good day ! Base in my case all of my excel files are encrypted but my video and pictures are okay.
Reply ↓
1. Vencislav Krustev September 19, 2016 at 8:34 am
  Hello Khalid,
  It seems that something interrupted the ransomware virus while it was encrypting files. It could be your antivirus protection (if you have any) or other type of protection. It is unfortunate that your excel files are encrypted, do you have any features that remember previous versions of excel documents you worked on, like shadow copies?
  Reply ↓
  1. Khalid September 19, 2016 at 9:30 am
    Hello Sir,
    There is no shadow copies. We try to recover the files but all we recover are the encrypted files. Is there any solutions ?
    Reply ↓
  2. Khalid September 19, 2016 at 9:39 am
    Sir can you teach me how to recover the shadow files.Thank you
    Reply ↓
Angelo September 17, 2016 at 3:53 pm
Vencislav Krustev buongiorno,
la prego, sa dirmi come decriptare i file con estensione cerber3? Ho bisogno di un suo aiuto.
Grazie
Reply ↓
1. Vencislav Krustev September 19, 2016 at 8:33 am
  Ciao, purtroppo a questo punto non vi è stato un decryptor rilasciato per i file crittografati da Cerber3 ransomware. Questo è il motivo per cui vi consiglio di provare programmi di recupero dati per ripristinare almeno alcuni dei file e seguire questo articolo. Vi aggiorneremo non appena c’è un decrypter. Grazie.
  Reply ↓
Rohit September 19, 2016 at 6:31 am
I have got infected by cerber 3 ransomware 3 days ago, If anyone got any solutions please let me know asap. Thanks.
Reply ↓
1. brunonsv September 22, 2016 at 12:37 am
  the solution (in portuguese Brasil): faça um backup e formate o sistema para liquidar o virus. Após renomeie cada um dos arquivos com a extensão de origem por exemplo: sdfsoid.cerber para xxx.xls
  Reply ↓
brunonsv September 22, 2016 at 12:35 am
the solution (in portuguese Brasil): basta renomear o arquivo de origem e o problema da criptografia está acabado. Por exemplo 124usxo.cerber para xxx.docx
Reply ↓
Cihan Erdem October 12, 2016 at 1:23 pm
hi, i can help you for your .enc and .encrypted files, please send me 1 or 2 encrypted files with ransom note file (html or txt), [email protected]
Reply ↓

Hey you,
BE IN THE KNOW!

Remove Cerber 3 Ransomware and Restore .cerber3 Encrypted Files

Threat Summary