One of the most devastating viruses out there – Cerber ransomware has been released in a 3rd version, adding a .cerber3 file extension to encrypted files and changing the file-names as well, leaving the # HELP DECRYPT #.txt file after encryption. The Cerber ransomware viruses have been notorious for an immensely strong encryption and new versions of them are released as soon as malware researchers discover decryptors for them. Users who have been infected by this virus, should not comply by the ransom note dropped by this virus and not pay any type of ransom money to the cyber-criminals and not comply to any instructions in the ransom note of the virus. Instead, we advise you to follow this article, because we will update it with more information about Cerber ransomware’s 3rd version, how to remove it and alternative methods to try and restore your files.
|Short Description||The malware encrypts users files using a strong encryption algorithm, making direct decryption possible only via a unique decryption key available to the cyber-criminals.|
|Symptoms||The user may witness ransom notes and “instructions” and a sound message all linking to a web page and a decryptor. Changed file names and the file-extension cerber3 has been used.|
|Detection Tool|| See If Your System Has Been Affected by Cerber 3 |
Malware Removal Tool
|User Experience||Join our forum to Discuss Cerber 3 Ransomware.|
|Data Recovery Tool||Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.|
Cerber 3 Virus – How Does It Infect
Similar to the other Cerber(Cerber Version 2) viruses, this ransomware does not limit itself to a simple executable that infects the user. Instead, it is a whole operation that is created to synchronize a variety of infection and spamming technologies and techniques into one big and successful operation, called Cerber ransomware. This includes several different tools that are being used to infect users with the virus:
- Malware obfuscators to hide Cerber 3 ransomware’s files from any real-time protections and firewalls.
- File joiners that may conceal the payload dropper of the virus by combining them with legitimate files, like Microsoft Office documents that have malicious macros, for instance.
- Exploit Kits which may be used for a successful download of the directly by connecting to the command and control server of the cyber-criminals from the infected machine itself.
Such tools may be used in combinatain with spamming bots or spamming services that may spread the malicious files belonging to Cerber 3 ransowmare via several different methods, mainly in the form of uploads on malicious URLs or as e-mail attachments.
Below is an example of a spam e-mail, the malicious URLs of which may lead to a browser redirect that could cause a drive-by download infection with Cerber ransomware:
Cerber Ransowmare – In-Depth Information
As soon as it has been dropped on the computer, Cerber 3 may be dropped on key Windows folders with files that have different names. Several directories it may exist in are the following Windows targeted locations:
Along with CryptoWall and Locky ransomware, Cerber may also modify the registry entries of infected computers, to make the malicious executable that may be different type of file (.tmp, .dll, .js, .exe) run when Windows boots up and encrypt a wide variety of files even before the antivrus program of the computer has started. The registry entries to make it run on system startup are the following keys in Windows Registry Editor:
As soon as Cerber 3 ransomware’s encryption, begins the user is doomed. The virus may immediately scan for a wide variety of file types and encrypt them as soon as it detects them:
Cerber ransomware may not only encrypt almost any file on your computer beside the files essential to run Windows, but the virus may also change the names of the files as well. Files encrypted by Cerber 3 ransomware do not only have the .cerber3 file extension but they also have completely random names, preventing them from being identified. A tweetpost by the malware researcher PhysicalDrive0 indicates how the files look after encryption by Cerber 3 ransomware:
To encipher the files, the 3rd variant of this virus may use RSA or AES encryption algorithms and the virus may even use the so-called Cipher Block Chaining(CBC) mode which protects the encrypted files by permanently breaking them if you try to tamper with their code structure (decrypt them, for example).
After encrypting the files, Cerber 3 ransomware drops a ransom note, named # HELP DECRYPT #.txt that is primarily focused on notifying the user his situation is very dire.
Another variant of Cerber 3 employs a different ransom note, known as @___readme___@.txt:
The ransom note may be located on every folder containing encrypted files or on the desktop and even on the %Startup% folder so that it opens every time Windows runs.
Furthermore, after the encryption and notification process is complete, Cerber ransomware may generate a unique decryption key which it sends to the cyber-criminals’ command and control servers. After this procedure is done, the malicious files of Cerber ransomware may be deleted to avoid any researchers from peeking into the virus.
The ransom instructions of the virus may lead to a Tor-based web page, similar to the following:
Cerber 3 Ransomware – Conclusion, Removal and File Restoration
The appearance of the 3rd version of this virus is a good indicator that it may either be a part of a large-scale ransomware operation that is well-organized or be sold by an organization as a service (RaaS). Either way, this is one of the biggest viruses out there and researchers strongly advise to immediately remove it and not pay any ransom money demanded.
To remove Cerber 3 ransowmare’s associated files, registry objects and other settings related to it, in case it is still residing on your computer, we advise following the step-by-step instructions below. They are designed so that they help in the best way possible to get rid of the virus methodologically. The most effective and fastest solution for complete removal of Cerber 3 ransowmare still remains to be the usage of an advanced anti-malware program. It will not only delete all associated files safely, but will also protect your computer in the future as well.
To try and restore files encoded by Cerber 3 ransomware, we strongly advise you to make sure that Cerber ransomware is fully deleted from your computer and then attempt using the file-restoration methods provided in step “3. Restore files encrypted by Cerber 3” below. They may not be 100% successful but, these methods are a good temporary solution until malware researchers release a decryptor. As soon as a decryptor has been released for this virus, we will update this article, so we advise you to check on it regularly.