
Remove Cerber 4.1.0 Ransomware and Restore Your Files (Updated Cerber v4)


It was not long before the new Cerber ransomware, which many call version 4.0, received an overhaul. The new version uses more optimized code for modifying and encrypting the infected computers, sets a new wallpaper stating its version as 4.1.0, and brings many other improvements. The virus, however, still drops the same README.hta file as the original version does. If you have been infected by this updated strain of Cerber, which calls itself 4.1.0, we advise you to read this article immediately to learn more about it, how to remove this iteration of the virus, and which alternative methods we suggest for trying to restore your encrypted files.

Threat Summary

Name: Cerber 4.1.0
Type: Ransomware Virus
Short Description: This Cerber ransomware variant encrypts files with the RSA or AES ciphers, appends four randomly generated A-Z 0-9 characters (e.g. .z33f) as a file extension to the encrypted files, and demands a ransom payment for decryption.
Symptoms: Files are enciphered and become inaccessible to any type of software. A ransom note with instructions for paying the ransom is shown as a “README.hta” file.
Distribution Method: Spam Emails, Email Attachments, File Sharing Networks, Malicious Executables on Torrent Trackers.

Technical Insight of The Cerber 4.1.0 Virus

Cerber 4.1.0, the version that preceded 4.1.1, does not differ much from the newer one. It is still as widespread as most Cerber iterations, like .cerber, .cerber2 and .cerber3 were, and it still uses a random file extension like all Cerber 4.0 variants. To help you understand how infection by Cerber 4.1.0 works, we explain it stage by stage below.

Stage 1: Distribution and Infection

To spread it, the creators of Cerber ransomware have used a very common technique: an exploit kit. And not just any exploit kit: they have run massive campaigns to distribute their ransomware via a very advanced and notorious one, the Rig EK. This collaboration may also involve the same people responsible for spreading Dridex malware and the 4.1.1 version’s malicious files. Whatever the case may be, you are most likely to get infected with Cerber by clicking on a fake, malicious web link (URL). But how do the attackers get a user to click such a link?

Malware researchers have identified several methods cyber-criminals may use to achieve this, and users should beware of them in the months to come:

  • Malicious URLs posted and concealed behind Facebook posts that only appear to be legitimate. Some Facebook viruses may take over whole profiles or create duplicate ones to make the posts seem more legitimate.
  • Web links posted via referral spam as comments on online forums and websites.
  • URLs that may be posted if your computer has been infected by other malware or a PUP (Potentially Unwanted Program).
  • Malicious web links that may have been displayed as fake search results by suspicious search engines.
  • URLs concealed behind fake social media buttons or others sent out as e-mail spam.

There are many other ways to cause an infection via a URL, but these are the primary ones researchers warn about. As soon as the future victim’s computer connects to the malicious URL, a so-called drive-by download takes place: the RIG Exploit Kit is downloaded and opened automatically, and this causes the infection.

Once the infection has taken place, the RIG Exploit Kit automatically connects to the web, more specifically to Cerber’s hosting web servers, to download the payload of the virus. And these servers are not one or two but tens, even hundreds, because the ransomware relies on advanced spamming methods.

After the exploit kit downloads the payload of Cerber 4.1.0, it may place it in the commonly used Windows folders and from there start injecting malicious scripts into legitimate Windows processes to perform malicious activities. The malicious payload may have different file formats as well as different names, for example:

[Image: commonly used file names and folders]

Stage 2: Post Infection Activity of Cerber 4.1.1

After infection, Cerber may modify the Windows Registry, creating custom registry entries that change the wallpaper, run the malicious executable responsible for encrypting the files, and perform other activities. The registry entries most likely targeted by this iteration of Cerber are:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
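A defender checking for this kind of persistence will usually export the autorun keys and review what launches from them. The following script is an added example written for this article, not code from the original post or from any tool it mentions: it parses a `.reg`-style export (the sample export is constructed, with hypothetical value names and paths) and flags values under the RunServicesOnce key named above. As a generalization it also audits the sibling Run and RunOnce keys, and it applies a heuristic of its own, not taken from the article, that treats commands launched from user-writable directories as suspicious.

```python
import re

# Autorun keys to audit. RunServicesOnce is the key named in the article;
# the Run/RunOnce siblings are included as a generalization (assumption).
AUTORUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)

# Directories a legitimate service rarely launches from (heuristic assumption,
# not from the article). Compared case-insensitively against the command line.
SUSPICIOUS_DIRS = ("%appdata%", "%temp%", "%localappdata%",
                   "\\appdata\\", "\\temp\\", "\\users\\public\\")

# Constructed .reg export: two ordinary entries plus one hypothetical entry
# under RunServicesOnce that launches from a user profile directory.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
"svchost_update"="C:\\Users\\victim\\AppData\\Roaming\\z33f\\svchost_update.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleApp"="C:\\Program Files\\Example\\example.exe /tray"
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
# "name"="data" with .reg escaping (backslashes and quotes are doubled/escaped).
VALUE_RE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"$')


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: data}} for string values."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        section = SECTION_RE.match(line)
        if section:
            current = section.group(1)
            entries.setdefault(current, {})
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            name, data = value.groups()
            # .reg files double every backslash; undo that for the stored command.
            entries[current][name] = data.replace("\\\\", "\\")
    return entries


def audit_autoruns(entries):
    """Return the autorun values worth a closer look, with the reason for each."""
    findings = []
    for key in AUTORUN_KEYS:
        for name, command in entries.get(key, {}).items():
            reasons = []
            if key.endswith("RunServicesOnce"):
                reasons.append("value under RunServicesOnce, the key used by this Cerber variant")
            if any(d in command.lower() for d in SUSPICIOUS_DIRS):
                reasons.append("launches from a user-writable directory")
            if reasons:
                findings.append({"key": key, "name": name,
                                 "command": command, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_autoruns(parse_reg(SAMPLE_REG)):
        print(f"{finding['key']}\\{finding['name']} -> {finding['command']}")
        for reason in finding["reasons"]:
            print(f"    * {reason}")
```

On a live system the export would come from `reg export` of each key in turn; the parser only handles plain string values, which is what autorun entries are. Values that legitimately live in a user profile (some updaters do) will also be flagged, so the output is a review list, not a verdict.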

After modifying the registry entries, the virus may begin the encryption procedure. The procedure may not be as sophisticated as it seems, but it generally targets the widely used file types, such as:

  • Videos.
  • Audio files.
  • Image files.
  • Database files.
  • Microsoft Word documents.
  • Microsoft Excel spreadsheets.
  • PowerPoint presentations.
  • Files associated with Adobe Photoshop.
  • Database files associated with different programs.
  • Virtual drives.
  • E-mail files (Microsoft Outlook).

After the files are encrypted, they receive the random A-Z 0-9 file extension typical of v4 Cerber variants, and their file names are changed as well:
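Two observable artefacts from the Threat Summary and the paragraph above, a four-character A-Z 0-9 extension on every encrypted file and a README.hta ransom note in the affected folders, are enough for a first triage pass over a suspect machine or backup. The script below is an added example written for this article, not code from the original post: it classifies file paths by those two indicators and reports the directories where both appear together. The sample directory tree it builds is constructed; the allowlist of legitimate four-letter extensions, the case-insensitive matching, and the assumption that one infection uses a single extension for the whole machine are this example's own, not stated by the article.

```python
import os
import re
import tempfile
from collections import Counter
from pathlib import PurePath

RANSOM_NOTE = "README.hta"  # ransom note file name from the article

# Four A-Z/0-9 characters as the article states; matched case-insensitively
# because the article's example extension (.z33f) is lowercase.
CERBER_EXT_RE = re.compile(r"^\.[a-z0-9]{4}$", re.IGNORECASE)

# Common legitimate four-character extensions (assumption) so ordinary
# documents are not reported as encrypted.
BENIGN_4CHAR = {".docx", ".xlsx", ".pptx", ".html", ".jpeg", ".json", ".java",
                ".mpeg", ".webm", ".webp", ".flac", ".tiff", ".heic", ".yaml",
                ".toml", ".conf"}


def is_cerber_like(path):
    """True when the extension has the v4 Cerber shape and is not a known format."""
    ext = PurePath(path).suffix
    return bool(CERBER_EXT_RE.match(ext)) and ext.lower() not in BENIGN_4CHAR


def classify_paths(paths):
    """Sort file paths into ransom notes and candidate encrypted files.

    Directories that hold both a README.hta and candidate files are the
    strongest signal and are reported separately as affected_dirs.
    """
    note_dirs = set()
    candidates = []
    for path in paths:
        p = PurePath(path)
        if p.name.lower() == RANSOM_NOTE.lower():
            note_dirs.add(str(p.parent))
        elif is_cerber_like(path):
            candidates.append(path)
    candidate_dirs = {str(PurePath(c).parent) for c in candidates}
    return {
        "ransom_note_dirs": sorted(note_dirs),
        "candidates": sorted(candidates),
        "affected_dirs": sorted(candidate_dirs & note_dirs),
        # One infection should yield one dominant extension (assumption);
        # a histogram makes a mix of extensions easy to spot.
        "extension_histogram": Counter(PurePath(c).suffix.lower() for c in candidates),
    }


def scan_tree(root):
    """Walk a directory tree and classify every regular file in it."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return classify_paths(paths)


def build_demo_tree():
    """Constructed sample tree: two 'hit' folders and one clean folder.

    The .z33f extension is the article's example; base names are made up.
    """
    root = tempfile.mkdtemp(prefix="cerber_triage_demo_")
    layout = {
        "Documents": ["budget.xlsx", "notes.txt", "a1B2c3D4e5.z33f",
                      "Qw9xYz01Lk.z33f", RANSOM_NOTE],
        "Pictures": ["holiday.jpeg", "7hG2kL0pQ1.z33f", RANSOM_NOTE],
        os.path.join("Program Files", "App"): ["app.exe", "config.json", "readme.html"],
    }
    for sub, names in layout.items():
        folder = os.path.join(root, sub)
        os.makedirs(folder, exist_ok=True)
        for name in names:
            with open(os.path.join(folder, name), "wb") as fh:
                fh.write(b"sample")  # placeholder content, not real ciphertext
    return root


if __name__ == "__main__":
    result = scan_tree(build_demo_tree())
    print("affected directories:", result["affected_dirs"])
    print("candidate encrypted files:", len(result["candidates"]))
    print("extension histogram:", dict(result["extension_histogram"]))
```

Point `scan_tree` at a mounted image or a backup set rather than the live disk where possible; the histogram is what tells you whether you are looking at one infection (one extension) or at unrelated four-letter files that slipped past the allowlist.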


After this has been done, Cerber ransomware changes the wallpaper to its distinctive 4.1.0 notification.


The note prompts users to open the Cerber 4.1.0 payment page, which includes more instructions on how to pay the ransom:


Remove Cerber 4.1.0 Ransomware and Restore Randomly Encrypted Files

The bottom line is that Cerber continues to evolve, and rather fast, almost as if it were competing with the other big “player” in the ransomware world, the Locky virus. Anyone who has become an unfortunate victim and sees the above image as a wallpaper is advised to remove the virus immediately and try the alternative methods in step “2. Restore files encrypted by Cerber 4.1.0” below.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.


1 Comment

  1. crapcbm

    removing is not the problem
    but as we can see here, you all only copy the removal, but have really no clue how to recrypt the files
    so poor … hanging brain?

