
Remove Cerber2 Ransomware and Restore .cerber2 Encrypted Files


Update! According to user reports, Cerber2 does not appear to look for temporary files (.tmp). That makes it possible to recover some recent .doc and .xls files simply by opening their .tmp counterparts.

The talking ransomware is back with a bang: malware researchers from Trend Micro obtained samples of Cerber2 and confirmed that it is the real deal. They observed a change in the key-generation routine that makes this version harder for researchers to decrypt. The new variant encrypts a little over 450 file types and gives victims five days to pay. The initial ransom is 175 US dollars, payable in Bitcoin; after exactly five days the price doubles. Read on to see how to remove the ransomware and what options exist for recovering your files.

Threat Summary

Name: Cerber2
Type: Ransomware
Short Description: The ransomware encrypts your files and shows a ransom note. You are given five days to pay; after that period the ransom price doubles.
Symptoms: Files are encrypted and renamed to 10 random characters, with the .cerber2 extension appended to each of them.
Distribution Method: Executables, spam emails, file-sharing networks
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice: this product scans drive sectors to recover deleted files; it will not recover 100% of the encrypted files, only a few of them, depending on the situation and on whether the drive has been reformatted since.

Cerber2 Ransomware – Infection Spread

(Image: the “Anka” game-character icon used by the Cerber2 executable)

Cerber2 has been spotted in the wild spreading as an executable that uses the icon of “Anka”, a character from the video game of the same name; an example of the icon is shown above. The executable is likely distributed through spam email campaigns as an attachment, so do not open attachments of unknown origin or ones that arrive in suspicious emails. Social networks and file-sharing services may also host such files, so be wary of what you click, download and open. Exploit kits are another possible entry point for the ransomware.

Cerber2 Ransomware – A Closer Look

Cerber2 is the latest variant of Cerber ransomware. That was confirmed by the Trend Micro researcher @panicall, who obtained samples of the malware and analysed them thoroughly.

He also found that Cerber2 carries a blacklist of anti-malware products (listed below) and that the payload is now wrapped in a packer rather than shipped as a bare file, which makes it harder to detect.
The blacklist is as follows:

  • Arcabit
  • Arcavir
  • Avast
  • BitDefender
  • Bullguard
  • EmsiSoft
  • ESET
  • eTrust
  • F-Secure
  • G Data
  • Kaspersky Lab
  • LavaSoft
  • TrustPort

Not only that: the ransomware also checks whether any of the following processes are running and, if so, terminates them. These are applications that typically hold open handles to the documents, mailboxes and databases Cerber2 wants to encrypt; an open file can be locked against modification, so killing the owning process releases the lock before encryption starts:

  • excel.exe
  • infopath.exe
  • msaccess.exe
  • mspub.exe
  • onenote.exe
  • outlook.exe
  • powerpnt.exe
  • steam.exe
  • sqlservr.exe
  • thebat.exe
  • thebat64.exe
  • thunderbird.exe
  • visio.exe
  • winword.exe
  • wordpad.exe
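The process-termination behaviour above is a usable detection hook: a single process that obtains the PROCESS_TERMINATE right on several of these applications within seconds is far more likely to be ransomware than a user closing Word. The following is an added example written for this article (not code from the article, from Trend Micro or from the malware); it runs the logic over constructed Sysmon Event ID 10 (ProcessAccess) records. The source path "anka.exe", the timestamps, the 60-second window and the threshold of three distinct targets are all assumptions of this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# The processes the article says Cerber2 terminates before it starts encrypting.
KILL_LIST = {
    "excel.exe", "infopath.exe", "msaccess.exe", "mspub.exe", "onenote.exe",
    "outlook.exe", "powerpnt.exe", "steam.exe", "sqlservr.exe", "thebat.exe",
    "thebat64.exe", "thunderbird.exe", "visio.exe", "winword.exe", "wordpad.exe",
}
PROCESS_TERMINATE = 0x0001          # the access right TerminateProcess() needs
WINDOW = timedelta(seconds=60)      # how close together the kills must be (assumed)
THRESHOLD = 3                       # distinct listed targets before alerting (assumed)

# Constructed Sysmon Event ID 10 (ProcessAccess) records for this example;
# the "anka.exe" path is invented here and is not an indicator from the article.
SAMPLE_EVENTS = [
    {"UtcTime": "2016-08-05 10:00:01", "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE", "GrantedAccess": "0x1"},
    {"UtcTime": "2016-08-05 10:02:00", "SourceImage": r"C:\Users\victim\AppData\Local\Temp\anka.exe",
     "TargetImage": r"C:\Program Files\Microsoft Office\Office16\OUTLOOK.EXE", "GrantedAccess": "0x1"},
    {"UtcTime": "2016-08-05 10:02:00", "SourceImage": r"C:\Users\victim\AppData\Local\Temp\anka.exe",
     "TargetImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE", "GrantedAccess": "0x1"},
    {"UtcTime": "2016-08-05 10:02:01", "SourceImage": r"C:\Users\victim\AppData\Local\Temp\anka.exe",
     "TargetImage": r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE", "GrantedAccess": "0x1FFFFF"},
    {"UtcTime": "2016-08-05 10:02:01", "SourceImage": r"C:\Users\victim\AppData\Local\Temp\anka.exe",
     "TargetImage": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe", "GrantedAccess": "0x1"},
    {"UtcTime": "2016-08-05 10:03:00", "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Program Files\Microsoft Office\Office16\OUTLOOK.EXE", "GrantedAccess": "0x1400"},
    {"UtcTime": "2016-08-05 10:03:00", "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE", "GrantedAccess": "0x1400"},
]


def target_name(image_path: str) -> str:
    """Basename of a Windows image path, lower-cased for comparison."""
    return image_path.rsplit("\\", 1)[-1].lower()


def detect_mass_kill(events, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per source image that obtained PROCESS_TERMINATE on
    at least `threshold` distinct listed processes inside any `window`."""
    per_source = defaultdict(list)                 # source image -> [(time, target)]
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        if not int(ev["GrantedAccess"], 16) & PROCESS_TERMINATE:
            continue                               # query/read handles are not kills
        target = target_name(ev["TargetImage"])
        if target not in KILL_LIST:
            continue
        stamp = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")
        per_source[ev["SourceImage"]].append((stamp, target))

    alerts = []
    for source, hits in per_source.items():        # hits are already in time order
        for i, (start, _) in enumerate(hits):
            in_window = {t for stamp, t in hits[i:] if stamp - start <= window}
            if len(in_window) >= threshold:
                alerts.append({"source": source, "first_seen": start,
                               "targets": sorted(in_window)})
                break                              # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_kill(SAMPLE_EVENTS):
        print(f"{alert['first_seen']} {alert['source']} terminated: {', '.join(alert['targets'])}")
```

Two caveats when deploying this. Sysmon only records ProcessAccess events for target images its configuration names, so the Office, mail and database binaries above must be in the ProcessAccess rules (EDR telemetry of the same shape works just as well). And a full-access handle such as 0x1FFFFF includes the terminate bit, which is why the check is a bit test rather than an equality test; a variant that spawned taskkill instead of calling TerminateProcess directly would appear as process creation, not as a handle open, and needs a separate rule.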

Cerber2 then encrypts the files and sets an image as the desktop lock-screen, which serves as the ransom message. You can see a picture of it here:

(Image: Cerber2 ransom note displayed as the desktop lock-screen)

The text from the ransom note reads:

Your documents, photos, databases, and other important files have been encrypted!
If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.

There is a list of temporary addresses to go on your personal page below:

Opening any of those links loads these instructions in your browser:

(Image: the Cerber2 payment instructions page)

On loading, the web page starts the countdown of a five-day “promotion”. The initial price is 0.30 Bitcoin, which amounted to 175 US dollars at the time. If the deadline passes without payment, the price doubles to 350 US dollars (0.60 Bitcoin). Do not pay the cybercriminals: paying funds them and their further criminal activity, and it carries no guarantee that you will receive a working decryptor.

Cerber2 searches for and encrypts files with more than 450 extensions.
The full list follows:

(Image: a file encrypted by Cerber2, renamed to ten random characters with the .cerber2 extension)

→.1cd, .3dm, .3ds, .3fr, .3g2, .3gp, .3pr, .7z, .7zip, .aac, .ab4, .abd, .acc, .accdb, .accde, .accdr, .accdt, .ach, .acr, .act, .adb, .adp, .ads, .agdl, .ai, .aiff, .ait, .al, .aoi, .apj, .apk, .arw, .ascx, .asf, .asm, .asp, .aspx, .asset, .asx, .atb, .avi, .awg, .back, .backup, .backupdb, .bak, .bank, .bay, .bdb, .bgt, .bik, .bin, .bkp, .blend, .bmp, .bpw, .bsa, .c, .cash, .cdb, .cdf, .cdr, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .cdx, .ce1, .ce2, .cer, .cfg, .cfn, .cgm, .cib, .class, .cls, .cmt, .config, .contact, .cpi, .cpp, .cr2, .craw, .crt, .crw, .cry, .cs, .csh, .csl, .css, .csv, .d3dbsp, .dac, .das, .dat, .db, .db_journal, .db3, .dbf, .dbx, .dc2, .dcr, .dcs, .ddd, .ddoc, .ddrw, .dds, .def, .der, .des, .design, .dgc, .dgn, .dit, .djvu, .dng, .doc, .docm, .docx, .dot, .dotm, .dotx, .drf, .drw, .dtd, .dwg, .dxb, .dxf, .dxg, .edb, .eml, .eps, .erbsql, .erf, .exf, .fdb, .ffd, .fff, .fh, .fhd, .fla, .flac, .flb, .flf, .flv, .flvv, .forge, .fpx, .fxg, .gbr, .gho, .gif, .gray, .grey, .groups, .gry, .h, .hbk, .hdd, .hpp, .html, .ibank, .ibd, .ibz, .idx, .iif, .iiq, .incpas, .indd, .info, .info_, .ini, .iwi, .jar, .java, .jnt, .jpe, .jpeg, .jpg, .js, .json, .k2p, .kc2, .kdbx, .kdc, .key, .kpdx, .kwm, .laccdb, .lbf, .lck, .ldf, .lit, .litemod, .litesql, .lock, .log, .ltx, .lua, .m, .m2ts, .m3u, .m4a, .m4p, .m4v, .ma, .mab, .mapimail, .max, .mbx, .md, .mdb, .mdc, .mdf, .mef, .mfw, .mid, .mkv, .mlb, .mmw, .mny, .money, .moneywell, .mos, .mov, .mp3, .mp4, .mpeg, .mpg, .mrw, .msf, .msg, .myd, .nd, .ndd, .ndf, .nef, .nk2, .nop, .nrw, .ns2, .ns3, .ns4, .nsd, .nsf, .nsg, .nsh, .nvram, .nwb, .nx2, .nxl, .nyf, .oab, .obj, .odb, .odc, .odf, .odg, .odm, .odp, .ods, .odt, .ogg, .oil, .omg, .one, .orf, .ost, .otg, .oth, .otp, .ots, .ott, .p12, .p7b, .p7c, .pab, .pages, .pas, .pat, .pbf, .pcd, .pct, .pdb, .pdd, .pdf, .pef, .pem, .pfx, .php, .pif, .pl, .plc, .plus_muhd, .pm!, .pm, .pmi, .pmj, .pml, .pmm, .pmo, .pmr, .pnc, .pnd, .png, .pnx, .pot, .potm, .potx, .ppam, .pps, .ppsm, 
.ppsx, .ppt, .pptm, .pptx, .prf, .private, .ps, .psafe3, .psd, .pspimage, .pst, .ptx, .pub, .pwm, .py, .qba, .qbb, .qbm, .qbr, .qbw, .qbx, .qby, .qcow, .qcow2, .qed, .qtb, .r3d, .raf, .rar, .rat, .raw, .rdb, .re4, .rm, .rtf, .rvt, .rw2, .rwl, .rwz, .s3db, .safe, .sas7bdat, .sav, .save, .say, .sd0, .sda, .sdb, .sdf, .sh, .sldm, .sldx, .slm, .sql, .sqlite, .sqlite3, .sqlitedb, .sqlite-shm, .sqlite-wal, .sr2, .srb, .srf, .srs, .srt, .srw, .st4, .st5, .st6, .st7, .st8, .stc, .std, .sti, .stl, .stm, .stw, .stx, .svg, .swf, .sxc, .sxd, .sxg, .sxi, .sxm, .sxw, .tax, .tbb, .tbk, .tbn, .tex, .tga, .thm, .tif, .tiff, .tlg, .tlx, .txt, .upk, .usr, .vbox, .vdi, .vhd, .vhdx, .vmdk, .vmsd, .vmx, .vmxf, .vob, .vpd, .vsd, .wab, .wad, .wallet, .war, .wav, .wb2, .wma, .wmf, .wmv, .wpd, .wps, .x11, .x3f, .xis, .xla, .xlam, .xlk, .xlm, .xlr, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xps, .xxx, .ycbcra, .yuv, .zip

Extensions source: Bleeping Computer

Every encrypted file gets the .cerber2 extension, and its original name is replaced with ten random characters, so the file name is lost together with the content. Cerber2 is reported to use the Windows API CryptGenRandom to generate keys, and this variant uses 256-bit keys. CryptGenRandom is the operating system's cryptographic random number generator, so the keys cannot be predicted from the time of infection or any other observable input; recovery therefore depends on obtaining the key, or on a flaw in the implementation, not on guessing it.
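A first-response triage ties the naming rule just described to the extension list above and to the .tmp recovery hint from the update at the top of the article: count what is already encrypted, list the targeted files that are still readable (back those up first), and list Office temporary files that may hold recent content. The scanner below is an added example written for this article, not code from the article or from any vendor tool. The character class used for the ten random characters, the small subset of the extension list, and the sample directory it builds are all assumptions of the example.

```python
import os
import re
import tempfile
from pathlib import Path

# The article says encrypted files get ten random characters plus ".cerber2".
# The character class below (letters, digits, underscore, hyphen) is an
# assumption of this example; widen it if your own samples show other characters.
CERBER2_NAME = re.compile(r"^[A-Za-z0-9_-]{10}\.cerber2$")

# A handful of the 450+ extensions listed above, enough to drive the triage.
TARGETED = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".kdbx", ".pst", ".sqlite"}


def is_cerber2_name(name: str) -> bool:
    """True if a file name matches the Cerber2 rename pattern."""
    return CERBER2_NAME.match(name) is not None


def triage(root: Path) -> dict:
    """Walk root and sort files into: encrypted by Cerber2, targeted types that
    are still intact (back these up first), and .tmp files that may hold recent
    Office content and are worth opening before anything else is touched."""
    report = {"encrypted": [], "intact_targets": [], "tmp_candidates": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            suffix = path.suffix.lower()
            if is_cerber2_name(name):
                report["encrypted"].append(path)
            elif suffix == ".tmp":
                report["tmp_candidates"].append(path)
            elif suffix in TARGETED:
                report["intact_targets"].append(path)
    for key in report:
        report[key].sort()
    return report


def build_sample_tree() -> Path:
    """Constructed directory tree standing in for a victim's profile (sample data)."""
    root = Path(tempfile.mkdtemp(prefix="cerber2-triage-"))
    docs = root / "Documents"
    docs.mkdir()
    (docs / "aB3_x9-Qz1.cerber2").write_bytes(os.urandom(64))        # encrypted
    (docs / "Kq8Lm2Ns0P.cerber2").write_bytes(os.urandom(64))        # encrypted
    (docs / "~WRL0003.tmp").write_bytes(b"Word autosave fragment")   # survives
    (docs / "budget.xlsx").write_bytes(b"still readable")            # not yet hit
    (docs / "notes.cerber2").write_bytes(b"x")     # five characters: not the pattern
    (root / "setup.exe").write_bytes(b"MZ")        # not a targeted type
    return root


if __name__ == "__main__":
    report = triage(build_sample_tree())
    for key, paths in report.items():
        print(f"{key}: {len(paths)}")
        for p in paths:
            print("   ", p.name)
```

Run it against a user profile or a mounted image of the disk, never against the live system before the ransomware has been removed, since anything you create while it is still running is also at risk. Because the match is strict (exactly ten characters before .cerber2), a file whose name does not fit lands in neither bucket; loosen the pattern rather than trust a zero count if real samples disagree with the assumed character class.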

It is not yet known whether Cerber2 deletes the Shadow Volume Copies that Windows keeps, but the possibility is very high, as this is how most ransomware blocks easy recovery. Before relying on them, check whether any copies survive by running vssadmin list shadows from an elevated command prompt.

Remove Cerber2 Ransomware and Restore .cerber2 Files

If your computer has been compromised and infected with Cerber2, you should have some experience removing malware before dealing with it. Disconnect the machine from the network and remove the ransomware quickly, before it can spread to other systems and encrypt more files. The recommended action is to remove the ransomware completely by following the step-by-step guide below.

Manually delete Cerber2 from your computer

Note! Important notice about the Cerber2 threat: manual removal of Cerber2 requires editing system files and the registry, and can damage your PC if done incorrectly. Even if your computer skills are not at a professional level, don't worry: you can do the removal yourself in about 5 minutes using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Cerber2 files and objects.
2. Find malicious files created by Cerber2 on your PC.
3. Fix registry entries created by Cerber2 on your PC.

Automatically remove Cerber2 by downloading an advanced anti-malware program

1. Remove Cerber2 with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by Cerber2 in the future
3. Restore files encrypted by Cerber2
Optional: Using Alternative Anti-Malware Tools

Berta Bilbao

Berta is the Editor-in-Chief of SensorsTechForum. She is a dedicated malware researcher, dreaming of a more secure cyber space.


  • FCantin

    Unfortunately, I can confirm that Cerber2 ransomware deletes Shadow Volume Copies from the Windows operating system. At least, it’s what happened on my PC.

    • Hi FCantin,

      What actions have you taken so far?

      • FCantin

        First of all, I got rid of the ransomware with SpyHunter (Enigma Software) and restored my registry with RegHunter (Enigma Software). Then I tried, without much success, to restore the encrypted files with Stellar Phoenix Windows Data Recovery, Recuva, EaseUS Data Recovery and Jihosoft File Recovery… In fact, I was only able to restore a few pictures (maybe 50 out of 1000!!!).
        On the other hand, I have to say that Stellar Phoenix helped me restore some important .doc (Microsoft Word) and .pdf files. Also, take note that Cerber2 doesn’t seem to search for Word temporary files (.tmp). So it’s possible to recover some of your recent .doc files by simply opening the .tmp files.
        In short, I’ve lost some important data, but one thing I know for sure, I will not pay the F**KING RANSOM ! They can go f**k themselves ! 😉

        • Hi FCantin,

          Thank you for the information! And don't forget to back up your data from now on!
