Update! According to user reports, the Cerber2 ransomware doesn't seem to seek out temporary files (.tmp). That makes it possible to recover some recent .doc and .xls files simply by opening their .tmp counterparts.
The talking ransomware is back with a bang – malware researchers from TrendMicro got their hands on samples of Cerber2 ransomware and have confirmed that it is the real deal. They have observed an enhancement in the key generation function, which could make this version harder for researchers to decrypt. This new variant of Cerber ransomware encrypts a little over 450 file types and gives victims five days to pay up. The initial ransom is 175 US dollars, to be paid in Bitcoin. After exactly five days the price doubles. Read the article carefully to see how to remove the ransomware and possibly decrypt your files.
| Field | Cerber2 |
|---|---|
| Short Description | The ransomware encrypts your files and shows a ransom note. You are given five days to pay; after that period the ransom price doubles. |
| Symptoms | The ransomware encrypts files and renames them to 10 random characters with the .cerber2 extension appended to each of them. |
| Distribution Method | Executables, Spam Emails, File Sharing Networks |
| Detection Tool | See If Your System Has Been Affected by Cerber2 (Malware Removal Tool) |
| User Experience | Join Our Forum to Discuss Cerber2. |
| Data Recovery Tool | Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files; it may not recover 100% of the encrypted files, only a few of them, depending on the situation and whether or not you have reformatted your drive. |
Cerber2 Ransomware – Infection Spread
The Cerber2 ransomware has been spotted in the wild, spreading through executables that use the icon of “Anka”, a video game character from the game bearing the same name; an example of the icon is shown here on the right. The ransomware might spread the executable through spam email campaigns, with the file as an attachment. Opening attachments of unknown origin or from suspicious emails is not advised. Social networks and file-sharing services could also host such files, so be wary of what you click, download and open. Exploit kits could be another possible entry point for the ransomware.
Cerber2 Ransomware – A Closer Look
He also found that Cerber2 ransomware has a blacklist of anti-malware programs (listed below) and that the ransomware is now wrapped (rather than shipped as a bare file) to make it harder to detect.
The blacklist is as follows:
- G Data
- Kaspersky Lab
Not only that, but the ransomware checks whether certain processes are active, and if they are, it shuts them down:
Afterward, Cerber2 ransomware encrypts files and places an image as a lock-screen, which is the ransom message. You can see a picture of it here:
The text from the ransom note reads:
Your documents, photos, databases, and other important files have been encrypted!
If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.
There is a list of temporary addresses to go on your personal page below:
If you go to any of the consecutive links, you will see these instructions loading in your browser:
Upon loading, the web page starts the countdown of a five-day “promotion”. The price asked at the beginning is 0.30 Bitcoins, amounting to 175 US dollars. If you pass that date without paying the crooks, the price doubles to 350 US dollars. It is not advised to pay cybercriminals – do not pay them, as this will support them and further aid their goals and criminal activity.
Cerber2 ransomware searches for files and encrypts more than 450 file extensions.
You can see all of them right here:
.1cd, .3dm, .3ds, .3fr, .3g2, .3gp, .3pr, .7z, .7zip, .aac, .ab4, .abd, .acc, .accdb, .accde, .accdr, .accdt, .ach, .acr, .act, .adb, .adp, .ads, .agdl, .ai, .aiff, .ait, .al, .aoi, .apj, .apk, .arw, .ascx, .asf, .asm, .asp, .aspx, .asset, .asx, .atb, .avi, .awg, .back, .backup, .backupdb, .bak, .bank, .bay, .bdb, .bgt, .bik, .bin, .bkp, .blend, .bmp, .bpw, .bsa, .c, .cash, .cdb, .cdf, .cdr, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .cdx, .ce1, .ce2, .cer, .cfg, .cfn, .cgm, .cib, .class, .cls, .cmt, .config, .contact, .cpi, .cpp, .cr2, .craw, .crt, .crw, .cry, .cs, .csh, .csl, .css, .csv, .d3dbsp, .dac, .das, .dat, .db, .db_journal, .db3, .dbf, .dbx, .dc2, .dcr, .dcs, .ddd, .ddoc, .ddrw, .dds, .def, .der, .des, .design, .dgc, .dgn, .dit, .djvu, .dng, .doc, .docm, .docx, .dot, .dotm, .dotx, .drf, .drw, .dtd, .dwg, .dxb, .dxf, .dxg, .edb, .eml, .eps, .erbsql, .erf, .exf, .fdb, .ffd, .fff, .fh, .fhd, .fla, .flac, .flb, .flf, .flv, .flvv, .forge, .fpx, .fxg, .gbr, .gho, .gif, .gray, .grey, .groups, .gry, .h, .hbk, .hdd, .hpp, .html, .ibank, .ibd, .ibz, .idx, .iif, .iiq, .incpas, .indd, .info, .info_, .ini, .iwi, .jar, .java, .jnt, .jpe, .jpeg, .jpg, .js, .json, .k2p, .kc2, .kdbx, .kdc, .key, .kpdx, .kwm, .laccdb, .lbf, .lck, .ldf, .lit, .litemod, .litesql, .lock, .log, .ltx, .lua, .m, .m2ts, .m3u, .m4a, .m4p, .m4v, .ma, .mab, .mapimail, .max, .mbx, .md, .mdb, .mdc, .mdf, .mef, .mfw, .mid, .mkv, .mlb, .mmw, .mny, .money, .moneywell, .mos, .mov, .mp3, .mp4, .mpeg, .mpg, .mrw, .msf, .msg, .myd, .nd, .ndd, .ndf, .nef, .nk2, .nop, .nrw, .ns2, .ns3, .ns4, .nsd, .nsf, .nsg, .nsh, .nvram, .nwb, .nx2, .nxl, .nyf, .oab, .obj, .odb, .odc, .odf, .odg, .odm, .odp, .ods, .odt, .ogg, .oil, .omg, .one, .orf, .ost, .otg, .oth, .otp, .ots, .ott, .p12, .p7b, .p7c, .pab, .pages, .pas, .pat, .pbf, .pcd, .pct, .pdb, .pdd, .pdf, .pef, .pem, .pfx, .php, .pif, .pl, .plc, .plus_muhd, .pm!, .pm, .pmi, .pmj, .pml, .pmm, .pmo, .pmr, .pnc, .pnd, .png, .pnx, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prf, .private, .ps, .psafe3, .psd, .pspimage, .pst, .ptx, .pub, .pwm, .py, .qba, .qbb, .qbm, .qbr, .qbw, .qbx, .qby, .qcow, .qcow2, .qed, .qtb, .r3d, .raf, .rar, .rat, .raw, .rdb, .re4, .rm, .rtf, .rvt, .rw2, .rwl, .rwz, .s3db, .safe, .sas7bdat, .sav, .save, .say, .sd0, .sda, .sdb, .sdf, .sh, .sldm, .sldx, .slm, .sql, .sqlite, .sqlite3, .sqlitedb, .sqlite-shm, .sqlite-wal, .sr2, .srb, .srf, .srs, .srt, .srw, .st4, .st5, .st6, .st7, .st8, .stc, .std, .sti, .stl, .stm, .stw, .stx, .svg, .swf, .sxc, .sxd, .sxg, .sxi, .sxm, .sxw, .tax, .tbb, .tbk, .tbn, .tex, .tga, .thm, .tif, .tiff, .tlg, .tlx, .txt, .upk, .usr, .vbox, .vdi, .vhd, .vhdx, .vmdk, .vmsd, .vmx, .vmxf, .vob, .vpd, .vsd, .wab, .wad, .wallet, .war, .wav, .wb2, .wma, .wmf, .wmv, .wpd, .wps, .x11, .x3f, .xis, .xla, .xlam, .xlk, .xlm, .xlr, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xps, .xxx, .ycbcra, .yuv, .zip
Extensions source: Bleeping Computer
All encrypted files get the .cerber2 extension. In addition, the file names are replaced with ten random characters. The Cerber2 ransomware is reported to use the Windows API CryptGenRandom to generate keys. This variant uses 256-bit keys.
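As an added triage example (not code from the article or from TrendMicro's research), the following Python helper flags files renamed in the way described above (ten random characters plus the .cerber2 extension) and lists any leftover .tmp files, which the update at the top of the article says may allow recovery of recent .doc and .xls documents. The character set of the random name is assumed to be letters, digits, "-" and "_", and the sample file names are constructed.

```python
"""Triage a folder tree suspected of being hit by Cerber2."""
import os
import re
import tempfile
from pathlib import Path

# Cerber2 renames encrypted files to 10 random characters plus .cerber2.
# Assumption: the random characters are letters, digits, '-' or '_'.
CERBER2_NAME = re.compile(r"^[A-Za-z0-9_-]{10}\.cerber2$")


def is_cerber2_name(filename: str) -> bool:
    """True when a file name matches the Cerber2 renaming scheme."""
    return CERBER2_NAME.match(filename) is not None


def triage(filenames):
    """Split file names into Cerber2-encrypted files, leftover .tmp files
    (possible recovery candidates) and everything else."""
    result = {"encrypted": [], "tmp_candidates": [], "other": []}
    for name in filenames:
        if is_cerber2_name(name):
            result["encrypted"].append(name)
        elif name.lower().endswith(".tmp"):
            result["tmp_candidates"].append(name)
        else:
            result["other"].append(name)
    return result


def scan_tree(root):
    """Walk a tree, returning the triage summary plus a per-folder count of
    encrypted files so the spread across a share can be reported."""
    names, per_dir = [], {}
    for dirpath, _, files in os.walk(root):
        hits = sum(1 for f in files if is_cerber2_name(f))
        if hits:
            per_dir[dirpath] = hits
        names.extend(files)
    summary = triage(names)
    summary["per_dir"] = per_dir
    return summary


if __name__ == "__main__":
    # Constructed sample tree: one encrypted file, one untouched document and
    # one Word temp file that may still hold the document's recent content.
    with tempfile.TemporaryDirectory() as tmp:
        docs = Path(tmp, "Documents")
        docs.mkdir()
        for n in ("Ab3xY9kLmQ.cerber2", "report.doc", "~WRL0001.tmp"):
            (docs / n).write_bytes(b"constructed sample")
        print(scan_tree(tmp))
```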
It is unknown whether Cerber2 ransomware deletes Shadow Volume Copies from the Windows operating system, but the possibility is very high.
Remove Cerber2 Ransomware and Restore .cerber2 Files
If your computer has been compromised and is infected with the Cerber2 ransomware, you should have some experience with removing malware before dealing with it. You should get rid of the ransomware quickly, before it can spread further on the network and encrypt other files. The recommended action is to remove the ransomware completely by following the step-by-step guide below.