Remove Cerber2 Ransomware and Restore .cerber2 Encrypted Files - How to, Technology and PC Security Forum |

Remove Cerber2 Ransomware and Restore .cerber2 Encrypted Files


Update! According to reports of users the Cerber2 ransomware doesn’t seem to seek for temporary files (.tmp). That makes possible for the recovery of some recent .doc and .xls files by just opening their .tmp counterpart files.

The talking ransomware is back with a bang – malware researchers from TrendMicro got their hands on samples of Cerber2 ransomware and have confirmed that it is the real deal. They have observed an enhancement in the key generation function, so it can be harder for the researchers to decrypt this version. This new variant of Cerber ransomware encrypts a little over than 450 file types and gives five days to victims to pay up. The ransom which is asked initially is 175 US dollars and demanded to be paid in Bitcoins. After exactly five days the price doubles. Carefully read the article to see how to remove the ransomware and possibly decrypt your files.

Threat Summary

Short DescriptionThe ransomware will encrypt your files and show a ransom note. You are given five days to pay, and after that period the ransom price doubles.
SymptomsThe ransomware will encrypt files, and change their names with 10 random characters and the .cerber2 extension appended to each of them.
Distribution MethodExecutables, Spam Emails, File Sharing Networks
Detection Tool See If Your System Has Been Affected by Cerber2


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss Cerber2.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Cerber2 Ransomware – Infection Spread


The Cerber2 ransomware has been spotted in the wild, spreading through executables, which use the icon of “Anka”. That is a video game character from the game bearing its name, and you can see an example of how the icon could look like, here on the right. The ransomware might spread the executable through spam email campaigns – putting the file as an attachment. Opening attachments of unknown origin or ones that come from suspicious emails is not advised. Social networks and file-sharing services could also have such files inside them, so be wary of what you click, download and open. Exploit Kits could be a possible entry point for the ransomware.

Cerber2 Ransomware – A Closer Look

Cerber2 is the latest variant of Cerber ransomware. That was confirmed by the TrendMicro researcher @panicall who received samples of the malware and had a thorough look at it.

He also found that Cerber2 ransomware has a blacklist for anti-malware programs (listed below) and that the ransomware is now wrapped (and not a bare file) to make it harder to be detected.
The blacklist is as follows:

  • Arcabit
  • Arcavir
  • Avast
  • BitDefender
  • Bullguard
  • EmsiSoft
  • ESET
  • eTrust
  • F-Secure
  • G Data
  • Kaspersky Lab
  • LavaSoft
  • TrustPort

Not only that, but the ransomware checks whether certain processes are active, and if they are, it shuts them down:

  • excel.exe
  • infopath.exe
  • msaccess.exe
  • mspub.exe
  • onenote.exe
  • outlook.exe
  • powerpnt.exe
  • steam.exe
  • sqlservr.exe
  • thebat.exe
  • thebat64.exe
  • thunderbird.exe
  • visio.exe
  • winword.exe
  • wordpad.exe

Afterward, Cerber2 ransomware encrypts files and places an image as a lock-screen, which is the ransom message. You can see a picture of it here:


The text from the ransom note reads:

Your documents, photos, databases, and other important files have been encrypted!
If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.

There is a list of temporary addresses to go on your personal page below:

If you go to any of the consecutive links, you will see these instructions loading in your browser:


Upon loading, the web page initiates the countdown counter of a five-day “promotion”. The price that is asked in the beginning is 0.30 Bitcoins and amounts to 175 US dollars. If you go past that date without paying the crooks, your price will be double and amount to 350 US dollars. It is not advised to pay cybercriminals – do not pay them, as this will support them and aid their goals and criminal activity further.

Cerber2 ransomware searches files and encrypts more than 450 file extensions.
You could see all of them right here:


→.1cd, .3dm, .3ds, .3fr, .3g2, .3gp, .3pr, .7z, .7zip, .aac, .ab4, .abd, .acc, .accdb, .accde, .accdr, .accdt, .ach, .acr, .act, .adb, .adp, .ads, .agdl, .ai, .aiff, .ait, .al, .aoi, .apj, .apk, .arw, .ascx, .asf, .asm, .asp, .aspx, .asset, .asx, .atb, .avi, .awg, .back, .backup, .backupdb, .bak, .bank, .bay, .bdb, .bgt, .bik, .bin, .bkp, .blend, .bmp, .bpw, .bsa, .c, .cash, .cdb, .cdf, .cdr, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .cdx, .ce1, .ce2, .cer, .cfg, .cfn, .cgm, .cib, .class, .cls, .cmt, .config, .contact, .cpi, .cpp, .cr2, .craw, .crt, .crw, .cry, .cs, .csh, .csl, .css, .csv, .d3dbsp, .dac, .das, .dat, .db, .db_journal, .db3, .dbf, .dbx, .dc2, .dcr, .dcs, .ddd, .ddoc, .ddrw, .dds, .def, .der, .des, .design, .dgc, .dgn, .dit, .djvu, .dng, .doc, .docm, .docx, .dot, .dotm, .dotx, .drf, .drw, .dtd, .dwg, .dxb, .dxf, .dxg, .edb, .eml, .eps, .erbsql, .erf, .exf, .fdb, .ffd, .fff, .fh, .fhd, .fla, .flac, .flb, .flf, .flv, .flvv, .forge, .fpx, .fxg, .gbr, .gho, .gif, .gray, .grey, .groups, .gry, .h, .hbk, .hdd, .hpp, .html, .ibank, .ibd, .ibz, .idx, .iif, .iiq, .incpas, .indd, .info, .info_, .ini, .iwi, .jar, .java, .jnt, .jpe, .jpeg, .jpg, .js, .json, .k2p, .kc2, .kdbx, .kdc, .key, .kpdx, .kwm, .laccdb, .lbf, .lck, .ldf, .lit, .litemod, .litesql, .lock, .log, .ltx, .lua, .m, .m2ts, .m3u, .m4a, .m4p, .m4v, .ma, .mab, .mapimail, .max, .mbx, .md, .mdb, .mdc, .mdf, .mef, .mfw, .mid, .mkv, .mlb, .mmw, .mny, .money, .moneywell, .mos, .mov, .mp3, .mp4, .mpeg, .mpg, .mrw, .msf, .msg, .myd, .nd, .ndd, .ndf, .nef, .nk2, .nop, .nrw, .ns2, .ns3, .ns4, .nsd, .nsf, .nsg, .nsh, .nvram, .nwb, .nx2, .nxl, .nyf, .oab, .obj, .odb, .odc, .odf, .odg, .odm, .odp, .ods, .odt, .ogg, .oil, .omg, .one, .orf, .ost, .otg, .oth, .otp, .ots, .ott, .p12, .p7b, .p7c, .pab, .pages, .pas, .pat, .pbf, .pcd, .pct, .pdb, .pdd, .pdf, .pef, .pem, .pfx, .php, .pif, .pl, .plc, .plus_muhd, .pm!, .pm, .pmi, .pmj, .pml, .pmm, .pmo, .pmr, .pnc, .pnd, .png, .pnx, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx,.ppt, .pptm, .pptx, .prf, .private, .ps, .psafe3, .psd, .pspimage, .pst, .ptx, .pub, .pwm, .py, .qba, .qbb, .qbm, .qbr, .qbw, .qbx, .qby, .qcow, .qcow2, .qed, .qtb, .r3d, .raf, .rar, .rat, .raw, .rdb, .re4, .rm, .rtf, .rvt, .rw2, .rwl, .rwz, .s3db, .safe, .sas7bdat, .sav, .save, .say, .sd0, .sda, .sdb, .sdf, .sh, .sldm, .sldx, .slm, .sql, .sqlite, .sqlite3, .sqlitedb, .sqlite-shm, .sqlite-wal, .sr2, .srb, .srf, .srs, .srt, .srw, .st4, .st5, .st6, .st7, .st8, .stc, .std, .sti, .stl, .stm, .stw, .stx, .svg, .swf, .sxc, .sxd, .sxg, .sxi, .sxm, .sxw, .tax, .tbb, .tbk, .tbn, .tex, .tga, .thm, .tif, .tiff, .tlg, .tlx, .txt, .upk, .usr, .vbox, .vdi, .vhd, .vhdx, .vmdk, .vmsd, .vmx, .vmxf, .vob, .vpd, .vsd, .wab, .wad, .wallet, .war, .wav, .wb2, .wma, .wmf, .wmv, .wpd, .wps, .x11, .x3f, .xis, .xla, .xlam, .xlk, .xlm, .xlr, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xps, .xxx, .ycbcra, .yuv, .zip

Extensions source: Bleeping Computer

All files will get encrypted with the .cerber2 extension. In addition, the file names are renamed with ten random characters. The Cerber2 ransomware is reported to uses Windows API CryptGenRandom to generate keys. This variant uses 256-bit keys.

It is unknown whether Cerber2 ransomware deletes Shadow Volume Copies from the Windows operating system, but the possibility is very high.

Remove Cerber2 Ransomware and Restore .cerber2 Files

If your computer got compromised and is infected with the Cerber2 ransomware, you should have some experience with removing malware before dealing with it. You should get rid of the ransomware quickly before it can spread further on the network and encrypt other files. The recommended action for you to take is removing the ransomware completely by following the step-by-step instructions guide written down below.


Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.

More Posts


  1. AvatarFCantin

    Unfortunately, I can confirm that Cerber2 ransomware deletes Shadow Volume Copies from the Windows operating system. At least, it’s what happened on my PC.

    1. SensorsTechForumSensorsTechForum

      Hi FCantin,

      What actions have you taken so far?

      1. AvatarFCantin

        First of all, I got rid of the ransomware with SpyHunter (Enigma Software) and restore my registry with RegHunter (Enigma Software). Then I tried, without much success, to restore the encrypted files with: Stellar Phoenix Windows Data Recovery, Recuva, EaseUS Data Recovery and Jihosoft File Recovery… In fact, I was only able to restore a few pictures (maybe 50 out of 1000 !!!).
        On the other hand, I have to say that Stellar Phoenix helped me restore some important .doc (Microsoft Word) and .pdf files. Also, take note that Cerber2 doesn’t seem to search for Word temporary files (.tmp). So it’s possible to recover some of your recent .doc files by simply opening the .tmp files.
        In short, I’ve lost some important data, but one thing I know for sure, I will not pay the F**KING RANSOM ! They can go f**k themselves ! ;)

        1. SensorsTechForumSensorsTechForum

          Hi FCantin,

          Thank you for the information! And don’t forget to backup your data from now on!


Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share