Yet another version of Gerber ransomware has been detected in the wild, following its predecessor, Gerber Ransomware version 1. The virus closely resembles another notorious ransomware family, Cerber Ransomware 5.0. Like the others, its purpose is to encrypt the files on the computers it compromises and append its own extension, in this case .gerber5, and then extort the victim into paying a ransom in Bitcoin or another cryptocurrency to regain access to the files on the infected machine. If your computer has been infected by Gerber Ransomware 5.0, we recommend that you read the article below.
|Name||Gerber Ransomware 5.0|
|Short Description||A variant of Gerber Ransomware. Encrypts files and holds them hostage until the victim pays a ransom.|
|Symptoms||Files end in the .gerber5 file suffix. The wallpaper is changed to Gerber 5’s custom one. A ransom note, called GRBR Decryptor is added and automatically opens with the extortion message.|
|Distribution Method||Spam Emails, Email Attachments, Executable files|
Gerber Ransomware 5.0 – Distribution Methods
The primary method this ransomware uses to spread is e-mail: messages with fake statements carry attachments designed to convince the victim to open an obfuscated payload, whose job is to infect the PC silently.
One of those e-mails may look like the image below:
Besides e-mail, Gerber ransomware may also be hosted on compromised websites to catch hasty or inexperienced users. The malicious download may be served directly or through an exploit kit; either way, the payload of Gerber Ransomware 5.0 is downloaded onto the victim's computer and executed automatically, often without being flagged by conventional antivirus protection.
The dropper files associated with this malware may be disguised as:
- Software cracks.
- License activators.
- Portable programs.
- Other activation software.
Gerber Ransomware 5.0 – More Information
Once the ransomware has infected your computer, Gerber 5.0 drops its malicious file, SashaSnider.exe, in the following Windows directory:
The file then performs the following suspicious activities on the victim's computer:
- Writes a file to the Start Menu folder.
- Modifies files directly in Google Chrome's extensions directory.
- Performs actions consistent with data theft.
- Creates a ransom note file, called GRBR Decryptor.
- Modifies the Windows Registry.
- Reads the cookies of Mozilla Firefox.
- Changes the wallpaper on the victim PC.
- May hide folders by writing data into the desktop.ini file.
When Gerber Ransomware 5.0 attacks your computer, the following Windows registry sub-key may be modified (it holds the wallpaper settings, which matches the wallpaper change noted above):
→ HKEY_CURRENT_USER\Control Panel\Desktop
The virus also modifies hundreds of files on the compromised machine, as reported in any.run's automated analysis.
Furthermore, the ransomware changes the wallpaper of the infected machine and automatically opens the GRBR Decryptor ransom note to notify the victim of what has happened:
Gerber Ransomware 5.0 – Encryption Process
Before Gerber Ransomware 5.0 encrypts the files on a compromised computer, it may perform several preparatory steps. One of them is to scan the files on the infected machine while skipping important Windows directories, such as:
Once the scan is complete, Gerber Ransomware 5.0 encrypts only files that matter to the user and are used frequently, such as:
- Audio files.
- Files on virtual drives.
- Files on removable (flash) drives.
Each encrypted file is given a fairly unique extension made of mixed upper- and lowercase letters, for example .MfDaC. After this unique extension, the suffix “.gerber5” is appended to the end of each file name. The encrypted files usually look like the following image:
After encryption has completed, Gerber Ransomware 5.0 makes sure that the user sees the virus's ransom note at all times.
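The two-part extension described above is the most reliable host-based indicator a responder has, because the ransom note and wallpaper can be cleaned up before anyone looks. The following Python helper is an added example, not code from the article or from the Gerber sample: it recognises the `<name>.<mixed-case letters>.gerber5` pattern, recovers the likely original file name, and adds a byte-entropy check to confirm that a renamed file actually contains ciphertext rather than a plaintext file that was merely renamed. The file names below are constructed for illustration, and the assumption that the inner token is a run of 1 to 16 ASCII letters is based only on the single `.MfDaC` example on the page.

```python
import math
import ntpath
import os
import re
from collections import Counter
from typing import Iterable, List, Optional, Tuple

# "<original name>.<mixed-case letters>.gerber5", as described in the article.
# ASSUMPTION: the inner token is 1-16 ASCII letters; only ".MfDaC" is shown on the page.
GERBER5_NAME = re.compile(r"^(?P<original>.+)\.(?P<token>[A-Za-z]{1,16})\.gerber5$")


def parse_gerber5_name(path: str) -> Optional[Tuple[str, str]]:
    """Return (original_name, token) if the file name follows the Gerber 5 pattern, else None.

    ntpath.basename is used so Windows-style paths are split correctly even when this
    runs on a Linux analysis box.
    """
    m = GERBER5_NAME.match(ntpath.basename(path))
    if not m:
        return None
    return m.group("original"), m.group("token")


def find_encrypted(listing: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Filter a file listing down to Gerber 5 victims as (path, original_name, token)."""
    hits = []
    for path in listing:
        parsed = parse_gerber5_name(path)
        if parsed:
            hits.append((path, parsed[0], parsed[1]))
    return hits


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniformly distributed one."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """Ciphertext sits near 8 bits/byte; office documents and text sit well below.

    Already-compressed media (JPEG, MP3) is also high-entropy, so use this together
    with the name pattern, not on its own.
    """
    return shannon_entropy(data) >= threshold


def scan_directory(root: str) -> List[Tuple[str, str, str, bool]]:
    """Walk root and report each .gerber5 file with its recovered name, token and
    whether its first 4 KiB is high-entropy (i.e. really encrypted)."""
    results = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            parsed = parse_gerber5_name(name)
            if not parsed:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(4096)
            results.append((path, parsed[0], parsed[1], looks_encrypted(head)))
    return results


if __name__ == "__main__":
    # Constructed sample listing for illustration, not taken from a real infection.
    sample = [
        r"C:\Users\victim\Documents\report.docx.MfDaC.gerber5",
        r"C:\Users\victim\Music\track01.mp3.QzrTp.gerber5",
        r"C:\Users\victim\Documents\budget.xlsx",  # untouched file
        r"C:\Windows\System32\kernel32.dll",       # system directory, skipped by the malware
    ]
    for path, original, token in find_encrypted(sample):
        print(f"{path}\n  original: {original}\n  token:    {token}")
```

Because the original extension is preserved inside the new name, a recovered listing also tells you which file types were hit, which is useful when deciding what to restore from backup first. `scan_directory` is the function to point at a mounted image of the victim disk; the other helpers work on a plain file listing.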
Remove Gerber Ransomware 5.0 and Try Restoring .gerber5 Files
Before removing Gerber Ransomware 5.0, we advise you to back up your data first, so that nothing is lost if the removal goes wrong.
For the actual removal, we have prepared instructions that you can follow to remove Gerber Ransomware either manually or automatically. For maximum effectiveness, security professionals recommend removing Gerber Ransomware 5.0 with the help of an advanced anti-malware tool, which can make sure that all of the objects and files the virus created on your computer are detected and removed.
If you then want to try to recover files encrypted by Gerber Ransomware 5.0, follow the recovery instructions below this article. They are intended to help you recover as many .gerber5 files as possible, but bear in mind that these methods are not a 100% guarantee of recovery.