Gerber Ransomware 5.0 (.gerber5) - How to Remove It


This blog post explains what the Gerber 5 ransomware virus is, how to remove it, and how to try to restore .gerber5 encrypted files.

Yet another version of Gerber ransomware has been detected in the wild, following its predecessor, Gerber Ransomware version 1. The virus is very close to another notorious ransom virus, called Cerber Ransomware 5.0. The main purpose of these viruses is to encrypt the files on the computers they compromise and then add their own file extension, which in this case is .gerber5, in order to extort victims into paying a ransom in BitCoin or other cryptocurrencies to be able to use the files on the infected machine once again. If your computer has been infected by Gerber Ransomware 5.0, we recommend that you read the article underneath.

Threat Summary

Name: Gerber Ransomware 5.0
Type: Ransomware, Cryptovirus
Short Description: A variant of Gerber Ransomware. Encrypts files and holds them hostage until the victim pays ransom.
Symptoms: Files end in the .gerber5 file suffix. The wallpaper is changed to Gerber 5’s custom one. A ransom note, called GRBR Decryptor, is added and automatically opens with the extortion message.
Distribution Method: Spam Emails, Email Attachments, Executable files
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

Gerber Ransomware 5.0 – Distribution Methods

The primary methods this ransomware virus uses to spread are e-mails that contain fake statements and carry attachments that aim to convince the victim to download an obfuscated payload, the main purpose of which is to infect the victim’s PC silently.

One of those e-mails may appear like the image below:

Besides e-mail, Gerber ransomware may also take advantage of inexperienced users who click quickly, by uploading a file to a compromised website. This virus file may contain an exploit kit which, when downloaded, is triggered and executes the payload of Gerber Ransomware 5.0 on the infected machine. The payload is downloaded onto the victim’s computer and automatically activated, while bypassing conventional antivirus protection.

The main exploit files related to this malware may pretend to be:

  • Software cracks.
  • License activators.
  • Setups.
  • Portable programs.
  • Keygens.
  • Other activation software.

Gerber Ransomware 5.0 – More Information

Once the ransomware has infected your computer, Gerber 5.0 drops its malicious file, called SashaSnider.exe, in the following Windows directory:

→ C:\Users\admin\Desktop\SashaSnider.exe

The file then performs the following suspicious activities on the victim’s computer:

  • Writes to a start menu file.
  • Modifies files directly in Google Chrome’s extensions directory.
  • Performs activities that may be read as data stealing actions.
  • Creates a ransom note file, called GRBR Decryptor.
  • Modifies the Windows Registry.
  • Checks the cookies of Mozilla Firefox.
  • Changes the wallpaper on the victim PC.
  • May hide folders by writing data into the desktop.ini file.

When Gerber Ransomware 5.0 attacks your computer, the following Windows registry sub-keys may be modified:

→ HKEY_CURRENT_USER\Control Panel\Desktop
Name: Wallpaper

→ HKEY_CURRENT_USER\Control Panel\Desktop
Name: TileWallpaper
Value: 0

The virus also performs modifications of hundreds of files on the compromised machine, like reported on’s automated analysis.

Furthermore, the ransomware virus changes the wallpaper of the infected machine and opens the GRBR Decryptor ransom note automatically to notify the victim of what has happened:

Gerber Ransomware 5.0 – Encryption Process

Before Gerber Ransomware 5.0 encrypts the files on a computer it has compromised, the virus may perform several other activities. One of those is to scan the files on the infected machine, while skipping important Windows directories, such as:

  • %Windows%
  • %System32%
  • %Temp%
  • %Local%
  • %AppData%

Once the scan is complete, Gerber Ransomware 5.0 encrypts only files that are important to the user and used very often, such as:

  • Documents.
  • Images.
  • Videos.
  • Pictures.
  • Audio files.
  • Archives.
  • Databases.
  • Virtual Drives.
  • Flash drives.

The encrypted files are given a rather unique file extension that has both uppercase and lowercase letters, for example .MfDaC. Alongside this unique extension, a file suffix, “.gerber5”, is also added at the end of each file. The encrypted files usually look like the following image:

After the encryption of the files has completed, Gerber Ransomware 5.0 makes sure that the user sees the virus’s ransom note all the time.
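
To scope the damage before removal, the naming scheme and artifact names described above can be turned into a read-only inventory. The script below is an added example, not part of the original article or any vendor tool; it assumes the per-file extension consists of letters only (the article gives a single sample, .MfDaC) and matches the ransom note and dropped executable by name prefix.

```python
import os
import re
from collections import Counter

# Assumption: the per-file extension is letters only; the article shows one sample (.MfDaC).
ENCRYPTED = re.compile(r"^(?P<original>.+)\.(?P<rand>[A-Za-z]+)\.gerber5$", re.IGNORECASE)
# Artifact names taken from the article; matching them by prefix is an assumption.
ARTIFACTS = ("sashasnider.exe", "grbr decryptor")


def classify(filename):
    """Return (kind, original_name) for a single file name."""
    lower = filename.lower()
    if lower.startswith(ARTIFACTS):
        return "artifact", None
    if not lower.endswith(".gerber5"):
        return "clean", None
    m = ENCRYPTED.match(filename)
    # The middle extension must mix uppercase and lowercase letters.
    if m and not m["rand"].isupper() and not m["rand"].islower():
        return "encrypted", m["original"]
    return "suffix_only", None  # ends in .gerber5 but lacks the expected middle extension


def scan(root):
    """Walk root without modifying anything; return totals and per-directory hit counts."""
    totals, by_dir = Counter(), Counter()
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            kind, _original = classify(name)
            totals[kind] += 1
            if kind in ("encrypted", "suffix_only"):
                by_dir[dirpath] += 1
    return totals, by_dir


if __name__ == "__main__":
    import sys
    totals, by_dir = scan(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(dict(totals))
    for directory, count in by_dir.most_common(20):
        print(f"{count:6d}  {directory}")
```

Run it against a user profile or a mounted copy of the disk; the per-directory counts show which folders to prioritise when restoring from backup.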

Remove Gerber Ransomware 5.0 and Try Restoring .gerber5 Files

In order to remove Gerber Ransomware 5.0, we would advise you to first back up your data, since it will help you stay safe, just in case.

Then, for the actual removal, we have prepared instructions, which you can try using to remove Gerber Ransomware either manually or automatically. For maximum effectiveness, security professionals always recommend removing Gerber Ransomware 5.0 with the aid of advanced anti-malware software. This may ensure that all of the objects and files created by the ransomware on your computer are detected and removed from it.

In addition to this, if you want to try to recover files encrypted by Gerber Ransomware 5.0, we recommend that you follow the recovery instructions that are underneath this article. They have been created with the main purpose of helping you recover as many .gerber5 files as possible, but bear in mind that these methods are not a 100% guarantee of recovery.

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
