Remove Red CERBER Ransomware (Update August 2017)

Remove Red CERBER Ransomware’s 2017 Update

This article looks into the 2017 CERBER ransomware update, shows you how to remove it from your computer, and explains how to try to get encrypted files back.

The notorious CERBER ransomware has just received its first major update of 2017 and now uses “_HELP_DECRYPT_{RANDOM}.hta” in addition to the older “_{RANDOM}_README_.hta” file. Even though the new version does not show it at first glance, the update is incremental: the virus has changed the way it spreads as well as some elements of its post-infection activity. Keep reading to learn what the new variant of the virus has in store for this year's victims.

Threat Summary

Name: CERBER
Type: Ransomware virus
Short description: This Cerber ransomware variant encrypts files with RSA-512 and the RC4 encryption algorithm, appends four randomly generated A-Z/0-9 characters (e.g. .z33f) as the extension of each encrypted file, and demands a ransom payment for decryption.
Symptoms: Files are enciphered and become inaccessible to any software. A ransom note with payment instructions appears as a _{random}_README_.hta, _HELP_DECRYPT_{RANDOM}.hta or _HELP_HELP_HELP_{RANDOM}.hta file. An audio message is also played after encryption.
Distribution method: Spam e-mails, e-mail attachments, file-sharing networks, malicious executables on torrent trackers.
Detection tool: See if your system has been affected by CERBER (malware removal tool download).
User experience: Join our forum to discuss Cerber ransomware.
Data recovery tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files; it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

2017 CERBER Ransomware – Update August 2017

On the 2nd of August, a new malware-spreading campaign was discovered, this one involving the Magnitude Exploit Kit. The EK delivers this Red variant of Cerber ransomware by first extracting a payload file. Magnitude EK exploits a vulnerability in Flash and then uses port 80 to communicate with the URLs and domains associated with the malware.

Update March 2017 – Red CERBER ransomware is now in a new variant. It uses _READ_THIS_FILE_{random}.hta, .jpg and .txt files. Read more about the latest CERBER virus here: Red CERBER 2017 Virus (_READ_THIS_FILE_ Update) – Restore Files

CERBER's operators keep spreading this variant across the world with minimal changes. As of June 2017 the ransom note is named “_R_E_A_D___T_H_I_S_[random]_.txt” and its first line reads “Hi, I’am CERBER RANSOMWARE 🙂“. The wallpaper retains the red coloring and style of the original Red CERBER. Files are encrypted with random extensions, and their original names are replaced with random symbols as well. Other than that, no other changes seem to have been implemented, and the encryption remains as strong as ever.
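The file-name indicators described above (the ransom-note names from the Threat Summary and the March and June updates, plus the four-character random extensions) can be turned into a triage check a responder runs over a directory listing. The following Python helper is an added example, not code from the original article; the regular expressions, the benign-extension allowlist, the cluster threshold and the sample listing are constructed assumptions.

```python
import re
from typing import Iterable

# Ransom-note names quoted in the article; {RANDOM} is assumed to be letters and digits.
NOTE_PATTERNS = [
    re.compile(r"^_[a-z0-9]+_README_\.hta$", re.I),
    re.compile(r"^_HELP_DECRYPT_[a-z0-9]+\.hta$", re.I),
    re.compile(r"^_HELP_HELP_HELP_[a-z0-9]+\.hta$", re.I),
    re.compile(r"^_READ_THIS_FILE_[a-z0-9]+\.(hta|jpg|txt)$", re.I),
    re.compile(r"^_R_E_A_D___T_H_I_S_[a-z0-9_]*\.(txt|jpg|hta)$", re.I),
]
# Encrypted files: renamed body plus a four-character A-Z/0-9 extension (.z33f, .8eee ...).
ENCRYPTED_RE = re.compile(r"^[A-Za-z0-9_-]+\.([A-Za-z0-9]{4})$")
# Legitimate four-character extensions that must not count as evidence (constructed allowlist).
BENIGN_4CHAR = {"docx", "xlsx", "pptx", "jpeg", "html", "json", "yaml", "toml", "webp", "heic"}
# Minimum number of suspect files needed before flagging a directory that has no note.
CLUSTER_MIN = 5


def classify(filenames: Iterable[str]) -> dict:
    """Return matched ransom notes, suspect encrypted files and an overall verdict."""
    notes, encrypted = [], []
    for name in filenames:
        if any(p.match(name) for p in NOTE_PATTERNS):
            notes.append(name)
            continue
        m = ENCRYPTED_RE.match(name)
        if m and m.group(1).lower() not in BENIGN_4CHAR:
            encrypted.append(name)
    # A ransom note is decisive on its own; without one, require a cluster of suspect
    # files so that a single odd extension does not raise an alert.
    if notes:
        verdict = "cerber-note-present"
    elif len(encrypted) >= CLUSTER_MIN:
        verdict = "possible-encryption-no-note"
    else:
        verdict = "clean"
    return {"notes": notes, "encrypted": encrypted, "verdict": verdict}


# Constructed directory listing (not a real capture) mixing benign files with Cerber artifacts.
SAMPLE_LISTING = [
    "report.docx", "budget.xlsx", "photo.jpeg",
    "xK9f2Lq0aB.z33f", "p3Qz81mnVw.z33f", "Bv7nM2kLs1.8eee",
    "_HELP_DECRYPT_9X2AB.hta", "_R_E_A_D___T_H_I_S_7F3K2_.txt",
]

if __name__ == "__main__":
    print(classify(SAMPLE_LISTING))
```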

2017 CERBER Ransomware’s Distribution

To spread the new CERBER variant widely, the virus uses a powerful combination of the:

  • Nemucod downloader.
  • RIG-V exploit kit.

To successfully infect users with the payload, the distribution strategy for the malicious file has also changed. CERBER has now been detected in a .js dropper: a malicious JavaScript file disguised as a document with a random name, for example:

  • DOC442392930-PDF_23ruf39.js

The file may arrive in a .zip or .rar archive, accompanied by an e-mail message crafted to convince the unsuspecting user to open it. One example spotted in association with CERBER ransomware is a malicious e-mail sent to a victim.

After the user opens the malicious attachment, CERBER gets down to business and downloads one of the following malicious files (file name with hash), as detected by the infosec community:

  • 1.exe with 3e4798c2b808b7dbad7f80b397dc97df
  • 124.exe with 9c73dfc02bf01fc1da8efc349d23646b
  • read.php?f=0.dat with d958463bf73128114b59c3f9a65bfc19
  • 4DUi5.exe with 794a556c1a98f70673a5ba3ed791382f
  • user.php?f=1.dat with 8abc023a9ebb7188881fabb747b4f68d
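The delivery stage described above, as an added example that is not code from the article or from the malware: a Python check that flags script attachments with document-like decoy names inside a zip archive and compares each member's hash against the payload hashes listed. The decoy-name pattern, the script-extension set and the sample archive are constructed assumptions.

```python
import hashlib
import io
import posixpath
import re
import zipfile

# Second-stage payload hashes listed in the article, keyed by the 32-hex digest (MD5 length).
KNOWN_PAYLOADS = {
    "3e4798c2b808b7dbad7f80b397dc97df": "1.exe",
    "9c73dfc02bf01fc1da8efc349d23646b": "124.exe",
    "d958463bf73128114b59c3f9a65bfc19": "read.php?f=0.dat",
    "794a556c1a98f70673a5ba3ed791382f": "4DUi5.exe",
    "8abc023a9ebb7188881fabb747b4f68d": "user.php?f=1.dat",
}
# Script types that Windows Script Host or mshta will run straight from a mail attachment.
SCRIPT_EXTS = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta"}
# Document-looking stem before a script extension, after the article's DOC442392930-PDF_23ruf39.js example (constructed).
DECOY_STEM = re.compile(r"(doc|pdf|xls|invoice|scan)", re.I)

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def inspect_zip(archive: bytes) -> list:
    """Return one finding per archive member that looks like a CERBER-style dropper."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            stem, ext = posixpath.splitext(posixpath.basename(info.filename))
            digest = md5_hex(zf.read(info))
            reasons = []
            if ext.lower() in SCRIPT_EXTS:
                reasons.append("script-attachment")
                if DECOY_STEM.search(stem):
                    reasons.append("document-decoy-name")
            if digest in KNOWN_PAYLOADS:
                reasons.append("known-cerber-payload:" + KNOWN_PAYLOADS[digest])
            if reasons:
                findings.append({"member": info.filename, "md5": digest, "reasons": reasons})
    return findings

def build_sample_zip() -> bytes:
    """Constructed test archive: one benign text file and one decoy-named .js member (inert body)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "quarterly figures attached\n")
        zf.writestr("DOC442392930-PDF_23ruf39.js", "// inert placeholder body\n")
    return buf.getvalue()
```

The same hash lookup applies to files found on disk after infection: hash the file and check the digest against KNOWN_PAYLOADS.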

After those files have been downloaded onto the user’s computer, the ransomware begins preparing to encrypt files. To do this, the virus performs a series of activities:

  • Drops files that resemble clean files.
  • Reads the trust settings on Windows.
  • Scans for names and processes and creates new processes.
  • Drops multiple files (one of each – .bmp, .js, .jpg, .hta, .svg, .dll, .tmp files)
  • Modifies wscript.exe in order to modify files in %System32% and %Microsoft Directories%. Among the modified files are rsaenh.dll, WScript.exe, WScript.exe.mui, sortdefault.nls, wshom.ocx, stdole2.tlb, KERNELBASE.dll.mui and msxml3.dll.

Interestingly enough, this CERBER update does not delete the shadow volume copies on the infected computer, so if you have File History set up, you can use the shadow volume copy method from the instructions below to restore your files.

After the files are encrypted, the situation is much the same as with the previously updated Red CERBER ransomware variant.

The virus drops the very same ransom note it usually uses.

It also drops its original .hta file, which carries the same message; no changes there.

2017 CERBER Ransomware – The Bottom Line and How to Remove

In conclusion, CERBER has become slightly less dangerous, since it no longer deletes shadow volume copies, but the virus has been configured to infect even more users by using the harder-to-detect Nemucod downloader and the latest RIG-V exploit kit. On top of that, CERBER ransomware still uses the same strong encryption combination. Not paying the ransom and removing the virus is still the advisable course.

If you want to remove CERBER ransomware completely without paying the ransom to cyber-criminals, please see the removal tutorial below. It is designed to help you scan for and delete the virus fully, and it offers several file restoration alternatives that might recover files encrypted by this virus.

Manually delete CERBER from your computer

Note! Important notice about the CERBER threat: manual removal of CERBER requires interfering with system files and registry entries, so it can damage your PC. Even if your computer skills are not at a professional level, don’t worry: you can do the removal yourself in about 5 minutes using a malware removal tool.

1. Boot your PC in Safe Mode to isolate and remove CERBER files and objects
2. Find malicious files created by CERBER on your PC

Automatically remove CERBER by downloading an advanced anti-malware program

1. Remove CERBER with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by CERBER

Update July 2017 – Red CERBER ransomware is now in a new variant, calling itself CRBR ENCRYPTOR. It uses “_R_E_A_D___T_H_I_S___{RANDOM}_” .jpg and .txt files. Read more about the latest CERBER virus here: CRBR ENCRYPTOR Ransomware Virus – Remove and Restore Files

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.


3 Comments

  1. vikas jain

    Hi,

    How can I recover my cerber 3 infected files. Need guidance.

    1. SensorsTechForum

      Hello vikas,

      Unfortunately, there is no official decrypter for this version of Cerber. The only version of the ransomware that can be decrypted is the original one. Instructions here: http://sensorstechforum.com/decrypt-encrypted-files-cerber-ransomware/

      As for your files, you can try and restore them with the help of data recovery software.

      1. Danilo

        Infected by Red Cerber.
        File extensions changed to .8eee.
        Any news on decryption?
        Thanks,
        Danilo

