Hey you,

35,000 ransomware infections per month and you still believe you are protected?

Sign up to receive:

  • alerts
  • news
  • free how-to-remove guides

of the newest online threats - directly to your inbox:

Updated Cerber Ransomware _README_{RAND}_.hta Remove and Restore Encrypted Files

cerber-ransomware-_readme_-hta-sensorstechforum-attention-encryption-2016The 1st of December marked the beginning of a new Cerber ransomware virus with several interesting changes. The ransomware again wants it’s victims to pay a hefty sum of 499$ to get back the files, which are encrypted via RSA-512 cipher in a RC4 encryption method. Cerber also goes back to it’s roots adding the old sound message, and adds a red ransom note accompanied by a sound message, just like the first version of Cerber did. In case you have been infected by this variant of the ransomware virus, we advise you read the following article to familiarize yourself with the virus, remove it and try to decrypt your files.

Threat Summary

NameCerber _README_{RAND}_.hta
TypeRansomware Virus
Short DescriptionThis Cerber _README_.hta ransomware variant encrypts files with the RSA-512 cipher and an RC4 encryption algorithm adding four randomly generated A-Z 0-9 characters(ex. .z33f) as a file extension to the encrypted files and asks a ransom payoff for decryption.
SymptomsFiles are enciphered and become inaccessible by any type of software. A ransom note with instructions for paying the ransom shows as a “_README_{random}.hta” file. Also adds the following audio message after encryption:
Distribution MethodSpam Emails, Email Attachments, File Sharing Networks, Malicious Executable in Torrent Trackers.
Detection Tool See If Your System Has Been Affected by Cerber _README_{RAND}_.hta


Malware Removal Tool

User ExperienceJoin our forum to Discuss Cerber Ransomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Cerber _README_.hta December 2016 Variant – What Is New

Unlike the previous versions of Cerber which are with 3 digit versions (5.0.0, 5.0.1, 4.1.6, etc.), this version has a red wallpaper which it changes after the encryption and does not have a version, very similar to the first Cerber ransomware virus, which is also decryptable. The wallpaper it sets has the same message and leads to the very same Cerber Decryptor web page, asking 499$ but looks like the following:


This virus also uses the very same tactics the modern Cerber version use. It attacks computers via a phishing e-mail which aims to infect via an e-mail attachment, like the following example:

“Topic: Suspicious Bank Account Activity
Hello, we at your bank have been informed of a suspicious financial activity on your bank account. Please review the Document Number 3882-124442 from {date} for more information.
Best Regards
{Bank manager fake name}
{copied phone number}
{copied address of a bank office}”

What is new regarding how Cerber _README_.hta spreads are that it also takes advantage of the Tor network as well as Google to spread a malicious script that infects via a corrupt svchost32.exe fake process. This redirect via the Tor network proxies means that it is with higher difficulty to identify the infection hosts associated with the Cerber _README_.hta crypto virus.

Cerber _README_.hta – Activity After Infection

After infecting the user, not a lot is changed. Cerber ransomware begins to shut down the following system processes if they are active on the compromised computer:

→ bootsect.bak

But the malware does not stop there. The Cerber _README_.hta version also goes through a lot of troubles to shut down significant database processes to allow it to uninterruptedly encrypt databases:

→ msftesql.exe

If those processes are active, they will stop the virus from encrypting the databases, and this is the main reason they are shutdown in a force mode.

Regarding the file encryption, the Cerber _README_.hta iteration is focused on attacking even wider database of file extensions. Here are the file types that surely be encrypted on your computer if you have them there and become infected by this iteration:

→ ” .123″, ” .1cd”, “.3dm”, “.3ds”, “.3fr”, “.3g2”, “.3gp”, “.3pr”, “.602”, “.7z”, “.7zip”, “.aac”, “.ab4”, “.abd”, “.acc”, “.accdb”, “.accde”, “.accdr”, “.accdt”, “.ach”, “.acr”, “.act”, “.adb”, “.adp”, “.ads”, “.aes”, “.agdl”, “.ai”, “.aiff”, “.ait”, “.al”, “.aoi”, “.apj”, “.apk”, “.arc”, “.arw”, “.ascx”, “.asf”, “.asm”, “.asp”, “.aspx”, “.asset”, “.asx”, “.atb”, “.avi”, “.awg”, “.back”, “.backup”, “.backupdb”, “.bak”, “.bank”, “.bat”, “.bay”, “.bdb”, “.bgt”, “.bik”, “.bin”, “.bkp”, “.blend”, “.bmp”, “.bpw”, “.brd”, “.bsa”, “.bz2”, “.c”, “.cash”, “.cdb”, “.cdf”, “.cdr”, “.cdr3”, “.cdr4”, “.cdr5”, “.cdr6”, “.cdrw”, “.cdx”, “.ce1”, “.ce2”, “.cer”, “.cfg”, “.cfn”, “.cgm”, “.cib”, “.class”, “.cls”, “.cmd”, “.cmt”, “.config”, “.contact”, “.cpi”, “.cpp”, “.cr2”, “.craw”, “.crt”, “.crw”, “.cry”, “.cs”, “.csh”, “.csl”, “.csr”, “.css”, “.csv”, “.d3dbsp”, “.dac”, “.das”, “.dat”, “.db”, “.db3”, “.db_journal”, “.dbf”, “.dbx”, “.dc2”, “.dch”, “.dcr”, “.dcs”, “.ddd”, “.ddoc”, “.ddrw”, “.dds”, “.def”, “.der”, “.des”, “.design”, “.dgc”, “.dgn”, “.dif”, “.dip”, “.dit”, “.djv”, “.djvu”, “.dng”, “.doc”, “.docb”, “.docm”, “.docx”, “.dot”, “.dotm”, “.dotx”, “.drf”, “.drw”, “.dtd”, “.dwg”, “.dxb”, “.dxf”, “.dxg”, “.edb”, “.eml”, “.eps”, “.erbsql”, “.erf”, “.exf”, “.fdb”, “.ffd”, “.fff”, “.fh”, “.fhd”, “.fla”, “.flac”, “.flb”, “.flf”, “.flv”, “.forge”, “.fpx”, “.frm”, “.fxg”, “.gbr”, “.gho”, “.gif”, “.gpg”, “.gray”, “.grey”, “.groups”, “.gry”, “.gz”, “.h”, “.hbk”, “.hdd”, “.hpp”, “.html”, “.hwp”, “.ibank”, “.ibd”, “.ibz”, “.idx”, “.iif”, “.iiq”, “.incpas”, “.indd”, “.info”, “.info_”, “.iwi”, “.jar”, “.java”, “.jnt”, “.jpe”, “.jpeg”, “.jpg”, “.js”, “.json”, “.k2p”, “.kc2”, “.kdbx”, “.kdc”, “.key”, “.kpdx”, “.kwm”, “.laccdb”, “.lay”, “.lay6”, “.lbf”, “.lck”, “.ldf”, “.lit”, “.litemod”, “.litesql”, “.lock”, “.ltx”, “.lua”, “.m”, “.m2ts”, “.m3u”, “.m4a”, “.m4p”, “.m4u”, “.m4v”, “.ma”, “.mab”, “.map “.max”, “.mbx”, “.md”, “.mdb”, “.mdc”, “.mdf”, “.mef”, “.mfw”, “.mid”, “.mkv”, “.mlb”, “.mml”, “.mmw”, “.mny”, “.money”, “.moneywell”, “.mos”, “.mov”, “.mp3”, “.mp4”, “.mpeg”, “.mpg”, “.mrw”, “.ms11”, “.msf”, “.msg”, “.mts”, “.myd”, “.myi”, “.nd”, “.ndd”, “.ndf”, “.nef”, “.nk2”, “.nop”, “.nrw”, “.ns2”, “.ns3”, “.ns4”, “.nsd”, “.nsf”, “.nsg”, “.nsh”, “.nvram”, “.nwb”, “.nx2”, “.nxl”, “.nyf”, “.oab”, “.obj”, “.odb”, “.odc”, “.odf”, “.odg”, “.odm”, “.odp”, “.ods”, “.odt”, “.ogg”, “.oil”, “.omg”, “.one”, “.onenotec2”, “.orf”, “.ost”, “.otg”, “.oth”, “.otp”, “.ots”, “.ott”, “.p12”, “.p7b”, “.p7c”, “.pab”, “.pages”, “.paq”, “.pas”, “.pat”, “.pbf”, “.pcd”, “.pct”, “.pdb”, “.pdd”, “.pdf”, “.pef”, “.pem”, “.pfx”, “.php”, “.pif”, “.pl”, “.plc”, “.plus_muhd”, “.pm”, “.pm!”, “.pmi”, “.pmj”, “.pml”, “.pmm”, “.pmo”, “.pmr”, “.pnc”, “.pnd”, “.png”, “.pnx”, “.pot”, “.potm”, “.potx”, “.ppam”, “.pps”, “.ppsm”, “.ppsx”, “.ppt”, “.pptm”, “.pptx”, “.prf”, “.private”, “.ps”, “.psafe3”, “.psd”, “.pspimage”, “.pst”, “.ptx”, “.pub”, “.pwm”, “.py”, “.qba”, “.qbb”, “.qbm”, “.qbr”, “.qbw”, “.qbx”, “.qby”, “.qcow”, “.qcow2”, “.qed”, “.qtb”, “.r3d”, “.raf”, “.rar”, “.rat”, “.raw”, “.rb”, “.rdb”, “.re4”, “.rm”, “.rtf”, “.rvt”, “.rw2”, “.rwl”, “.rwz”, “.s3db”, “.safe”, “.sas7bdat”, “.sav”, “.save”, “.say”, “.sch”, “.sd0”, “.sda”, “.sdb”, “.sdf”, “.secret”, “.sh”, “.sldm”, “.sldx”, “.slk”, “.slm”, “.sql”, “.sqlite”, “.sqlite-shm”, “.sqlite-wal”, “.sqlite3”, “.sqlitedb”, “.sr2”, “.srb”, “.srf”, “.srs”, “.srt”, “.srw”, “.st4”, “.st5”, “.st6”, “.st7”, “.st8”, “.stc”, “.std”, “.sti”, “.stl”, “.stm”, “.stw”, “.stx”, “.svg”, “.swf”, “.sxc”, “.sxd”, “.sxg”, “.sxi”, “.sxm”, “.sxw”, “.tar”, “.tax”, “.tbb”, “.tbk”, “.tbn”, “.tex”, “.tga”, “.tgz”, “.thm”, “.tif”, “.tiff”, “.tlg”, “.tlx”, “.txt”, “.uop”, “.uot”, “.upk”, “.usr”, “.vb”, “.vbox”, “.vbs”, “.vdi”, “.vhd”, “.vhdx”, “.vmdk”, “.vmsd”, “.vmx”, “.vmxf”, “.vob”, “.vpd”, “.vsd”, “.wab”, “.wad”, “.wallet”, “.war”, “.wav”, “.wb2”, “.wk1”, “.wks”, “.wma”, “.wmf”, “.wmv”, “.wpd”, “.wps”, “.x11”, “.x3f”, “.xis”, “.xla”, “.xlam”, “.xlc”, “.xlk”, “.xlm”, “.xlr”, “.xls”, “.xlsb”, “.xlsm”, “.xlsx”, “.xlt”, “.xltm”, “.xltx”, “.xlw”, “.xml”, “.xps”, “.xxx”, “.ycbcra” “.yuv”, “.zip”

To encrypt those files the _README_.hta version of Cerber uses 5 blocks of code in the files which are encrypted, not the whole files. Those blocks are encrypted via the RC4 encryption method which generates a unique key the size of 256 bits. In addition to this, the ransomware also uses the cipher RSA (Rivest Shamir Adleman) algorithm with a strength of 512 bit to further increase encryption of the files. This encryption then generates a unique RSA key which may either be stored on the victim’s computer or be sent via POST traffic via port 6482 on the TCP and UDP protocols to IP addresses,, So far, it has not been established whether or not the sent information is encrypted, but this is likely the case.

Similar to other versions of Cerber, this one may also change the names of the encrypted files and render them useless. The files may appear like the following and completely non-recognizable:


After the encryption process is complete, Cerber changes the wallpaper to the new one and in addition to this adds a _README_.hta type of file with 4 random digits, similar to a unique ID for this specific infection. The file may look like the following:


Both the wallpaper and the _README_.hta file have a unique web-link which is Tor-based and focused on leading the victim to the genuine Cerber web page, demanding the user to pay approximately 500 dollars and giving a deadline with a countdown timer:


Cerber _README_.hta is also very careful when it comes to encrypting folder. The ransomware goes as far as whitelisting folders which it does not encrypt to keep the operating system in a working state:

→ \\documents and settings\\all users\\documents\\
\\microsoft sql server\\
\\the bat!\\

December 2016 Cerber Ransomware – Conclusion, Removal and File Restoration Tips

In case you happen to become an unfortunate victim of this iteration of Cerber ransomware, recommendations are not to focus on paying the ransom. This is not a guarantee your files will be gotten back to you, and furthermore, you support criminal entities in developing Cerber _README_.hta further as well as infecting more users. Instead, we advise following the below-mentioned instructions to remove the virus. In case you are having trouble in manually removing Cerber from your computer, advices are to do it automatically with an advanced anti-malware program which will take care of this threat for you swiftly and remove all of its objects created in various Windows folders and Windows Registry Edior as well.

After removing Cerber _README_.hta, we urge you to immediately create several copies of all the encrypted files that are important for you. Then, you can use one of those copies to try the traditional Cerber decryption instructions from this web link.

They are not for this version of Cerber and may not work, but you are welcome to attempt them and the alternative file restoration methods from step “2. Restore Files Encrypted by Cerber _README_.hta” below. They are also not 100% to succeed, but with the “Deep Scan” features of one of them, there is a chance you will restore some of your files if you haven’t reformatted your hard drive.

Manually delete Cerber _README_{RAND}_.hta from your computer

Note! Substantial notification about the Cerber _README_{RAND}_.hta threat: Manual removal of Cerber _README_{RAND}_.hta requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Cerber _README_{RAND}_.hta files and objects
2.Find malicious files created by Cerber _README_{RAND}_.hta on your PC

Automatically remove Cerber _README_{RAND}_.hta by downloading an advanced anti-malware program

1. Remove Cerber _README_{RAND}_.hta with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by Cerber _README_{RAND}_.hta

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

More Posts - Website

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.