X3M Cerber Decryptor Virus Restore _x3m _r90j and _locked Files - How to, Technology and PC Security Forum | SensorsTechForum.com

X3M Cerber Decryptor Virus Restore _x3m _r90j and _locked Files

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

This article aims to help you remove X3M Cerber Decryptor ransomware from your computer and restore files, encrypted with _x3m _r9oj or _locked file extensions.

A ransomware virus discovered in the beginning of January has been reported to use AES encryption algorithm to render the files on the computers it infects no longer openable. The virus aims to perform numerous activities on the victim’s computer, amongst which are to leave a ransom note and modify different components of it, to make it run on system startup. Despite that X3M ransomware demands “Cerber Decryptor”, the virus may have nothing to do with the original Cerber ransomware. The malware also demands 700 dollars payment to restore encrypted files, which is highly inadvisable. Instead we advise you to read the following article and learn how to remove X3M Cerber Decryptor virus and try to restore your files.

Threat Summary



Short DescriptionThis virus imitates Cerber Ransomware and encrypts the files with an AES encryption algorithm to demand 700 dollars for decryption.
SymptomsChanged wallpaper to a ransom note. Advertises <> and <>.
Distribution MethodVia an Exploit kit, Dll file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.
Detection Tool See If Your System Has Been Affected by X3M


Malware Removal Tool

User ExperienceJoin our forum to Discuss X3M.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

How X3M Cerber Decryptor Infects

Similar to other ransomware viruses, such as the original Cerber ransomware, this virus uses quite the combination of tools and tricks up it’s sleeve that aim to ensure successful infection. One of those tools is software that ensures open ports on which to spam a given message and hence use it to deliver, extract and upload various shells. Another tool ensures fake database of web mails and e-mail accounts that have been tested before against spam defenses and filters. Furthermore, cyber-criminals may also use a pre-defined web list of victim accounts that are to be spammed. Usually more attractive are enterprise accounts because of the value of information in them. The cyber-criminals also have servers from which they control the infections and numerous pre-written phishing e-mails that make it look like they were send from legitimate services such as:

  • PayPal.
  • FedEx.
  • Newegg.
  • Skype.
  • AliBaba.
  • AliExpress.
  • UPS.
  • DHL.
  • Macys.
  • Apple.
  • Overstock.
  • Skrill.
  • CraigsList.
  • Wallmart.

Those e-mails usually have an e-mail attachment that may either be a JavaScript, HTML Microsoft Office and Adobe documents. The documents may infect when the user clicks on a “Enable Content” button which causes an infection with malicious macros.

X3M Cerber Decryptor Virus – Post-Infection Activity

After the user becomes infected, the infection malware may connect to the server of the cyber-criminals and download different types of executable modules in various Windows key directories, such as:

After the files are downloaded, the X3M Cerber Decryptor ransomware may modify the Run and RunOnce registry entries in Windows to set the location of the malicious file that encrypts data. It will also make sure to modify the registry value of the Wallpaper.

To encrypt files, the X3M Cerber Decryptor threat uses an AES (Advanced Encryption Standard) cipher, which alters bits of those files’ code into symbols from the encryption cipher. After this, the virus may add one of the following file extensions – _x3m, _r9oj, _locked. The encrypted files may appear like the following:

After encryption, researcher at id-ransowmare.blogspot.bg reports that the virus changes the wallpaper with the following note to the victim, in order to make it’s presence known:

Your documents, photos, databases and other important files have been encrypted! To decrypt your files you need to buy the special software – «Cerber decryptor»
Data recovery requires decoder.
To obtain decryptor, please, contact me by email: server-support@india.com
The cost of the decoder: ~700 USD
Payment only Bitcoin.
Your personal identification ID: id-2650322560
Your documents, photos, databases and other important files have been encrypted! To decrypt your files you need to buy the special software – «x3m decryptor»
To obtain decryptor, please, contact me by email: deyscriptors1@india.com
Your personal identification ID:”

There is also a backup e-mail used by one of the variants of this virus in the note and It is server-support@india.com.

Remove X3M Cerber Decryptor Virus and Restore the Files

In conclusion this is a Cerber ransomware copycat, most likely a low-quality one. Nonetheless, in case you have been infected by this virus, there are numerous options for you to do, instead of choosing to pay 700 dollars to the crooks who made it.

First, malware researchers recommend removing X3M Cerber Decryptor immediately from your computer. This will create a safe environment if you want to try and restore the file. For the removal, we suggest to follow the instructions below. In case you lack experience in removing ransomware, experts also advise to use an advanced anti-malware program which will ensure automatic detection and removal of X3M.

After removing the malware, advices are to follow the instructions in step “2.Restore files encrypted by X3M” below. They include multiple methods to restore the files, some of which may damage them , if the virus has a CBC-mode enabled. This is why, we advise you to backup the encrypted files before begging to employ those tools.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share