The Cerber ransom-spree continues with Cerber 4.1.5. similar to the older 4.X versions, Cerber ransomware uses an extension of four random characters for encrypted files. There are about half a dozen Cerer variants floating around the Internet. The virus demands payment of around one BitCoin for the decryption of locked files. The virus is dangerous, but it can still be removed. You can get rid of Cerber ransomware virus with the help of this article.
Manual Removal Guide
Recover Encrypted Files
Skip all steps and download anti-malware tool that will safely scan and clean your PC.
SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter
Cerber 4.1.5 Ransomware Spam – How Does The Virus Spread?
Email spam is the main method of distribution in the Cerber ransomware family. Cerber 4.1.5 is no exception. The virus is spread through emails containing malicious attachments, most often ZIP files that hide infectious documents.
These documents, often word files will look like official Microsoft manuals. They’ll ask the victim to enable macros which will start the infection. The emails themselves may be masked to look like automated responses from a bot.
Cerber Ransomware Campaign Details
In October 2016 malware researchers uncovered an attack bearing the Cerber 4.1.5 ransomware virus via the RIG Exploit Kit. The attack was of interest to the security experts as it allowed the security researchers to see how infections are made in live attacks. This particular incident was using three separate iterations of the exploit kit:
Rig-v – A customized version of the Rig Exploit Kit with new URL patterns, new landing page obfuscation mechanism and RC4 encoding of the payload. This has been used in the Afraidgate and pseudoDarkleech campaigns so far. Some experts name this as a “VIP” version of the dangerous software.
RIG-E – A variant of the RIG Exploit Kit that uses the old URL patterns and the same payload obfuscation techniques and landing page structure. This is also known as the “Empire Pack”.
RIG Standard – A standard version like RIG-E that uses new URL patterns.
The virus was spread through a compromised web site that distributed the RIG Exploit kit. The campaign featured the following malware hosts:
joellipman.com – Compromised site
109.234.35.232 port 80 – new.vividsydney.live – RIG-v
65.55.50.0 – 65.55.50.31 (65.55.50.0/27) port 6892 – UDP traffic caused by Cerber
192.42.118.0 – 192.42.118.31 (192.42.118.0/27)port 6892 – UDP traffic caused by Cerber
194.165.16.0 – 194.165.19.255 (194.165.16.0/22) port 6892 – UDP traffic caused by Cerber
104.238.215.11 port 80 – lfdachijzuwx4bc4.p7k7t4.top – HTTP traffic caused by Cerber
In the end of May 2017 hackers behind the nasty Cerber ransomware virus started to employ new complex attack method. An executable file distributed via a massive malvertising operation named RoughTed infects hosts with Cerber ransomware virus infection. The operation is reported to be extremely severe as it employs various attack techniques and targets users’ browsers and operating systems. Furthermore, threat actors are leveraging fingerprinting and ad-blocker bypassing techniques. It is Magnitude exploit kit that is used to drop a Cerber payload. Once the malicious executable file detected as b.exe lands on the system, it sends a request for a connection with predefined URL address. In response, another payload is downloaded. It exploits the vulnerability CVE-2015-2426 that could be used for a Windows local privilege escalation and remote control over the affected system.
Protection against Cerber ransomware virus
You can protect your system from the Cerber ransomware family by following these simple guidelines:
Can I Remove Cerber Ransomware Virus?
The removal of Cerber 4.1.5 can be somewhat tricky for the average user. It requires tempering with the Windows’s settings and processes. This can be dangerous, as Cerber ransomware is very dangerous virus. A small mistake can lead to loss of encrypted data. That’s why it’s better to leave the deletion process to a professionally developed anti-malware tool which can remove the virus. Additionally, the anti-malware tool will protect your PC from malware threats in the future.
Remove Cerber Ransomware Virus and Restore Data
WARNING! Manual removal of Cerber ransomware virus requires being familiar with system files and registries. Removing important data accidentally can lead to permanent system damage. If you don’t feel comfortable with manual instructions, download a powerful anti-malware tool that will scan your system for malware and clean it safely for you.
SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter
Cerber Ransomware Virus – Manual Removal Steps
Start the PC in Safe Mode with Network
This will isolate all files and objects created by the ransomware so they will be removed efficiently. The steps bellow are applicable to all Windows versions.
1. Hit the WIN Key + R
2. A Run window will appear. In it, write msconfig and then press Enter
3. A Configuration box shall appear. In it Choose the tab named Boot
4. Mark Safe Boot option and then go to Network under it to tick it too
5. Apply -> OK
Show Hidden Files
Some ransomware threats are designed to hide their malicious files in the Windows so all files stored on the system should be visible.
1. Open My Computer/This PC
2. Windows 7
- – Click on Organize button
– Select Folder and search options
– Select the View tab
– Go under Hidden files and folders and mark Show hidden files and folders option
3. Windows 8/ 10
- – Open View tab
– Mark Hidden items option
4. Click Apply and then OK button
Enter Windows Task Manager and Stop Malicious Processes
1. Hit the following key combination: CTRL+SHIFT+ESC
2. Get over to Processes
3. When you find suspicious process right click on it and select Open File Location
4. Go back to Task Manager and end the malicious process. Right click on it again and choose End Process
5. Next, you should go folder where the malicious file is located and delete it
Repair Windows Registry
1. Again type simultaneously the WIN Key + R key combination
2. In the box, write regedit and hit Enter
3. Type the CTRL+ F and then write the malicious name in the search type field to locate the malicious executable
4. In case you have discovered registry keys and values related to the name, you should delete them, but be careful not to delete legitimate keys
Click for more information about Windows Registry and further repair help
Recover Encrypted Files
WARNING! All files and objects associated with Cerber ransomware virus should be removed from the infected PC before any data recovery attempts. Otherwise the virus may encrypt restored files. Furthermore, a backup of all encrypted files stored on external media is highly recommendable.
DOWNLOAD Cerber Removal ToolSpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter
1. Use present backups
2. Use professional data recovery software
Stellar Phoenix Data Recovery – a specialist tool that can restore partitions, data, documents, photos, and 300 more file types lost during various types of incidents and corruption.
3. Using System Restore Point
- – Hit WIN Key
– Select “Open System Restore” and follow the steps
4. Restore your personal files using File History
- – Hit WIN Key
– Type restore your files in the search box
– Select Restore your files with File History
– Choose a folder or type the name of the file in the search bar
– Hit the “Restore” button
