The Cerber ransomware is distributed via spam email containing infected attachments or links to malicious websites. Cyber-criminals spam out an email, with forged header information, tricking you into believing that it is from a shipping company like DHL or FedEx. The email tells you that they tried to deliver a package to you, but failed for some reason. Sometimes the emails claim to be notifications of a shipment you have made. Either way, you can’t resist being curious as to what the email is referring to – and open the attached file (or click on a link embedded inside the email). And with that, your computer is infected with the Cerber virus.
The Cerber ransomware targets all versions of Windows including Windows XP, Windows Vista, Windows 7, Windows 8 and Windows 10. This infection is notable due to how it encrypts the user’s files – namely, it uses AES-265 and RSA encryption method – in order to ensure that the affected user has no choice but to purchase the private key.
When the Cerber ransomware is first installed on your computer it will create a random named executable in the %AppData% or %LocalAppData% folder. This executable will be launched and begin to scan all the drive letters on your computer for data files to encrypt.
Cerber ransomware searches for files with certain file extensions to encrypt. The files it encrypts include important productivity documents and files such as .doc, .docx, .xls, .pdf, among others. When these files are detected, this infection will change the extension to .Cerber, so they are no longer able to be opened.
Files targeted are those commonly found on most PCs today; a list of file extensions for targeted files include:
.sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt
How can identify Ransomware infected in PC /LAPTOP / SERVER
Below is a list of ransom note files.
- _HELP_instructions.html
- _how_recover.txt
- _Locky_recover_instructions.txt
- About_Files.txt
- Coin.Locker.txt _secret_code.txt
- DECRYPT_INSTRUCTION.TXT
- de_crypt_readme.bmp
- de_crypt_readme.txt
- de_crypt_readme.html
- DECRYPT_ReadMe.TXT
- DecryptAllFiles.txt
- DECRYPT_INSTRUCTIONS.TXT
- DecryptAllFiles.txt
- encryptor_raas_readme_liesmich.txt
- FILESAREGONE.TXT
- help_decrypt_your_files.html
- HELP_TO_SAVE_FILES.txt
- Help_Decrypt.txt
- HELP_RECOVER_FILES.txt
- help_recover_instructions+[randoms].txt
- HELP_RESTORE_FILES.txt
- HELP_TO_DECRYPT_YOUR_FILES.txt
- HELP_TO_SAVE_FILES.txt
- HELP_YOUR_FILES.TXT
- HELLOTHERE.TXT
- HELPDECRYPT.TXT
- howto_recover_file.txt
- Howto_Restore_FILES.TXT
- HowtoRestore_FILES.txt
- IAMREADYTOPAY.TXT
- IHAVEYOURSECRET.KEY
- SECRET.KEY
- SECRETIDHERE.KEY
- YOUR_FILES.HTML
- YOUR_FILES.url
This is a partial list of files, and it may not be completely up to date. If you believe that you have a ransomware-infected file, do not open it. Call us or send us an email to discuss your next steps toward safe recovery.
Do not rename original file . please keep as it is original so we can decrypt all your important files
Once your files are encrypted, the Cerber ransomware will create the #DECRYPT MY FILES#.txt text files ransom note in each folder that a file has been encrypted and on the Windows desktop. The ransomware will also change your Windows desktop wallpaper to #DECRYPT MY FILES#.png.
These files are located in every folder that a file was encrypted as well as in the user’s Startup folder so that they are automatically displayed when a user logs in. These files will contain the informations on how to access the payment site and get your files back.
When the infection has finished scanning your computer it will also delete all of the Shadow Volume Copies that are on the affected computer. It does this so that you cannot use the shadow volume copies to restore your encrypted files.
If your computer is infected with the Cerber ransomware will display a red #DECRYPT MY FILES#.png wallpaper that covers the entire desktop, and all your documents will have a .Cerber extension. A #DECRYPT MY FILES#.txt text file will be placed on your desktop. Both files contain instruction on how or recover the encrypted files.
The messages displayed by this ransomware infection can be localized depending on the user’s location, with text written in the appropriate language.
This the message that the Cerber ransomware may display:
Cerber
Your documents, photos, databases and other important files have been encrypted!
To decrypt your files follow the instructions:
—————————————————————————————
1. Download and install the “Tor Browser”; from https://www.torproject.org/
2. Run it
3. In the “Tor Browser”; open website:
http://decrypttozxybarc.onion/[removed]
4. Follow the instructions at this website
Cerber is notable due to how it encrypts the user’s files – namely, it uses AES-265 and RSA encryption method – in order to ensure that the affected user has no choice but to purchase the private key. The RSA public key can only be decrypted with its corresponding private key. Since the AES key is hidden using RSA encryption and the RSA private key is not available, decrypting the files is not feasible as of this writing.
Brute forcing the decryption key is not realistic due to the length of time required to break an AES encryption key.
So unfortunately, once the Cerber encryption of the data is complete, decryption is not feasible without paying the ransom on Decryption Service site.
Because the needed private key to unlock the encrypted file is only available through the cyber criminals, victims may be tempted to purchase it and pay the exorbitant fee. However, doing so may encourage these bad guys to continue and even expand their operations. We strongly suggest that you do not send any money to these cyber criminals, and instead address to the law enforcement agency in your country to report this attack.
