How to remove Cerber Ransomware and decrypt .cerber files

What is Cerber Ransomware?

Cerber ransomware virus was introduced not so long ago, but it already managed to create a lot of trouble to its victims. What is remarkable, the ransomware disregards the systems located in one of the following countries: Azerbaijan, Armenia, Georgia, Belarus, Kyrgyzstan, Kazakhstan, Moldova, Turkmenistan, Tajikistan, Russia, Uzbekistan, Ukraine. If the ransomware ends on a computer with one of these locations, it eliminates itself, otherwise Cerber adds its process on the startup list, so it would remind a user of the threat presence with every reboot. On the background the ransomware will look for and encrypt your files with AES code, after which it will show a generated error message and reboot the machine. In the end users are informed about hijacking of the data and the amount of payment they need to transfer.

Cerber Ransomware

More precisely, Cerber Ransomware offers to install TOR browser and gives an address, where you need to pay 1.25 BitCoins which amounts to about $500 in exchange of a download link to a unique decryptor. Unfortunately, for now there is no free way to retrieve your files, nevertheless we do not encourage you to pay the ransom, as there are no guarantees that cybercriminals will deliver on their promises.

What to do if your PC is infected with Cerber Ransomware

As soon as you notice the presence of the ransomware on your system, you should turn your computer off. If it is possible try to create a backup or image of your hard drive info. This may let you to reserve the state of your drives in case a decryption method would be created afterwards.

How Cerber Ransomware got installed on your computer

The methods of cerber Ransomware spreading are not revealed yet, but it was cleared that the threat is available as a service on a Russian illegal forum, so other cybercriminals can join to spread it for a fee. Among other possible ways there are spam messages, so you shouldn’t open messages that look dubious, and, of course, you shouldn’t download their attachments.

Symptoms of Cerber Ransomware infection

It’s difficult not to notice ransomware, since it often has one of the processes responsible for displaying a notification message. This window blocks the screen leaving the user minimum alternatives. Besides, some files will be inaccessible, as in many cases ransomware encrypts them to exasperate the scaring effect.


How to remove Cerber Ransomware?

To make sure that the adware won’t reappear, you need to delete Cerber Ransomware completely. For this you need to remove the files and registry entries of the ransomware. We should warn you that performing some of the steps may require above-average skills, so if you don’t feel experienced enough, you may apply to automatic removal tool.
Download SpyHunter

Performing an antimalware scan with Norton would automatically search out and delete all elements related to Cerber Ransomware Ransomware. It is not only the easiest way to eliminate Cerber Ransomware Ransomware, but also the safest and the most assuring one.


Steps of Cerber Ransomware manual removal

Restart Windows in Safe Mode

For Windows 7, 8, XP and Vista:

  1. Restart the system
  2. While computer is rebooting press F8 several times
  3. In the appeared list of options choose Safe Mode

For Windows 10:

  1. In the Start menu click on the power button
  2. Hold Shift and choose Restart
  3. Choose Troubleshoot
  4. In the Advanced Options choose Startup Settings
  5. Click Restart
  6. Select Enter Safe Mode With Networking

Delete files and registry entries added by Cerber Ransomware

Now you will be able to reach the needed functions and files. For eliminating the ransomware activity, you need to find all of the following items and delete them.

Remove Cerber Ransomware files and folders:

%AppData%\{2ED2A2FE-872C-D4A0-17AC-E301404F1CBA}\[random].exe

Remove Cerber Ransomware registry entries:

HKCU\Control Panel\Desktop\SCRNSAVE.EXE "%AppData%\{2ED2A2FE-872C-D4A0-17AC-E301404F1CBA}\[random].exe"
HKCU\Software\Microsoft\Command Processor\AutoRun "%AppData%\{2ED2A2FE-872C-D4A0-17AC-E301404F1CBA}\[random].exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run "%AppData%\{2ED2A2FE-872C-D4A0-17AC-E301404F1CBA}\[random].exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\[random] "%AppData%\{2ED2A2FE-872C-D4A0-17AC-E301404F1CBA}\[random].exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\[random] "%AppData%\{2ED2A2FE-872C-D4A0-17AC-E301404F1CBA}\[random].exe"

Restore the files encrypted by Cerber Ransomware

Use the decrypting tool

Unfortunately, currently the tool able to decrypt the files infected by Cerber Ransomware is not released yet. You may try applying to the methods described below, however, they might not work with the latest versions of Cerber virus.

Restore the system

  1. Initiate the search for ‘system restore’
  2. Click on the result
  3. Choose the date before the infection appearance
  4. Follow the on-screen instructions

Roll the files back to the previous version

  1. Right-click the file and choose Properties
  2. Open the Previous Version tab
  3. Select the latest version and click Copy
  4. Click Restore

If the above-mentioned methods didn’t help in eliminating the threat, then it’s better to rely on an automatic way of deleting Cerber ransomware.

Download SpyHunter

We also recommend to download and use Norton to scan the system after %THREAT% removal to make sure that it is completely gone. The antimalware application will detect any vicious components left among system files and registry entries that can recover Cerber ransomware.

Leave a Reply

Your email address will not be published. Required fields are marked *