What is Cerber?
Cerber is a ransomware-type malware that infiltrates systems, encrypting various file types including .jpg, .doc, .raw, .avi, etc. Cerber adds a .cerber (some variants add .cerber2 or .cerber3) extension to each encrypted file. Notice that some variants of this ransomware add random file extensions – for example: “.ba99”, ”.98a0“, “.a37b“, “.a563” etc. Following successful infiltration, Cerber demands a ransom payment to decrypt these files. It is stated that payment of the ransom must fall within the given time frame (seven days), otherwise the ransom amount will double. Some variants of this ransomware disclose their versions – for example: Cerber Ransomware 4.1.5″, “Cerber Ransomware 4.1.6”, “Cerber Ransomware 5.0.0” ( the latest variant demands a ransom of $499) etc.
During encryption, Cerber creates three different files (#DECRYPT MY FILES#.txt, #DECRYPT MY FILES#.html, and #DECRYPT MY FILES#.vbs) containing step-by-step payment instructions (never variants use only one file “_README_.hta“) in each folder containing the encrypted files. The message within these files states that users can only decrypt their files using a decryptor developed by cyber criminals (called ‘Cerber Decryptor’). The #DECRYPT MY FILES#.vbs file contains a VBScript, which when executed, plays the message, “Your documents, databases and other important files have been encrypted!” through the computer speakers. To download the decryptor, a ransom payment of 1.24 BitCoin (at time of research, equivalent to $546.72) is required. If the ransom is not paid within seven days, it doubles to 2.48 BTC. It is also stated that users can only pay using the Tor browser and by following instructions within the indicated website. Unfortunately, at time of research, there were no tools capable of decrypting files affected by Cerber. Therefore, the only solution to this problem is to restore your system from a backup.
After encrypting files, Cerber ransomware changes desktop wallpaper: