Ransomware: Cerber


Below are several articles on the Cerber ransomware, quoted from various sources; hopefully they help anyone affected by this ransomware:

 

  • vaksin.com | Cerber 3: a marketing-aware ransomware
  • bleepingcomputer.com | Cerber Ransomware switches to a Random Extension and Ends Database Processes
  • pcrisk.com | Cerber ransomware removal instructions
  • bleepingcomputer.com | Cerber Ransomware switches to .CERBER3 Extension for Encrypted Files
  • bugsfighter.com | How to remove Cerber3 ransomware and decrypt .cerber3 files
  • keonesoftware | Cerber3 ransomware removal: how to decrypt .cerber3 virus files
  • malwarefixes.com |  Remove Cerber3 Ransomware and Decrypt Files
  • bleepingcomputer.com | Check Point releases working Decryptor for the Cerber Ransomware

# Alfons Tanujaya | vaksin.com | 5 October 2016

Cerber 3: a marketing-aware ransomware

Cerber, or Cerberus, is a creature from ancient Greek mythology, depicted as a three-headed dog with a venomous serpent's tail whose job is to guard the gates of the underworld ruled by Hades and inhabited by the souls consigned there. Perhaps the authors of the Cerber ransomware wanted to represent themselves with Cerberus's ferocity, so that their victims would bend the knee and pay the ransom demanded. But Cerber's habit of changing variants very quickly (at the time of writing it had already reached Cerber 3) reminds the author more of the 1980s, when "Cergam" (cerita bergambar, picture stories) and "Cerber" (cerita bersambung, serialized stories) were the craze among teenagers of the day. After Cerber 1 and 2 fell short because a weakness in their encryption was successfully exploited by Check Point, the makers of Cerber promptly fixed the weakness Check Point had exploited and released Cerber 3. The bad news is that, as of now, Cerber 3 has not been cracked, and data encrypted by Cerber 3 cannot be decrypted without paying the ransom demanded.

 

Compared with other ransomware, Cerber has one advantage the others lack: it distributes itself using the SaaS (Software as a Service) model, or more precisely RaaS (Ransomware as a Service), adopting the latest software sales model in which software is sold as a subscription service rather than as a one-off purchase. However, because what it does is illegal and causes great harm by holding other people's data hostage and demanding a ransom for its return, the criminals behind Cerber take many precautions in running their operation, with the main goal of avoiding arrest by law enforcement.

 

Distribution technique
Although it can spread through websites, email remains Cerber's favorite distribution method. This is believed to be because the ransom payment rate among victims infected via email is higher than among those infected via websites, probably because most email recipients use their computers for business purposes and are therefore financially able to pay the ransom demanded to get their data back. The distribution method is no different from that of other ransomware in 2016: it arrives as an attachment, whether .docm, .rtf or a compressed file. In the latest development observed by Vaksincom, ransomware has also started to use the .xls extension for what is actually an XML file which, when opened, downloads the ransomware and installs it on the victim's computer.

 

Cleverly, the attachment sent does not contain the ransomware file itself at all; it only contains a script that downloads the file, so even if an antivirus program detects it, this does little to prevent the malware infection, because the Cerber authors only need to change the script slightly to become undetected again. The next technique that smooths the way for this ransomware is the use of exploit kits. More impressively, Cerber uses three different exploit kits, which can vary from country to country: Magnitude, Neutrino and Rig. For infections in Indonesia, the exploit kit used is Neutrino.

 

For reference, an exploit kit is a program that looks for security holes in a system and, if it finds one, immediately exploits that system by running malware. In many cases, a system that has an unpatched vulnerability can be infected by malware "even if" it is protected by an up-to-date antivirus program. It is therefore very important for computer users to make sure their systems are always updated and free of known vulnerabilities. Vulnerabilities can be present in the operating system, such as Microsoft Windows, as well as in supporting applications such as Microsoft Office, Adobe Acrobat, Adobe Flash in the browser and other programs.

 

From this case we can conclude that even the newest operating systems still supported by Microsoft, such as Windows 7, Windows 8 and Windows 10, can be infected by ransomware if they are not patched, let alone operating systems that are no longer supported, such as Windows XP. If a vulnerability is found in Windows XP, Microsoft no longer provides a patch for it because it is out of support, so the risk of ransomware infection on Windows XP is very high.

 

One worrying thing is a capability stored in Cerber's code, waiting to be activated, that lets it search for open shares on the network from the infected computer and at the same time open access to every open share on the network, even if the user of the infected computer has never accessed those shares. It is therefore very important for computer users on a network to always back up personal data that they share on the intranet, because it is vulnerable to being encrypted by ransomware running on another computer.

 

RaaS: Ransomware as a Service
Cerber applies SaaS (Software as a Service) well. By way of illustration, SaaS is the latest trend in the software world, built on cloud technology: where software used to be sold as a one-off purchase with limitations such as having to buy it again when a new version came out, under the SaaS model software is sold as a service, with consumers paying a rental fee per period (e.g. monthly) and being entitled to use the latest version without buying it again. Examples of SaaS are the paid Microsoft Office 365 and Google Docs, which can be used free of charge.

 

Cerber makes the most of the benefits of this cloud service in spreading itself. One obstacle in distributing malware (ransomware) is the lack of knowledge, experience and access to the reliable, complex and secure network infrastructure needed to spread ransomware, even though ransomware is very profitable as a business: built once, it can yield profit many times over. Until now only experienced programmers could enjoy the large profits from spreading ransomware. With Cerber, even a novice programmer can easily get in touch with the ransomware's authors on a secret/underground forum. For only a small sum of money, the novice programmer receives an undetected ransomware variant along with an easy-to-use interface. For the record, Cerber had 161 affiliates running its operation and managed to infect 150,000 victims, earning roughly Rp 2.5 billion in July 2016 alone. Cerber's revenue-sharing scheme is also quite generous, making it easy to attract affiliates, since the distributor receives a larger share of the profit than the Cerber authors themselves. But when the income from all affiliates is combined, the Cerber authors take home the largest nominal profit.

 

Bypassing UAC and detecting virtual machines (VMs)
Cerber can also get past Windows User Account Control (UAC), which is meant to prevent the installation of malicious software. Even more impressively, Cerber can detect virtual machines such as Hypervisor, VirtualBox, Parallels, QEMU, VMware and Wine. The techniques used vary: detecting system artifacts, detecting the certificates of virtualization applications, and checking the computer's registry. The purpose of detecting VMs is to make it harder for security experts to run the malware in a virtual environment and analyze its behavior.

 

Marketing-aware
Unlike some other ransomware, the Cerber authors, despite committing a crime, also appear to apply marketing principles. This can be seen from how they actively provide service to their victims and make it easy for them to pay the ransom, for example:
  • Multilingual. The ransom demand is displayed in 12 languages. Besides English, the ransom demand is professionally presented in German, Spanish, French, Chinese, Japanese, Portuguese, Polish, Italian, Turkish, Arabic and Dutch. (see Figure 1)
Figure 1: The ransom demand in 12 languages

  • Trying to win the customer's trust by providing proof that they hold the decryption key.
    Naturally, victims doubt whether the Cerber authors really hold the private key needed to decrypt their data. That is why the Cerber authors offer to decrypt one file free of charge [Decrypt 1 file for FREE]. This is meant to prove to victims that they have the decryption key, and they promise to send that key if the victim pays. (see Figure 2)
  • Providing support through a question-and-answer service (see Figure 2). Shamelessly, even though they are plainly the ones who did the encrypting, the Cerber authors provide support to their victims as if they were a legitimate software company. If the Cerber authors were on the right side of the law, this would certainly be something to be proud of.
Figure 2: Cerber offers free decryption of one file and a support service

Source:

 

# Lawrence Abrams | bleepingcomputer.com | October 4, 2016

Cerber Ransomware switches to a Random Extension and Ends Database Processes

Late last week, a new version of Cerber Ransomware was released that included some new features. The most notable changes are the switch from the static .Cerber3 extension for encrypted files to a random 4 character extension, the use of an HTA file as the ransom note, and the termination of various database processes before encryption.

With this version, when a victim’s files are encrypted, not only will the filename be scrambled, but the extension will be replaced as well. This means that a file that was previously encrypted as 5NgPiSr5zo.cerber3 would now be encrypted to a name like 1xQHJgozZM.b71c.

This version also includes a new ransom note called README.hta. When launched, the ransom note will appear in an application Window and display the normal ransom note. An example of the README.hta file can be found below.

(screenshot: README.hta file)

According to security researcher BloodDolly, this update also includes the addition of new database processes that are closed by the close_process directive in Cerber’s configuration. This directive tells Cerber to terminate certain processes before encryption begins. The directive and the current list of processes being terminated are:

 "close_process":
 {
   "close_process": 1,
   "process": ["msftesql.exe", "sqlagent.exe", "sqlbrowser.exe", "sqlservr.exe", "sqlwriter.exe",
               "oracle.exe", "ocssd.exe", "dbsnmp.exe", "synctime.exe", "mydesktopqos.exe",
               "agntsvc.exeisqlplussvc.exe", "xfssvccon.exe", "mydesktopservice.exe", "ocautoupds.exe",
               "agntsvc.exeagntsvc.exe", "agntsvc.exeencsvc.exe", "firefoxconfig.exe", "tbirdconfig.exe",
               "ocomm.exe", "mysqld.exe", "mysqld-nt.exe", "mysqld-opt.exe", "dbeng50.exe",
               "sqbcoreservice.exe"]
 },

These processes are closed in order to make the processes’ data files available for encryption. If the processes are running during encryption, the corresponding data files (which they hold open) may not be accessible for encryption by Cerber.
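The close_process directive quoted above doubles as a detection watch-list: an unknown program that requests termination rights on several of those database and mail-client processes within a few seconds is behaving like this ransomware. The script below is an added example (not code from the article or from Cerber) that parses a constructed fragment shaped like the directive and then looks for such a burst in Sysmon-style ProcessAccess (Event ID 10) records, where GrantedAccess bit 0x1 is PROCESS_TERMINATE; the log lines and the path `unknown.exe` are constructed samples.

```python
"""Added example: derive a watch-list from Cerber's close_process directive and
look for a burst of PROCESS_TERMINATE handle requests against those processes
in Sysmon-style ProcessAccess (Event ID 10) records.

Assumptions: CONFIG_FRAGMENT is a constructed fragment shaped like the directive
quoted in the article; SAMPLE_EVENTS are constructed log lines in a flattened
key=value form; GrantedAccess bit 0x1 is PROCESS_TERMINATE.
"""
import json
import re
from collections import defaultdict
from datetime import datetime

# Constructed fragment mirroring the shape of the directive quoted above.
CONFIG_FRAGMENT = """
{
  "close_process": {
    "close_process": 1,
    "process": ["sqlservr.exe", "sqlagent.exe", "sqlwriter.exe", "mysqld.exe",
                "oracle.exe", "tbirdconfig.exe", "firefoxconfig.exe"]
  }
}
"""

PROCESS_TERMINATE = 0x1  # access-right bit inside GrantedAccess

# Constructed ProcessAccess records: timestamp, source, target, granted access.
SAMPLE_EVENTS = """\
2016-10-03 09:14:01 SourceImage=C:\\Users\\bob\\AppData\\Local\\Temp\\unknown.exe TargetImage=C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlservr.exe GrantedAccess=0x1
2016-10-03 09:14:01 SourceImage=C:\\Users\\bob\\AppData\\Local\\Temp\\unknown.exe TargetImage=C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlagent.exe GrantedAccess=0x1
2016-10-03 09:14:02 SourceImage=C:\\Users\\bob\\AppData\\Local\\Temp\\unknown.exe TargetImage=C:\\Program Files\\MySQL\\bin\\mysqld.exe GrantedAccess=0x1001
2016-10-03 09:14:02 SourceImage=C:\\Windows\\System32\\svchost.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1000
2016-10-03 09:30:15 SourceImage=C:\\Windows\\System32\\taskmgr.exe TargetImage=C:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe GrantedAccess=0x1
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"SourceImage=(?P<src>.+?) TargetImage=(?P<dst>.+?) "
    r"GrantedAccess=(?P<acc>0x[0-9a-fA-F]+)$"
)


def load_watchlist(config_text):
    """Return the lower-cased process names the directive would kill, or an
    empty set when the directive is switched off ("close_process": 0)."""
    directive = json.loads(config_text)["close_process"]
    if not directive.get("close_process"):
        return set()
    return {name.lower() for name in directive.get("process", [])}


def parse_event(line):
    """Parse one flattened ProcessAccess record; None for unparseable lines."""
    m = EVENT_RE.match(line.strip())
    if m is None:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "src": m["src"],
        "target": m["dst"].rsplit("\\", 1)[-1].lower(),  # image file name only
        "access": int(m["acc"], 16),
    }


def find_termination_bursts(log_text, watchlist, window_seconds=30, min_distinct=2):
    """Report each source image that requested PROCESS_TERMINATE on at least
    `min_distinct` different watch-listed processes within `window_seconds`.
    Routine admin work tends to hit one process at a time; a ransomware sweep
    hits several within seconds."""
    hits = defaultdict(list)  # source image -> [(timestamp, target name)]
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev and ev["access"] & PROCESS_TERMINATE and ev["target"] in watchlist:
            hits[ev["src"]].append((ev["ts"], ev["target"]))

    alerts = []
    for src, events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            in_window = {name for t, name in events[i:]
                         if (t - t0).total_seconds() <= window_seconds}
            if len(in_window) >= min_distinct:
                alerts.append({"source": src, "first_seen": t0,
                               "targets": sorted(in_window)})
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in find_termination_bursts(SAMPLE_EVENTS, load_watchlist(CONFIG_FRAGMENT)):
        print(f"{alert['first_seen']} {alert['source']} -> {', '.join(alert['targets'])}")
```

On the constructed sample only the unknown.exe sweep is reported; the single Task Manager kill and the lsass handle request are ignored because they do not match the watch-list or do not form a burst.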

Finally, this version of Cerber Ransomware continues to send UDP packets to the 31.184.234.0/23 range for statistical purposes.

(screenshot: UDP packets)

Source:

 

# Tomas Meskauskas | pcrisk.com | 23 August 2016

Cerber ransomware removal instructions

What is Cerber?

Cerber is a ransomware-type malware that infiltrates systems and encrypts various file types, including .jpg, .doc, .raw, .avi, etc. Cerber adds a .cerber (some variants add .cerber2 or .cerber3) extension to each encrypted file. Note that some variants of this ransomware add random file extensions, for example “.ba99”, “.98a0”, “.a37b”, “.a563” etc. Following successful infiltration, Cerber demands a ransom payment to decrypt these files. It is stated that the ransom must be paid within the given time frame (seven days), otherwise the ransom amount will double.

During encryption, Cerber creates three different files (#DECRYPT MY FILES#.txt, #DECRYPT MY FILES#.html, and #DECRYPT MY FILES#.vbs) containing step-by-step payment instructions in each folder containing the encrypted files. The message within these files states that users can only decrypt their files using a decryptor developed by cyber criminals (called ‘Cerber Decryptor’). The #DECRYPT MY FILES#.vbs file contains a VBScript which, when executed, plays the message “Your documents, databases and other important files have been encrypted!” through the computer speakers. To download the decryptor, a ransom payment of 1.24 Bitcoin (at time of research, equivalent to $546.72) is required. If the ransom is not paid within seven days, it doubles to 2.48 BTC. It is also stated that users can only pay using the Tor browser and by following instructions within the indicated website. Unfortunately, at time of research, there were no tools capable of decrypting files affected by Cerber. Therefore, the only solution to this problem is to restore your system from a backup.

After encrypting files, Cerber ransomware changes desktop wallpaper:

(screenshot: updated Cerber variant wallpaper)

Victims of Cerber ransomware can use a decrypter called “Trend Micro Ransomware File Decryptor tool” to decrypt their files for free. Download is HERE (unfortunately this tool is no longer available). You can view a video tutorial of how to use this tool HERE. Here’s a screenshot of this tool:

(screenshot: Trend Micro Ransomware File Decryptor)

Update 17 August 2016 – Check Point Software Technologies Ltd. has released a decrypter for Cerber ransomware. At the time of testing it was able to decrypt files with .cerber and .cerber2 extensions. To decrypt their files, victims should visit THIS website and follow the simple 7 steps to decrypt their files for free. Unfortunately, cyber criminals have updated their ransomware and this tool no longer works. Here’s a screenshot of the Cerber Ransomware Decryption Tool website:

(screenshot: Cerber ransomware decryptor website)

Text presented on the wallpaper of Cerber ransomware:

You documents, photos, databases and other important files have been encrypted!
If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. There is a list of temporary addresses to go on your personal page.

A screenshot of Cerber ransomware website (used to provide victims with ransom payment instructions, provide support, etc.):

(screenshot: Cerber website homepage)

Text presented in the homepage of Cerber ransomware:

Your documents, photos, databases and other important files have been encrypted! To decrypt your files you need to buy the special software – «Cerber Decryptor». All transactions should be performed via Bitcoin network only. Within 5 days you can purchase this product at a special price:  0.750 (≈ $518). After 5 days the price of this product will increase up to:  1.500 (≈ $1036).

As with other crypto ransomware, Cerber shares many similarities with other malware infections such as Locky, CryptoWall, CTB-Locker, Crypt0L0cker, and TeslaCrypt. All have identical behavior – they encrypt files and encourage users to pay a ransom to decrypt them. The only differences between these viruses are the algorithm used to encrypt the files and the size of the ransom. Be aware that there is no guarantee that your files will ever be decrypted even after paying the ransom. Paying is equivalent to sending your money to cyber criminals – you merely support their malicious business. Therefore, never pay the ransom and do not attempt to contact these people. Malware such as Cerber is mostly proliferated via malicious e-mail attachments, peer-to-peer (P2P) networks (for example, Torrent), fake software updates, and trojans. Be cautious when opening attachments from unrecognized emails and ensure that your chosen files are downloaded from trusted sources. Furthermore, keep all installed software up-to-date and use a legitimate anti-virus or anti-spyware suite.

Screenshot of the README.hta file (the updated variant of Cerber ransomware now uses this file to open its ransom-demanding website):

(screenshot: Cerber README.hta file)

Cerber website FAQ:

(screenshot: Cerber website FAQ)

Question: How can i decrypt my files after payment?
Answer: After payment, you can download the «Cerber Decryptor» from your personal page. We guarantee that all your files will be decrypted!
Question: My files was infected more then month ago, can i still decrypt it with your software?
Answer: Yes, you can still decrypt your files after the payment!

Cerber website Support:

(screenshot: Cerber website support page)

In case of any problems with payment or having any other questions, please contact us via the contact form.

Cerber website “Decrypt 1 files for Free”:

(screenshot: Cerber website “Decrypt 1 file for free” page)

We give you the opportunity to decipher 1 file free of charge! You can make sure that the service really works and after payment for the «Cerber Decryptor» program you can actually decrypt the files!

Cerber ransomware distributed via spam e-mail attachments (using infected .WSF and .DOC files):

(screenshot: spam e-mail distributing Cerber)

Cerber ransomware is delivered by a rogue document attached to spam emails. Once users open the document, they are encouraged to enable malicious macros – the ransomware then starts to encrypt victims’ data:

(screenshot: malicious macro document)

Screenshot of a folder that was compromised by Cerber ransomware (all files are renamed and have a .cerber extension):

(screenshot: folder of .cerber files)

After infiltrating the victim’s computer, Cerber ransomware targets files with these extensions:

.gif, .groups, .hdd, .hpp, .log, .m2ts, .m4p, .mkv, .mpeg, .ndf, .nvram, .ogg, .ost, .pab, .pdb, .pif, .png, .qed, .qcow, .qcow2, .rvt, .st7, .stm, .vbox, .vdi, .vhd, .vhdx, .vmdk, .vmsd, .vmx, .vmxf, .3fr, .3pr, .ab4, .accde, .accdr, .accdt, .ach, .acr, .adb, .ads, .agdl, .ait, .apj, .asm, .awg, .back, .backup, .backupdb, .bay, .bdb, .bgt, .bik, .bpw, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .ce1, .ce2, .cib, .craw, .crw, .csh, .csl, .db_journal, .dc2, .dcs, .ddoc, .ddrw, .der, .des, .dgc, .djvu, .dng, .drf, .dxg, .eml, .erbsql, .erf, .exf, .ffd, .fh, .fhd, .gray, .grey, .gry, .hbk, .ibd, .ibz, .iiq, .incpas, .jpe, .kc2, .kdbx, .kdc, .kpdx, .lua, .mdc, .mef, .mfw, .mmw, .mny, .mrw, .myd, .ndd, .nef, .nk2, .nop, .nrw, .ns2, .ns3, .ns4, .nwb, .nx2, .nxl, .nyf, .odb, .odf, .odg, .odm, .orf, .otg, .oth, .otp, .ots, .ott, .p12, .p7b, .p7c, .pdd, .pem, .plus_muhd, .plc, .pot, .pptx, .psafe3, .py, .qba, .qbr, .qbw, .qbx, .qby, .raf, .rat, .raw, .rdb, .rwl, .rwz, .s3db, .sd0, .sda, .sdf, .sqlite, .sqlite3, .sqlitedb, .sr2, .srf, .srw, .st5, .st8, .std, .sti, .stw, .stx, .sxd, .sxg, .sxi, .sxm, .tex, .wallet, .wb2, .wpd, .x11, .x3f, .xis, .ycbcra, .yuv, .contact, .dbx, .doc, .docx, .jnt, .jpg, .msg, .oab, .ods, .pdf, .pps, .ppsm, .ppt, .pptm, .prf, .pst, .rar, .rtf, .txt, .wab, .xls, .xlsx, .xml, .zip, .1cd, .3ds, .3g2, .3gp, .7z, .7zip, .accdb, .aoi, .asf, .asp, .aspx, .asx, .avi, .bak, .cer, .cfg, .class, .config, .css, .csv, .db, .dds, .dwg, .dxf, .flf, .flv, .html, .idx, .js, .key, .kwm, .laccdb, .ldf, .lit, .m3u, .mbx, .md, .mdf, .mid, .mlb, .mov, .mp3, .mp4, .mpg, .obj, .odt, .pages, .php, .psd, .pwm, .rm, .safe, .sav, .save, .sql, .srt, .swf, .thm, .vob, .wav, .wma, .wmv, .xlsb, .3dm, .aac, .ai, .arw, .c, .cdr, .cls, .cpi, .cpp, .cs, .db3, .docm, .dot, .dotm, .dotx, .drw, .dxb, .eps, .fla, .flac, .fxg, .java, .m, .m4v, .max, .mdb, .pcd, .pct, .pl, .potm, .potx, .ppam, .ppsm, .ppsx, .pptm, .ps, .r3d, .rw2, .sldm, .sldx, .svg, .tga, .wps, .xla, .xlam, .xlm, .xlr, .xlsm, .xlt, .xltm, .xltx, .xlw, .act, .adp, .al, .bkp, .blend, .cdf, .cdx, .cgm, .cr2, .crt, .dac, .dbf, .dcr, .ddd, .design, .dtd, .fdb, .fff, .fpx, .h, .iif, .indd, .jpeg, .mos, .nd, .nsd, .nsf, .nsg, .nsh, .odc, .odp, .oil, .pas, .pat, .pef, .pfx, .ptx, .qbb, .qbm, .sas7bdat, .say, .st4, .st6, .stc, .sxc, .sxw, .tlg, .wad, .xlk, .aiff, .bin, .bmp, .cmt, .dat, .dit, .edb, .flvv

Screenshot of #DECRYPT MY FILES#.html file:

(screenshot: #DECRYPT MY FILES#.html)

Screenshot of #DECRYPT MY FILES#.txt file:

(screenshot: #DECRYPT MY FILES#.txt)

Cerber Decryptor download instructions:

How to get ?
1. Create a Bitcoin Wallet (we recommend Blockchain.info)
2. Buy necessary amount of Bitcoins
Do not forget about the transaction commission in the Bitcoin network (0.0005 BTC).
3. Send 1.24 Bitcoins to the following Bitcoin address: –
4. Control the amount transaction at he panel below.
5. Get a link and download the software.

Text presented in #DECRYPT MY FILES#.txt file:

CERBER

Cannot your find the files you need? Is the content of the files that you looked for not readable? It is normal because the files’ names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #CerberRansomware.

#############################################################

!!! If you are reading this message it means the software
!!! “Cerber Ransomware” has been removed from your computer.

#############################################################

What is encryption? Encryption is a reversible modification of information for security reasons but providing full access to it for authorised users. To become an authorised user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case “Cerber Decryptor” software) for safe and complete decryption of all your files and data.

#############################################################

Everything is clear for me but what should I do? The first step is reading these instructions to the end. Your files have been encrypted with the “Cerber Ransomware” software; the instructions (“#DECRYPT MY FILES #.html” and “# DECRYPT MY FILES #.txt”) in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the “Cerber Ransomware” where they find a lot of ideas, recommendation and instructions. It is necessary to realise that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.

!!! Any attempts to get back you files with the third-party tools can
!!! be fatal for your encrypted files.

The most part of the tried-party software change data with the encrypted files to restore it but this cases damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place – the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realise that any intervention of the third-party software to restore files encrypted with the “Cerber Ransomware” software may be fatal for your files.

#############################################################

!!! There are several plain steps to restore your files but if you do
!!! not follow them we will not be able to help you, and we will not try
!!!since you have read this warning already.

#############################################################

For you information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to:

1. decrypt all you files;
2. work with your documents;
3. view you photos and other media;

#############################################################

What should you do with these addresses? If you read the instructions in TXT format (if you have instructions in HTML (the file with an icon of you Internet browser) then the easiest way is to run it): 1. take a look at the first address 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select “Copy” in the appeared menu; 5. run you Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button “Insert” in the appeared menu; 9. then you will see the address appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the post about working with the addresses in the HTML instructions.

#############################################################

Additional information: You will find the instructions for restoring your files in those folders where you have encrypted files only. The instructions are made in two file formats – HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company.

#############################################################

Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place.

#############################################################

If you look through this text in the Internet and realise that something is wrong with your files but you do not have any instructions to restore your files, please contact your antivirus support.

#############################################################

Remember that the worst situation already happened and not it depends on your determination and speed of you actions the further life of your files.

Cerber ransomware removal: remove .cerber virus

Step 1

Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer start process, press the F8 key on your keyboard multiple times until you see the Windows Advanced Option menu, and then select Safe Mode with Networking from the list.


Windows 8 users: Start Windows 8 in Safe Mode with Networking – Go to the Windows 8 Start Screen, type Advanced, and in the search results select Settings. Click Advanced startup options; in the opened “General PC Settings” window, select Advanced startup. Click the “Restart now” button. Your computer will now restart into the “Advanced Startup options menu”. Click the “Troubleshoot” button, and then click the “Advanced options” button. In the advanced options screen, click “Startup settings”. Click the “Restart” button. Your PC will restart into the Startup Settings screen. Press F5 to boot in Safe Mode with Networking.


Step 2

Log in to the account infected with the Cerber virus. Start your Internet browser and download a legitimate anti-spyware program. Update the anti-spyware software and start a full system scan. Remove all entries detected.


If you cannot start your computer in Safe Mode with Networking, try performing a System Restore.

1. During your computer start process, press the F8 key on your keyboard multiple times until the Windows Advanced Options menu appears, and then select Safe Mode with Command Prompt from the list and press ENTER.


2. When Command Prompt mode loads, enter the following line: cd restore and press ENTER


3. Next, type this line: rstrui.exe and press ENTER.


4. In the opened window, click “Next”.


5. Select one of the available Restore Points and click “Next” (this will restore your computer system to an earlier time and date, prior to the Cerber ransomware virus infiltrating your PC).


6. In the opened window, click “Yes”.


7. After restoring your computer to a previous date, download and scan your PC with recommended malware removal software to eliminate any remaining Cerber ransomware files.

To restore individual files encrypted by this ransomware, try using Windows Previous Versions feature. This method is only effective if the System Restore function was enabled on an infected operating system. Note that some variants of Cerber are known to remove Shadow Volume Copies of the files, so this method may not work on all computers.

To restore a file, right-click over it, go into Properties, and select the Previous Versions tab. If the relevant file has a Restore Point, select it and click the “Restore” button.

(screenshot: Previous Versions tab)

If you cannot start your computer in Safe Mode with Networking (or with Command Prompt), boot your computer using a rescue disk. Some variants of ransomware disable Safe Mode making its removal complicated. For this step, you require access to another computer.

To regain control of the files encrypted by Cerber, you can also try using a program called Shadow Explorer. More information on how to use this program is available here.

(screenshot: Shadow Explorer)

To protect your computer from file-encrypting ransomware such as this, use reputable antivirus and anti-spyware programs. As an extra protection method, you can use programs called HitmanPro.Alert and EasySync CryptoMonitor, which artificially implant group policy objects into the registry to block rogue programs such as Cerber ransomware.

HitmanPro.Alert CryptoGuard – detects encryption of files and neutralises any attempts without need for user intervention:

(screenshot: HitmanPro.Alert CryptoGuard)

EasySync CryptoMonitor – kills an encryption infection and blacklists it from running again:


Other tools known to remove Cerber ransomware:

Source:

 

# Lawrence Abrams | bleepingcomputer.com| August 31, 2016

Cerber Ransomware switches to .CERBER3 Extension for Encrypted Files

A new version of the Cerber Ransomware has been discovered by AVG security researcher Jakub Kroustek that switches from the .CERBER2 extension to .CERBER3 for encrypted files. When I tested this new sample, there were some minor outward differences between this version and the previous version.

The most notable difference is that this new version now appends the .CERBER3 extension to encrypted files. This is shown in the sample Pictures folder below.


Encrypted Files

Another notable difference is that this version has changed the ransom note names to # HELP DECRYPT #.html, # HELP DECRYPT #.txt, and # HELP DECRYPT #.url.

This version of Cerber continues to use the 31.184.234.0/23 range of IP addresses for stats purposes. Strangely, when testing this version I did not see the typical UDP flood; I did see ICMP packets being sent to IP addresses in this range.

Update 8/31/16: I updated the article about the stats ranges.

As this version is further analyzed, more information may become available. When this happens, I will be sure to update this article.

Source:
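
As an added example (not code from Lawrence Abrams's article), the following Python script checks flow records against the 31.184.234.0/23 range named above and lists the internal hosts that talked to it. The log lines and their layout are constructed for illustration; a real firewall or sensor export would need its own parser.

```python
"""Flag traffic to the Cerber stats range reported in the article above.

Added example, not code from the BleepingComputer article. The flow lines
below are constructed; the layout "<timestamp> <proto> <src> -> <dst>" is an
assumption, not any real sensor's format.
"""
import ipaddress
from typing import Dict, List

# Range the article reports Cerber using for stats reporting (UDP, and ICMP
# in this version). Indicators like this go stale: treat it as dated.
CERBER_STATS_NET = ipaddress.ip_network("31.184.234.0/23")

# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = """\
2016-08-31T10:02:11Z UDP  192.168.1.23:49712 -> 31.184.234.17:6892
2016-08-31T10:02:11Z UDP  192.168.1.23:49712 -> 31.184.235.200:6892
2016-08-31T10:02:12Z ICMP 192.168.1.23 -> 31.184.234.5
2016-08-31T10:02:13Z TCP  192.168.1.23:50001 -> 93.184.216.34:443
2016-08-31T10:02:14Z UDP  192.168.1.40:49713 -> 31.184.233.255:6892
"""


def parse_flow(line: str) -> Dict[str, str]:
    """Split one constructed flow line; ports are dropped, only hosts matter."""
    ts, proto, src, _arrow, dst = line.split()
    return {"ts": ts, "proto": proto,
            "src": src.rsplit(":", 1)[0], "dst": dst.rsplit(":", 1)[0]}


def in_cerber_range(host: str) -> bool:
    """True if host falls inside 31.184.234.0/23 (31.184.234.0 - 31.184.235.255)."""
    try:
        return ipaddress.ip_address(host) in CERBER_STATS_NET
    except ValueError:  # hostnames or garbage never match
        return False


def find_cerber_beacons(log_text: str) -> List[Dict[str, str]]:
    """Return every flow whose destination is in the Cerber stats range.

    Matching is protocol-agnostic on purpose: the article saw UDP in earlier
    builds and ICMP in this one, so filtering on protocol would miss one.
    """
    hits = []
    for line in log_text.splitlines():
        if line.strip():
            flow = parse_flow(line)
            if in_cerber_range(flow["dst"]):
                hits.append(flow)
    return hits


def affected_hosts(hits: List[Dict[str, str]]) -> List[str]:
    """Internal sources that beaconed; these are the machines to isolate first."""
    return sorted({h["src"] for h in hits})


if __name__ == "__main__":
    beacons = find_cerber_beacons(SAMPLE_FLOWS)
    for b in beacons:
        print(f'{b["ts"]} {b["proto"]:<4} {b["src"]} -> {b["dst"]}')
    print("hosts to isolate:", ", ".join(affected_hosts(beacons)))
```

Run it over a flow or firewall export covering the infection window; every internal source in the output is a candidate for isolation. Since the article itself notes that the stats ranges have changed between versions, keep this as a dated indicator and pair it with the file-system indicators (the extension and the ransom note names) rather than relying on it alone.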

 

#James Kramer | bugsfighter.com | September 15, 2016

How to remove Cerber3 ransomware and decrypt .cerber3 files

What is Cerber3

Cerber3 ransomware is a new version of the notorious Cerber virus, which has infected hundreds of thousands of computers. It uses the same algorithms to infect the computer and encrypt user files, and now appends .cerber3 to those files. File names are changed to a random 10-character sequence. Among the other differences between Cerber3 and its predecessor are new ransom note files (@__README__@.html, @__README__@.txt and @__README__@.url instead of #DECRYPT MY FILES#.txt, #DECRYPT MY FILES#.html and #DECRYPT MY FILES#.vbs). The text and HTML files contain identical instructions for paying the ransom; the .url file opens the Cerber3 website. The ransom amount is lower than before, 0.7154 Bitcoin, but it doubles to 1.4308 if not paid within 5 days. We monitor all available resources for possible decryptors and stay in contact with antivirus companies. Below you can find updated information on how to remove the newest Cerber3 ransomware and decrypt .cerber3 files.


How Cerber3 infected your PC

Cerber3 virus developers still use spam e-mails with malicious attachments for distribution. Usually a short message offers to download an archive containing some document. This document contains built-in macros that run in the background when the user opens the document. These macros download the executable file of the virus and run it. From that moment Cerber3 starts encrypting your files. Antivirus may not catch this threat, and we recommend using HitmanPro with CryptoGuard. This program can detect the encryption process and stop it to prevent the loss of your files.


Download Cerber3 Removal Tool: bugsfighter removal tool

To remove Cerber3 completely we recommend using SpyHunter from EnigmaSoftware Group LLC. It detects and removes all files, folders and registry keys of Cerber3.

Alternative remover: malwarebytes

As a good free alternative to remove Cerber3, use Malwarebytes Anti-Malware. It will detect the core files and processes of Cerber3 ransomware and eliminate them so that you can start decrypting your files.

How to remove Cerber3 manually

Removing Cerber3 manually is not recommended; for a safer solution use the Removal Tools instead.

Cerber3 files:

@__README__@.html
@__README__@.txt
@__README__@.url

Cerber3 reg keys:

no information

How to decrypt and restore .cerber3 files


Use the following tool from Trend Micro, called Trend Micro Ransomware File Decryptor, which can decrypt files encrypted by Cerber3. Download it here: Trendmicro-RansomwareFileDecryptor_201.0.1627_MUI.zip

There is no point in paying the ransom, because there is no guarantee you will receive the key, and you will put your bank credentials at risk.

If you are infected with Cerber3 ransomware and have removed it from your computer, you can try to decrypt your files. Antivirus vendors and individuals create free decryptors for some crypto-lockers. However, there is currently no automatic decryption tool for .cerber3 files. To attempt to restore them you can do the following:

Using Windows Previous Versions option:

  1. Right-click on the infected file and choose Properties.
  2. Select the Previous Versions tab.
  3. Choose the particular version of the file and click Copy.
  4. To restore the selected file and replace the existing one, click on the Restore button.
  5. If there are no items in the list, choose an alternative method.

Using Shadow Explorer:

  1. Download the Shadow Explorer program.
  2. Run it and you will see a screen listing all the drives and the dates on which shadow copies were created.
  3. Select the drive and date that you want to restore from.
  4. Right-click on a folder name and select Export.
  5. If there are no other dates in the list, choose an alternative method.

If you are using Dropbox:

  1. Log in to the Dropbox website and go to the folder that contains the encrypted files.
  2. Right-click on the encrypted file and select Previous Versions.
  3. Select the version of the file you wish to restore and click on the Restore button.

How to protect computer from viruses like Cerber3 in future

Use Malwarebytes Anti-Ransomware Beta: https://youtu.be/WOkUhGlXnRg

The well-known anti-malware vendor Malwarebytes, along with EasySync Solutions, created a tool that provides active anti-ransomware protection as an additional shield to your current protection. Tools: malwarebytes-anti-ransomware-beta

Use HitmanPro.Alert with CryptoGuard: https://youtu.be/5M8YYnXIAlw

Surfright, the Dutch vendor of the legendary cloud-based scanner HitmanPro, released the active antivirus solution HitmanPro.Alert, whose CryptoGuard feature effectively protects against the latest versions of cryptoviruses. Tools: cleverbridge.com-cryptoguard

Source:
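
As an added example (not code from the bugsfighter article), this Python script scopes an infection from the file-system indicators the article lists: the .cerber3 extension on 10-character randomized names and the ransom note files. The victim directory tree it builds in a temporary folder is constructed; the ransom note names come from this article and from the other articles on this page (# HELP DECRYPT #.*), and the allowed character set for the randomized names is an assumption based on the example name uM87p3n3x6.

```python
"""Scope a Cerber3 infection from file-system indicators.

Added example, not code from the bugsfighter article. Indicators used:
the .cerber3 extension, 10-character randomized base names, and the ransom
note file names reported on this page. The sample tree is constructed in a
temporary directory so the script runs offline.
"""
import os
import re
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, List

# e.g. uM87p3n3x6.cerber3 (the example name on this page): 10 chars + extension.
# Character set is an assumption; widen it if your sample shows other symbols.
RANDOMIZED_NAME = re.compile(r"^[A-Za-z0-9_-]{10}\.cerber3$")
ENCRYPTED_EXT = ".cerber3"
RANSOM_NOTES = {
    "# HELP DECRYPT #.html", "# HELP DECRYPT #.txt", "# HELP DECRYPT #.url",
    "@__README__@.html", "@__README__@.txt", "@__README__@.url",
}


def scan_tree(root: Path) -> Dict[str, List[Path]]:
    """Walk root and bucket hits: encrypted files, ransom notes, and encrypted
    files whose names do not fit the randomized pattern (worth a second look,
    since a different variant or a decoy may be in play)."""
    found: Dict[str, List[Path]] = {"encrypted": [], "notes": [], "odd_name": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.lower().endswith(ENCRYPTED_EXT):
                found["encrypted"].append(path)
                if not RANDOMIZED_NAME.match(name):
                    found["odd_name"].append(path)
            elif name in RANSOM_NOTES:
                found["notes"].append(path)
    return found


def affected_directories(found: Dict[str, List[Path]]) -> Counter:
    """Count encrypted files per directory: the shape of what was hit."""
    return Counter(str(p.parent) for p in found["encrypted"])


def build_sample_tree() -> Path:
    """Constructed victim tree (not real data) for running the scan offline."""
    root = Path(tempfile.mkdtemp(prefix="cerber3-demo-"))
    docs, pics = root / "Documents", root / "Pictures"
    docs.mkdir()
    pics.mkdir()
    (docs / "uM87p3n3x6.cerber3").write_bytes(b"\x00" * 64)
    (docs / "Qx9LmT0aZb.cerber3").write_bytes(b"\x00" * 64)
    (docs / "# HELP DECRYPT #.txt").write_text("constructed ransom note\n")
    (docs / "# HELP DECRYPT #.html").write_text("<html>constructed</html>\n")
    (pics / "a1B2c3D4e5.cerber3").write_bytes(b"\x00" * 64)
    (pics / "holiday.jpg").write_bytes(b"\xff\xd8\xff")          # untouched file
    (pics / "budget.xlsx.cerber3").write_bytes(b"\x00" * 64)     # odd: name kept
    (root / "# HELP DECRYPT #.url").write_text("[InternetShortcut]\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    result = scan_tree(sample_root)
    print(f'{len(result["encrypted"])} encrypted files, {len(result["notes"])} ransom notes')
    for directory, count in affected_directories(result).most_common():
        print(f"  {count:3d}  {directory}")
    for odd in result["odd_name"]:
        print("  name not randomized:", odd.name)
```

Point it at the user profile and at any mapped shares before remediation, since the keonesoftware article below notes that Cerber also walks network shares, and keep the output: the per-directory counts tell you what has to be restored, and the ransom note locations mark every directory the malware touched.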

 

#keonesoftware.com

Cerber3 ransomware removal: how to decrypt .cerber3 virus files

Cerber3, the latest variant of a widespread defiant ransomware that plays an audio warning message to its victims, has started using the .cerber3 extension.

The file-encrypting threat generically dubbed Cerber has been invariably offbeat since it emerged. Its makers pioneered in utilizing .vbs files to literally pronounce their ransom demands via the infested PC’s speakers. While this feature has been preserved in the newest version of this infection, there are several noteworthy differences. First of all, the newcomer appends the .cerber3 extension to one’s personal files and jumbles filenames beyond recognition. For example, it transforms the name of a random document to a bizarre entry similar to uM87p3n3x6.cerber3. The files that contain steps to reinstate these messed up objects have also been modified. Now their names are # HELP DECRYPT #.html, # HELP DECRYPT #.url, and # HELP DECRYPT #.txt. A victim won’t find it hard to locate these ransom notes – they are created on the desktop and within all directories with ciphered data.


Desktop wallpaper set by Cerber3 virus

Just like its forerunners, Cerber3 is being deposited on computer systems by means of contagious email attachments or exploit kits. In the former case, a user receives an email with catchy contents and an enclosed JS file in a ZIP archive. Once you open the attached document, the ransomware gets inside undetected. When an exploit kit is in play, vulnerabilities in software that’s out of date are harnessed to inject the malicious loader. Regardless of the installation mode, the Trojan’s activity on a PC goes a uniform route across all incidents. It starts by running a scan for personal files stored on the local and removable drives as well as mapped and unmapped network shares.


Ransom notes and encrypted .cerber3 files in a folder

The totality of data detected during the scan is subject to lightning-fast encoding. The Advanced Encryption Standard (AES) is the instrument that the perpetrators are banking on in this regard. This symmetric cryptosystem, if implemented the right way, is an insurmountable obstacle to recovery. Having completed the data encryption and filename scrambling part of its mission, Cerber3 generates a sinister audio alert, sets a new desktop background with some basic warning text, and drops the above-mentioned combo of # HELP DECRYPT # ransom instructions. From these documents, the victim will learn that they have to navigate to a Tor (The Onion Router) gateway. The Cerber Decryptor landing page provides the infected user with their personal restoration details, including the size of the ransom and the amount of time left before the fee will double. The original ransom valid during the first 5 days is 0.7154 BTC, or about $400. If the deadline condition isn’t met, it goes up to 1.4308 BTC.

Cerber3 ransomware attack is a tough-to-handle predicament. There is no free decryptor available for this strain. If paying up to the threat actors is an unacceptable option, be sure to try the tips below that reflect some potentially helpful forensic techniques.

Automatic removal of Cerber3 virus

When it comes to handling infections like this one, using a reputable cleaning tool is the place to start. Sticking to this workflow ensures that every component of the ransomware gets found and eradicated from the affected computer.

  1. Download and install the cleaning tool and click the Start Computer Scan button: download cerber3 removal
  2. The wait is worth it. Once the scan completes, you will see a report listing all malicious or potentially unwanted objects detected on your PC. Go ahead and click the Fix Threats option in order to get the ransom trojan automatically uninstalled from your machine. The following steps are intended to restore the encrypted files.

Recover files ciphered by Cerber3 ransomware

Removing the infection proper is only a part of the fix, because the seized personal information will stay encrypted regardless. Review and try the methods below to get a chance of restoring the files.

Option 1: Backups
The cloud works wonders when it comes to recovering from a ransomware attack. If you have been keeping data backups in a remote place, just use the respective feature offered by your backup provider to reinstate all encrypted items.

Option 2: Recovery tools
The research of Cerber3 virus reveals an important fact about the way it processes the victim’s data: it deletes the original files, and it’s actually their copies that are encrypted. In the meanwhile, it is common knowledge that anything erased from a computer doesn’t completely vanish and can be dragged out of memory via certain techniques. Recovery applications are capable of doing this, so this method is surely worth a try. Tool: Data Recovery Pro

Option 3: Shadow Copies
The Windows operating system incorporates a technology referred to as the Volume Snapshot Service, or VSS, which automatically backs up files or volumes. One critical prerequisite in this regard is to have the System Restore feature toggled on. If it has been active, some data segments can be successfully recovered.

You may perform this activity with the Previous Versions functionality, which is built into the OS, or by means of special applications that will do the job automatically.

  • Previous Versions feature
    Right-click on a file and choose Properties in the context menu. Find a tab named Previous Versions and click on it to view the last automatic backup that was made. Depending on a preferred action, click Restore to get the file recovered to its original location, or click Copy and indicate a new directory.


  • Shadow Explorer applet
    It’s remarkably easy to manage Previous Versions of files and folders with automated tools like Shadow Explorer. This program is free to use. Download and install it, let it come up with a profile of the file hierarchy on the computer, and get down to the restoration proper. You can select a drive name on the list, then right-click on the files or folders to recover, and click Export to proceed.


Did the problem go away? Check and see

Computer threats like ransomware may be stealthier than you can imagine, skillfully obfuscating their components inside a compromised computer to evade removal. Therefore, by running an additional security scan you will dot the i's and cross the t's in terms of the cleanup. Tool: Cerber3 Ransomware Scanner and Remover

Source:
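
Both the bugsfighter article above (a macro-laden document inside an archive) and the keonesoftware article (a JS file inside a ZIP) describe the e-mail carrier. As an added example that is not code from either article, this Python mail-gateway check opens ZIP attachments in memory and flags script files and macro-enabled Office documents, including OOXML files that carry a vbaProject.bin part whatever their extension says. The attachments are constructed in memory, the extension lists are a starting point rather than a complete policy, and binary .doc/.xls (OLE) macro detection is out of scope because it needs an OLE parser.

```python
"""Mail-gateway check for the attachment types the articles describe.

Added example, not code from the bugsfighter or keonesoftware articles.
Flags: script files (.js/.vbs/...) anywhere in a ZIP, macro-enabled Office
extensions, and OOXML documents that contain a VBA project part whatever
their extension says. Attachments are constructed in memory; nothing runs.
Binary .doc/.xls (OLE) macro detection needs an OLE parser and is not done here.
"""
import io
import zipfile
from pathlib import PurePosixPath
from typing import List, Optional, Tuple

SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
MACRO_DOC_EXTS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm"}
OOXML_EXTS = MACRO_DOC_EXTS | {".docx", ".dotx", ".xlsx", ".xltx", ".pptx"}


def build_zip(members: List[Tuple[str, bytes]]) -> bytes:
    """Assemble a ZIP in memory (used only to construct sample attachments)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members:
            zf.writestr(name, data)
    return buf.getvalue()


def member_names(data: bytes) -> Optional[List[str]]:
    """File members of a ZIP, or None if the archive cannot be read.

    Member names are readable even when the contents are password-protected,
    which is all this check needs.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [i.filename for i in zf.infolist() if not i.is_dir()]
    except zipfile.BadZipFile:
        return None


def risky_members(names: List[str]) -> List[Tuple[str, str]]:
    """Script or macro-enabled members inside an archive attachment.

    Double extensions (Invoice.pdf.JS) are caught because only the last
    suffix is inspected, after lower-casing.
    """
    findings = []
    for name in names:
        ext = PurePosixPath(name).suffix.lower()
        if ext in SCRIPT_EXTS:
            findings.append((name, "script"))
        elif ext in MACRO_DOC_EXTS:
            findings.append((name, "macro-enabled document"))
    return findings


def ooxml_has_macros(names: List[str]) -> bool:
    """OOXML files are ZIPs; a VBA project lives in a vbaProject.bin part."""
    return any(n.lower().endswith("vbaproject.bin") for n in names)


def verdict(filename: str, data: bytes) -> str:
    """'block' or 'allow' for one attachment, judged by name and content."""
    ext = PurePosixPath(filename).suffix.lower()
    if ext in SCRIPT_EXTS or ext in MACRO_DOC_EXTS:
        return "block"
    if ext == ".zip" or ext in OOXML_EXTS:
        names = member_names(data)
        if names is None:
            return "block"          # unreadable archive: fail closed
        if ext == ".zip" and risky_members(names):
            return "block"
        if ext in OOXML_EXTS and ooxml_has_macros(names):
            return "block"          # a .docx that really carries VBA
    return "allow"


if __name__ == "__main__":
    # Constructed sample attachments, modelled on the lures described above.
    samples = [
        ("invoice_0901.zip", build_zip([("Invoice.pdf.JS", b"var x=1;")])),
        ("scan.zip", build_zip([("scan.pdf", b"%PDF-1.4")])),
        ("report.docx", build_zip([("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")])),
        ("report2.docx", build_zip([("word/document.xml", b"<w:document/>")])),
        ("order.docm", b"PK\x03\x04"),
    ]
    for name, blob in samples:
        print(f"{verdict(name, blob):5}  {name}")
```

The check fails closed on archives it cannot parse, which is the right default at a gateway: a corrupt or deliberately malformed ZIP is more likely an evasion attempt than a legitimate invoice.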

 

#Chona Esjay | malwarefixes.com | September 1, 2016

Remove Cerber3 Ransomware and Decrypt Files

Cerber3 ransomware is a hazardous computer virus that is obviously part of the Cerber family of malware. Just like the old versions, this virus was made to encrypt various files on the computer, leaving them inaccessible. Cerber3 uses a complex encryption algorithm, which is very hard to decode. In fact, this new version patches the flaw used by certain decryption tools, such as those from Trend Micro and Check Point.

Typically, Cerber3 enters the computer via other malware. It tries to exploit certain vulnerabilities on the computer and uses them to gain access. It arrives in various forms, but lately has been seen using mass e-mailing to spread quickly.

Once Cerber3 is executed, it looks for target files and encrypts them. Compromised files are appended with the .cerber3 extension. In order to regain access to these files, the virus demands that the user pay 1.24 Bitcoins, or approximately $700 at the current exchange rate.

As a typical ransom virus, Cerber3 announces its presence by displaying warning messages on the desktop. It also places ransom notes in various parts of the hard drive to remind the user of the encryption and suggest how to quickly recover infected files.

As of now, there is no Cerber3 decryption tool available. There are various ways of recovering files, provided you have a backup copy, using Windows features like Windows Previous Versions or Shadow Explorer.

How to Remove Cerber3 Ransomware

Ransomware files are placed deeply into the system and on various locations, thus, thorough scanning is vital to totally remove Cerber3 virus. Aside from our suggested tool, you may also run your own security program.

Though affected files may be impossible to decrypt due to the complexity of the encryption, you can still try recovery methods like Shadow Explorer or Previous Versions as described below.

Stage 1: Scan the Computer with ESET Rogue Application Remover (ERAR)

  1. Download the free scanner called ESET Rogue Application Remover.
    Download Link for ERAR (this will open a new window)
  2. Choose the appropriate version for your Windows system. Save the file to a convenient location, preferably on the Desktop.
  3. After downloading the file, Windows will prompt that the download has completed. Click Run to start the program. Another option is to browse to the download folder and double-click on the file ERARemover_.exe.
  4. On the ESET Rogue Application Remover SOFTWARE LICENSE TERMS, click Accept to continue.
  5. The tool will start scanning the computer. It will prompt when it finds Cerber3 Ransomware and other malicious entities. Follow the prompts to proceed with the removal.


Stage 2: Double-check for Cerber3 Ransomware’s leftover with Microsoft’s Malicious Software Removal Tool

  1. Download the free scanner called Malicious Software Removal Tool.
    Malicious Software Removal Tool Download Link (this will open a new window)
  2. The tool automatically checks the operating system and suggests the appropriate download version. Click the Download button to begin. Save the file to a convenient location, preferably on the Desktop.
  3. After downloading the file, Windows will prompt that the download has completed. Click Run to start scanning for Cerber3 Ransomware. Another option is to browse to the download folder and double-click on the file to run it.
  4. The tool will display a Welcome screen; click Next. Please note the message “This tool is not a replacement for an antivirus product.” You must understand that this program is made specifically to find and remove malware, viruses, Trojans, and other harmful elements on the computer. It was not designed to protect the computer.
  5. Next, you will see Scan Type. Please choose Full Scan to ensure that all Cerber3 Ransomware entities and other harmful files left on the computer will be found and removed. Advanced users can opt for Customized Scan if there are other drives or folders they want to include in this scan.
  6. A full scan may take a while; please wait for Malicious Software Removal Tool to complete the tasks. However, you may cancel the scan at any time by clicking on the Cancel button.
  7. After scanning, the tool will reveal all identified threats. There may be other threats that our first scan failed to detect. Please remove/delete all detected items.
  8. When the removal procedure is complete, you may close Malicious Software Removal Tool. We hope that Cerber3 Ransomware has been completely deleted from the computer. Please restart Windows to proceed with normal operation.

Recover .Cerber3 Files Using Decryption Tool

As of this moment, there is no Decryption Tool for Cerber3 Ransomware. We will update this section as soon as we have obtained a tool that can recover encrypted .cerber3 files. In the meantime, please try other options below.

Option 1: Windows Previous Version Tool

Windows Vista and Windows 7 have a feature called Previous Versions. However, this tool is only usable if a restore point was made prior to the Cerber3 Ransomware infection. To use this tool and recover files affected by the virus, please follow these steps:

  1. Open My Computer or Windows Explorer.
  2. Right-click on the affected files or folders. From the drop-down list, click on Restore previous versions.
  3. A new window will open displaying all backup copies of the files and folders you want to recover. Choose the appropriate file and click on Open, Copy, or Restore. Restoring selected files overwrites the current encrypted files on the computer.

Option 2: Use ShadowExplorer to restore files encrypted by Cerber3 Ransomware

Just like the Previous Versions tool, ShadowExplorer takes advantage of the shadow copies created by Windows. This tool allows you to retrieve older versions of files from before they were encrypted by Cerber3 Ransomware.

  1. Download ShadowExplorer from the official web site.
  2. Install the program with the default settings.
  3. The program should run automatically after installation. If not, double-click on the ShadowExplorer icon.
  4. You can see the drop-down list at the top of the console. Select the proper drive and the most recent point-in-time shadow copy of the files you wish to restore from prior to the Cerber3 Ransomware infection.
  5. Right-click on the Drive, Folder, or File you wish to restore and click Export…
  6. Lastly, ShadowExplorer will prompt for the location where you want to save the copy of the recovered files.

Source:
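
The Previous Versions and ShadowExplorer procedures in this article, Option 3 in the keonesoftware article above, and the pcrisk note earlier on this page all depend on the same Volume Shadow Copies. As an added example that is not code from any of these articles, the Python below parses the output of `vssadmin list shadows` and picks the newest snapshot created before the first encrypted file appeared. The sample output is constructed (GUIDs and machine name invented), the US-English timestamp format is assumed, and an empty result is the case the pcrisk note warns about, where Cerber has already deleted the copies.

```python
"""Choose a shadow copy that predates the Cerber3 infection.

Added example, not code from any article on this page. Parses the text of
`vssadmin list shadows` (run from an elevated prompt on the victim) and
selects the newest snapshot of a volume taken before the infection time.
The sample output below is constructed: GUIDs and machine name are invented,
and the date format assumed is the US-English one ("8/28/2016 9:15:02 PM").
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

SAMPLE_VSSADMIN_OUTPUT = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {00000000-0000-0000-0000-000000000001}
   Contained 1 shadow copies at creation time: 8/28/2016 9:15:02 PM
      Shadow Copy ID: {10000000-0000-0000-0000-000000000001}
         Original Volume: (C:)\\?\Volume{20000000-0000-0000-0000-000000000001}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: WORKSTATION

Contents of shadow copy set ID: {00000000-0000-0000-0000-000000000002}
   Contained 1 shadow copies at creation time: 8/30/2016 7:02:44 AM
      Shadow Copy ID: {10000000-0000-0000-0000-000000000002}
         Original Volume: (C:)\\?\Volume{20000000-0000-0000-0000-000000000001}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
         Originating Machine: WORKSTATION

Contents of shadow copy set ID: {00000000-0000-0000-0000-000000000003}
   Contained 1 shadow copies at creation time: 9/1/2016 11:40:10 AM
      Shadow Copy ID: {10000000-0000-0000-0000-000000000003}
         Original Volume: (C:)\\?\Volume{20000000-0000-0000-0000-000000000001}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
         Originating Machine: WORKSTATION
"""

CREATED_RE = re.compile(r"creation time:\s*(.+?)\s*$")
VOLUME_RE = re.compile(r"Original Volume:\s*\((\w:)\)")
DEVICE_RE = re.compile(r"Shadow Copy Volume:\s*(\S+)")
VSS_TIME_FORMAT = "%m/%d/%Y %I:%M:%S %p"   # locale assumption, see docstring


@dataclass(frozen=True)
class ShadowCopy:
    volume: str       # drive letter, e.g. "C:"
    device: str       # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
    created: datetime


def parse_vss_time(text: str) -> datetime:
    """Parse vssadmin's timestamp (US-English format assumed)."""
    return datetime.strptime(text.strip(), VSS_TIME_FORMAT)


def parse_vssadmin(text: str) -> List[ShadowCopy]:
    """Turn vssadmin's indented blocks into ShadowCopy records."""
    copies: List[ShadowCopy] = []
    created: Optional[datetime] = None
    volume: Optional[str] = None
    for line in text.splitlines():
        m = CREATED_RE.search(line)
        if m:
            created = parse_vss_time(m.group(1))
            continue
        m = VOLUME_RE.search(line)
        if m:
            volume = m.group(1).upper()
            continue
        m = DEVICE_RE.search(line)
        if m and created is not None and volume is not None:
            copies.append(ShadowCopy(volume, m.group(1), created))
            volume = None      # each device line closes one shadow copy entry
    return copies


def pick_clean_snapshot(copies: List[ShadowCopy], volume: str,
                        infected_at: datetime) -> Optional[ShadowCopy]:
    """Newest snapshot of `volume` taken strictly before `infected_at`.

    Snapshots taken after the infection hold encrypted files, so they are
    skipped. None means no usable copy exists, e.g. because the ransomware
    already deleted them, so move on to backups.
    """
    candidates = [c for c in copies
                  if c.volume == volume.upper() and c.created < infected_at]
    return max(candidates, key=lambda c: c.created, default=None)


if __name__ == "__main__":
    # Infection time: mtime of the earliest .cerber3 file found (constructed here).
    first_encrypted_at = parse_vss_time("8/31/2016 10:02:00 AM")
    snapshot = pick_clean_snapshot(parse_vssadmin(SAMPLE_VSSADMIN_OUTPUT),
                                   "C:", first_encrypted_at)
    if snapshot is None:
        print("no pre-infection shadow copy: fall back to backups")
    else:
        print(f"restore from {snapshot.device} (taken {snapshot.created})")
```

Capture the input with `vssadmin list shadows > shadows.txt` from an elevated prompt and take the infection time from the earliest .cerber3 modification time. The device path it returns is what ShadowExplorer browses; on Windows it can also be mounted directly with `mklink /d C:\snap \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\` (the trailing backslash is required) so files can be copied out with ordinary tools.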

 

#Lawrence Abrams | bleepingcomputer.com | August 16, 2016

Check Point releases working Decryptor for the Cerber Ransomware

For those who have been affected by the Cerber Ransomware and decided not to pay the ransom, we have good news for you! Today, Check Point released a decryption service for the Cerber Ransomware version 1 and version 2 that allows victims to recover their computer’s decryption key and decrypt their files for free. The file types that can be decrypted by this service are those that end with the .CERBER and .CERBER2 extensions.


Check Point Cerber Decryption Service

At this time, it is not known how Check Point is able to decrypt the Cerber files, but based on their access to the Cerber backend, they most likely were able to acquire the Master Decryption Key, rather than finding a weakness in the encryption algorithm.  Using this Master Decryption Key, they can then extract a victim’s unique key from an uploaded encrypted file.

How to Decrypt .CERBER and .CERBER2 Files

In order to use this service, victims can visit the CerberDecrypt.com site and upload an encrypted .CERBER or .CERBER2 file that is 1MB or smaller. Once the file is uploaded, Check Point will extract the private key associated with your computer and make it available for download. Victims must then download both the private key file, which will be named pk, and the decryptor to the same folder.

Once a victim has downloaded both files, they can simply double-click on the decryptor to start scanning the computer for files to decrypt.


Cerber Decryptor

The Check Point Cerber Decryptor will scan the computer for encrypted files and decrypt them. Please note that there appears to be a bug in the user interface that indicates encrypted files on the network are being detected, even for those who are not connected to a network. This bug can safely be ignored.

When it has finished decrypting your files, the victim will be presented with a message stating that the disk has been decrypted. As an extra bonus, the decryptor will have removed any ransom notes that are not located on the Windows desktop.


Decryption Finished

The victim’s files should now be decrypted.

Source:

 
