New Cerber README.hta Ransomware Remove and Restore Encrypted Files – How to, Technology and PC Security Forum


This is an instructive article to help you remove the Cerber README.hta ransomware and restore encrypted files.

A new variant of the Cerber ransomware that uses a README.hta ransom note has appeared in the wild, according to malware researcher Michael Gillespie. What differs in this version is that it drops an .hta file with completely new ransom demands and appends a random four-character alphanumeric extension to each encrypted file, for example .a123 or .y2k2. Since three versions of the notorious ransomware have already been released and its massive affiliate campaign is running worldwide, this is a strong indicator that the developers have either built a completely new version or heavily modified the older Cerber. The purpose of the virus is to extort a ransom of 0.5 to 1.5 BTC from infected users who follow the instructions in the readme file. Anyone affected by this or any other version of the virus should not pay any ransom, since malware researchers are constantly working on free decryption solutions. Instead, we advise you to back up your encrypted files, remove the ransomware and try the alternative recovery methods in the instructions below.

Threat Summary

Name: Cerber
Type: Ransomware Virus
Short Description: This Cerber variant encrypts files using the RSA and/or AES ciphers, appends an extension of four randomly generated A-Z/0-9 characters (e.g. .z33f) to each encrypted file and demands a ransom for decryption.
Symptoms: Files are encrypted and can no longer be opened by any software. A ransom note with payment instructions is dropped as a "README.hta" file.
Distribution Method: Spam e-mails, e-mail attachments, file-sharing networks, malicious executables on torrent trackers.

The Latest Cerber Virus – How Does it Spread

Not much has changed in how Cerber infects machines. Like the first, second and third Cerber versions, this one is distributed through affiliate campaigns: the creators do not spread it themselves but rely on a network of affiliates around the world who want to profit illegally, which broadens the range of distribution methods considerably.

The developers may also sell the ransomware as a service together with an exploit kit, the component that does most of the infection work. An exploit kit does not guarantee infection, but it raises the odds considerably by exploiting unpatched bugs in Windows or the software running on it and by obfuscating the malicious executable so that antivirus and other endpoint defences are less likely to detect it.

Given that Cerber may already have a huge affiliate network, a different set of tools and approaches may be used to spread the virus. Some of those tools may include:

  • Malware obfuscators to hide the malicious file.
  • Spam bots and fake online accounts to spread the virus via malicious web links posted as comments on websites or via social media.
  • Temporary, self-destructing e-mail services to remain untraceable.
  • Spamming software to mass-mail a prepared list of recipients.
  • A pre-configured set of fake phishing e-mails.

All of these tools serve to deliver Cerber's malicious executable in different forms. One is an e-mail attachment disguised as an invoice or another important-looking document; another is a drive-by download triggered by a malicious URL in the phishing message.

Cerber Ransomware – What Does This Variant Do

After compromising a computer, Cerber may connect to the C&C (command and control) servers belonging to the cyber-criminals. Once that connection is made, it may download and drop one or more malicious files of the following types:

.vbs, .exe, .dll, .tmp, .bat, .cmd, .hta

The malicious files may serve different purposes and may be dropped in important Windows directories, most likely:

  • %AppData%
  • %SystemDrive%
  • %Temp%
  • %Roaming%
  • %System%
  • %Local%
  • %LocalLow%

Once its files are in place, Cerber gets down to business. It may run an administrative command to delete the Volume Shadow Copies on the infected computer, wiping out the previous file versions that Windows keeps for recovery. The command (shown on the original page as an image) is:

[image: the shadow-copy deletion command]

Cerber may also immediately begin encrypting files on the compromised computer. It usually looks for widely used types of files, such as videos, photos, audio files, documents and others that may be important to you.

In addition, Cerber may add values pointing to its executables under the Run and RunOnce registry keys, so that the virus launches every time Windows starts and encrypts newly added files as well.
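The two behaviours described above, deleting the shadow copies and registering under Run/RunOnce, are exactly what a detection rule should key on. The following Python is an added example, not code from the original article or from any Cerber analysis: it runs two simple rules over constructed, Sysmon-style process-creation and registry events. The exact shadow-copy command appears on the page only as an image; the example assumes the `vssadmin delete shadows /all /quiet` form (and the `wmic shadowcopy delete` equivalent) that ransomware families, including earlier Cerber builds, have used. The field names, user, SID, paths and the dropped file name are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample telemetry, NOT taken from the page: simplified "key=value"
# records loosely modelled on Sysmon process-creation (EventID 1) and
# registry-value-set (EventID 13) events. Field names, the SID, the user name,
# the paths and the dropped executable's name (x3k1.exe) are all assumptions.
SAMPLE_EVENTS = [
    r'EventID=1 Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin delete shadows /all /quiet" ParentImage=C:\Users\bob\AppData\Roaming\x3k1.exe',
    r'EventID=1 Image=C:\Windows\System32\wbem\WMIC.exe CommandLine="wmic shadowcopy delete" ParentImage=C:\Users\bob\AppData\Roaming\x3k1.exe',
    r'EventID=13 Image=C:\Users\bob\AppData\Roaming\x3k1.exe TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\x3k1 Details=C:\Users\bob\AppData\Roaming\x3k1.exe',
    # Benign look-alikes that must NOT fire: an administrator listing shadows,
    # and a vendor updater registering itself from Program Files.
    r'EventID=1 Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin list shadows" ParentImage=C:\Windows\System32\cmd.exe',
    r'EventID=13 Image="C:\Program Files\Vendor\Updater.exe" TargetObject=HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater Details="C:\Program Files\Vendor\Updater.exe"',
]

# Shadow-copy deletion through vssadmin or wmic. "vssadmin list shadows" is
# routine administration and deliberately does not match.
SHADOW_DELETE = re.compile(
    r'\b(?:vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete)\b',
    re.I)
# The autostart locations the article names: the Run and RunOnce keys.
RUN_KEY = re.compile(r'\\CurrentVersion\\Run(?:Once)?\\', re.I)
# User-writable drop locations from the article's list (%AppData%, %Local%,
# %LocalLow%, %Temp%). Ransomware runs from here; installed software rarely does.
USER_WRITABLE = re.compile(r'\\(?:AppData\\(?:Roaming|Local|LocalLow)|Temp)\\', re.I)


def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value record; quoted values may contain spaces."""
    fields = {}
    for key, value in re.findall(r'(\w+)=("[^"]*"|\S+)', line):
        fields[key] = value.strip('"')
    return fields


def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Apply both rules and return one finding per matching event."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get('EventID') == '1' and SHADOW_DELETE.search(ev.get('CommandLine', '')):
            # Deletion launched by something in a user-writable folder is the
            # ransomware pattern; from cmd.exe it may still be an admin.
            from_user_dir = bool(USER_WRITABLE.search(ev.get('ParentImage', '')))
            findings.append({
                'rule': 'shadow_copy_deletion',
                'severity': 'high' if from_user_dir else 'medium',
                'evidence': ev['CommandLine'],
            })
        elif (ev.get('EventID') == '13'
              and RUN_KEY.search(ev.get('TargetObject', ''))
              and USER_WRITABLE.search(ev.get('Details', ''))):
            findings.append({
                'rule': 'run_key_persistence',
                'severity': 'high',
                'evidence': ev['TargetObject'] + ' -> ' + ev['Details'],
            })
    return findings


if __name__ == '__main__':
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The Run-key rule only fires when the registered binary lives in a user-writable directory, which keeps legitimate updaters in Program Files quiet; in a real deployment the same two rules map directly onto Sysmon Event IDs 1 and 13 (or the equivalent EDR events) and the lines above would come from the log pipeline rather than a list.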

After encryption the files are unusable. Cerber generates a unique decryption key for the victim; this key may itself be encrypted and sent to the C&C server of the people controlling the malware.

Files encrypted by this Cerber variant usually look like the following:

[image: encrypted files carrying random four-character extensions]

The ransom note's warning that third-party software will be "fatal" for the files is a pressure tactic. Whatever cipher mode the malware uses (CBC, Cipher Block Chaining, is a common choice), running the wrong tool or the wrong key produces unreadable output, but it cannot damage the originals as long as every recovery attempt is made on copies of the encrypted files.

Cerber’s ransom note is also dropped in a README.hta file and it has the following brief message with a web link to a payment page:

“CERBER RANSOMWARE
Instructions
Can’t you find the necessary files?
Is the content of your files not readable?
It is normal because the files’ names and the data in your files have been encrypted by “Cerber Ransomware”.
It means your files are NOT damaged! Your files are modified only. This modification is reversible.
From now it is not possible to use your files until they will be decrypted.
The only way to decrypt your files safely is to buy the special decryption software “Cerber Decryptor”.
Any attempts to restore your files with the third-party software will be fatal for your files!
You can proceed with purchasing of the decryption software at your personal page:
Please wait…
{Unique link for the victim}”

Whatever the case, it is very important to get rid of Cerber as soon as possible rather than pay any ransom to the cyber-criminals, for obvious reasons:

  • You support the cyber-criminals’ organization.
  • No guarantee you will receive your files back.

Malware researchers recommend that users infected by Cerber make copies of the encrypted files and keep them on an external drive, in case a free decryptor is released, as happened with the first version of Cerber.
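Putting that advice together with the description of the encrypted files above, the following Python is an added example, not code from the original article. It walks a directory tree, flags files whose extension is four random alphanumerics, but only when the content also looks encrypted, and mirrors those files together with every README.hta into a backup folder. The allowlist of ordinary four-letter extensions, the entropy threshold and the constructed sample tree are assumptions; a bare "four characters" match would otherwise flag every .docx and .json on the machine.

```python
import math
import os
import re
import shutil
import tempfile
from collections import Counter
from pathlib import Path
from typing import List, Tuple

NOTE_NAME = "README.hta"
# The extension pattern the article describes: four A-Z/0-9 characters.
RANDOM_EXT = re.compile(r'^\.[a-z0-9]{4}$', re.I)
# Assumed allowlist: common legitimate extensions that also happen to be four
# alphanumerics. Extend it for your environment.
KNOWN_EXTS = {'.docx', '.xlsx', '.pptx', '.docm', '.xlsm', '.json', '.html',
              '.jpeg', '.webp', '.tiff', '.heic', '.yaml', '.toml', '.java'}
# Assumed threshold: encrypted data approaches 8 bits/byte; text is far lower.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the given sample."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path) -> bool:
    """Random four-character extension, not a known format, high-entropy content."""
    ext = path.suffix
    if not RANDOM_EXT.match(ext) or ext.lower() in KNOWN_EXTS:
        return False
    with path.open('rb') as f:
        head = f.read(4096)
    # Very small samples give unreliable entropy estimates; skip them.
    return len(head) >= 256 and shannon_entropy(head) >= ENTROPY_THRESHOLD


def find_encrypted(root) -> Tuple[List[Path], List[Path]]:
    """Return (encrypted files, ransom notes) found under root."""
    root = Path(root)
    encrypted, notes = [], []
    for path in sorted(root.rglob('*')):
        if not path.is_file():
            continue
        if path.name.lower() == NOTE_NAME.lower():
            notes.append(path)
        elif looks_encrypted(path):
            encrypted.append(path)
    return encrypted, notes


def backup_encrypted(root, dest) -> int:
    """Copy (never move or rename) encrypted files and notes into dest, keeping paths."""
    root, dest = Path(root), Path(dest)
    encrypted, notes = find_encrypted(root)
    copied = 0
    for src in encrypted + notes:
        target = dest / src.relative_to(root)
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, target)  # copy2 preserves timestamps for later triage
        copied += 1
    return copied


def build_sample_tree(base) -> Path:
    """Constructed victim directory (not real malware output) for a dry run."""
    base = Path(base)
    (base / 'docs').mkdir(parents=True, exist_ok=True)
    (base / 'pics').mkdir(parents=True, exist_ok=True)
    # Two "encrypted" files: renamed, random extension, random content.
    (base / 'docs' / 'Kj3fP0aQ2z.a123').write_bytes(os.urandom(4096))
    (base / 'pics' / '8sLm2qXv0R.z33f').write_bytes(os.urandom(4096))
    # A compressed Office document: high entropy but a known extension.
    (base / 'docs' / 'report.docx').write_bytes(os.urandom(4096))
    # An unknown four-character extension with plaintext content.
    (base / 'pics' / 'config.cfg1').write_bytes(b'setting=value\n' * 100)
    # A constructed ransom note, not the real one.
    (base / 'docs' / NOTE_NAME).write_text('<html>constructed CERBER note</html>')
    return base


def demo() -> dict:
    """Build the sample tree in a temp dir, triage it and back it up."""
    work = Path(tempfile.mkdtemp(prefix='cerber-triage-'))
    victim = build_sample_tree(work / 'victim')
    encrypted, notes = find_encrypted(victim)
    copied = backup_encrypted(victim, work / 'backup')
    return {
        'encrypted': sorted(p.name for p in encrypted),
        'notes': len(notes),
        'copied': copied,
        'backup_has_note': (work / 'backup' / 'docs' / NOTE_NAME).is_file(),
    }


if __name__ == '__main__':
    print(demo())
```

Point `backup_encrypted` at an external drive as the destination, and run it before any removal tool so nothing deletes the encrypted files or the notes, which carry the victim ID and link a future decryptor may need. The entropy check is what separates a Cerber-renamed file from an ordinary document with a four-letter extension; it will still miss files shorter than 256 bytes, so inspect those by hand.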

To remove Cerber ransomware, please follow the instructions posted below. If you have a tough time removing the files manually, the best solution is an anti-malware program that automatically takes care of the malicious files and registry objects created by the ransomware.

To attempt alternative file restoration methods, we advise you to take a look at our suggestions in step “2. Restore Files Encrypted by Cerber” below. They may or may not work in your situation, and the outcome may vary, but we have users who report restoring at least some of their important files. The outcome of how many files you will be able to revert comes down to whether or not you have a backup, whether or not you have reformatted your hard drive and other variables.

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.

