Cerber Ransomware

What is Cerber Ransomware?

Cerber Ransomware is a devious Windows infection that enters your operating system using clandestine methods. Whether this program slithers in via a corrupted spam email attachment or gets downloaded by a malicious installer, it will hide itself until all of your personal files are encrypted. If this malicious infection successfully encrypts your personal files, it can proceed to demand a ransom from you. According to our research, at the moment, this ransom is 1.24 BTC, which is around 507 USD or 463 EUR. Every user is given 7 days to make the payment, and, if the payment is not made, the ransom supposedly rises to 2.48 BTC (~1014 USD/925 EUR). Note that the Bitcoin currency is quite unstable and the currency ratios fluctuate frequently. All in all, the sums are high, and it is unlikely that many victims have this kind of money lying around. Unfortunately, at the moment, it is impossible to decrypt personal files in other ways, which means that paying the ransom might be the only way to regain control over your files. Of course, this does not change the fact that you must remove Cerber Ransomware.testtesttest

How does Cerber Ransomware work?

According to Anti-Spyware-101 ransomware analysts, Cerber Ransomware uses two different types of encryption. First, this ransomware employs AES (Advanced Encryption Standard) to encrypt files. Second, it uses the RSA cryptosystem to encrypt the actual decryption key. On top of that, this key is sent to a remote server that only the creators of this ransomware can access, which makes it completely inaccessible. It was found that this infection is capable of encrypting many types of files, including .doc, .jpg, .pdf, .txt, .php, and .png. As you can see, this ransomware targets personal files because computer users are more likely to pay a ransom for them. Fortunately, more and more users back up the most sensitive files, in which case, the files encrypted by the malicious infection have healthy copies. Are you one of the users whose files are backed up? If you are, you still need to delete Cerber Ransomware from your Windows operating system. If your files are not backed up, it is likely that you will consider following the demands presented by this ransomware. These demands are shown in three different ways, with the help of “# DECRYPT MY FILES #.html”, “# DECRYPT MY FILES #.txt”, and “# DECRYPT MY FILES #.vbs” files. The first one opens a TXT file and the second opens a browser page, both presenting these instructions.

Your documents, photos, databases and other important files have been encrypted!
To decrypt your files follow the instructions:
1. Download and install the "Tor Browser" from https://www.torproject.org/
2. Run it
3. In the "Tor Browser" open website:


4. Follow the instructions at this website

The “# DECRYPT MY FILES #.vbs” file is the most surprising one because it uses Windows Narrator. This Visual Basic Script file includes a script presenting an audio message that says: Attention! Attention! Attention! Your documents, photos, databases and other important files have been encrypted!" This VBS file, as well as TXT and HTML files will be added to every location where encrypted files are found. As you probably know, all encrypted files gain the “.cerber” extension, which is why they are very easy to detect. Of course, even if you detect them, there is nothing you can do. Removing the extensions or the infection itself does not lift the encryption. If you decide to pay the requested ransom, you will have to install the Tor Browser and pay the sum requested in Bitcoins, which, of course, you will need to purchase first.

How to eliminate Cerber Ransomware

We are hopeful that your personal files are stored on an external drive or in an online storage, and you do not need to pay the ransom. Unfortunately, it is very risky to pay this ransom or follow any other demands by cyber criminals because they are completely unpredictable. In any case, it is crucial to delete Cerber Ransomware from your operating system; even if you pay the ransom and your personal files get decrypted. If you do not erase this malicious infection, it might strike again, and that is the last thing you need. As mentioned previously, this ransomware could have been downloaded onto your computer by other infections, which means that you might need to take care of other threats after you complete the steps in the removal guide below. If you do not want to waste your time, employ an automated malware remover (e.g. SpyHunter) to clean your operating system from all devious and clandestine computer threats.

Removal Guide

N.B. The “*” symbol represents a random name.

  1. Launch RUN (simultaneously tap Win+R).
  2. Type regedit.exe into the Open box and click OK.
  3. Navigate to HKCU\Control Panel\Desktop.
  4. Right-click and Delete the value called SCRNSAVE.EXE if its value data is %AppData%\{RANDOM CLSID}\*.exe.
  5. Navigate to HKCU\Software\Microsoft\Command Processor\AutoRun.
  6. Right-click and Delete the value with a random name if its value data is %AppData%\{RANDOM CLSID}\*.exe.
  7. Navigate to HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run.
  8. Repeat step 6.
  9. Navigate to HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
  10. Repeat step 6.
  11. Navigate to HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce.
  12. Repeat step 6.
  13. Launch Explorer (simultaneously tap Win+E).
  14. Enter the names of these directories into the address bar (one by one) and Delete LNK fileswith a random name (*.lnk).
    • %ALLUSERSPROFILE%\Start Menu\Programs\
    • %APPDATA%\Microsoft\Windows\Start Menu\Programs\
    • %USERPROFILE%\Microsoft\Windows\Start Menu\Programs\
    • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\
    • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\
  15. Enter %AppData% into the address bar at the top.
  16. Right-click and Delete a folder with a random CLSID-type name (this folder should hold the malicious EXE file).
100% FREE spyware scan and
tested removal of Cerber Ransomware*

Leave a Comment

Enter the numbers in the box to the right *