Security Question

Cerber Ransomware

12/02/2016 1070 views
I got an end user who this morning opened an attachment in an e-mail and now his computer is infected with Cerber Ransomware. It was sent via a fax email with an attachment (yesterday was the first time it was released to spread in this fashion). Anyways, I know that anything that has not been backed up onto the network prior to being infected is lost if it is encrypted. Although, I have not restarted his computer yet and I was wondering if it is possible for me to search through the logs or something for the key anywhere? I know I'm just going to have to wipe the computer more than likely. But has anyone run into this before?


  • I watched a CEO's computer get nuked in seconds by this and I found no clues left behind on how to reverse it. I saw him click and by the time I said "do not do that" it was too late.
  • Actually... the same guy just got another email. Thankfully he did not open it this time. Brought it to my attention immediately.

All Answers

I have been working as a security researcher for six years. All I can say is that Cerber is a very sophisticated virus which has been updated several times. After starting with such extensions as .cerber, .cerber2 and .cerber3, it now uses the following format to mark encrypted files: .[random numbers]. Unfortunately, even though this virus was created almost one year ago, there is still no legitimate decrypter launched yet. However, you can try Data Recovery Pro, ShadowExplorer and the Previous Windows Versions feature. All these options have been helping my clients recover at least some part of their files.
Detailed guides on how to use each of these options are explained here: http://www.2-spyware.com/remove-cerber-virus.html
Answered 04/12/2017 by: JamesRoss
White Belt

Hello! I had problems with Cerber1 ransomware and from my experience I can say that it is almost impossible to instantly decrypt data without paying hackers for "genuine" decryption tool.
If you are lucky, tools like ShadowExplorer, Farbar, Recuva can recover some or all data from shadow copies.
I was lucky that TrendMicro tool ( http://esupport.trendmicro.com/solution/en-us/1114221.aspx) was released shortly after my laptop was infected and it was able to decrypt Cerber1 crypt.
Also I'd recommend you to check this guide (http://manual-removal.com/cerber-501/) and to copy all encrypted data to an external drive and wait until an effective decryption tool is released.
Answered 12/11/2016 by: Fastline
White Belt
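The two answers above both point at the same two facts a responder wants before wiping the machine: how many files carry the Cerber-style extensions (.cerber, .cerber2, .cerber3, or a purely numeric extension), and whether any Volume Shadow Copies still exist, because that is what ShadowExplorer and the Windows "Previous Versions" feature restore from. The following PowerShell script is an added example written for this thread; it is not code from any of the posters or from the tools they name. The scan roots, the report path and the four-digit length of the numeric extension are assumptions; Win32_ShadowCopy must be queried from an elevated prompt.

```powershell
# Added example (not from the thread): triage a Windows host suspected of
# Cerber infection before it is wiped. It (1) inventories files whose names
# match the extension patterns the answers describe and (2) checks whether
# any Volume Shadow Copies survive, which is the data source ShadowExplorer
# and "Previous Versions" read from.
param(
    # Roots to inventory; these defaults are an assumption for one user profile
    [string[]] $ScanRoots = @("$env:USERPROFILE\Documents", "$env:USERPROFILE\Desktop"),
    # Where the CSV inventory is written; also an assumption
    [string] $ReportPath = "$env:TEMP\cerber-triage.csv"
)

# Extensions named in the thread: .cerber, .cerber2, .cerber3 and later a
# purely numeric one. The thread does not give its length; 4 digits is assumed here.
$EncryptedPattern = '\.(cerber[23]?|\d{4})$'

function Get-EncryptedFileInventory {
    param([string[]] $Roots, [string] $Pattern)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match $Pattern } |
            Select-Object FullName, Length, LastWriteTime
    }
}

function Get-ShadowCopySummary {
    # Win32_ShadowCopy lists VSS snapshots. Ransomware families commonly delete
    # them, so an empty result means the shadow-copy recovery route is closed.
    Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue |
        Select-Object ID, VolumeName, InstallDate, DeviceObject
}

$inventory = @(Get-EncryptedFileInventory -Roots $ScanRoots -Pattern $EncryptedPattern)
$inventory | Export-Csv -LiteralPath $ReportPath -NoTypeInformation
Write-Host ("Files matching encrypted-name pattern: {0} (report: {1})" -f $inventory.Count, $ReportPath)

if ($inventory.Count -gt 0) {
    # The earliest write time among renamed files approximates when encryption
    # began, which narrows the window for reviewing mail and event logs.
    $first = $inventory | Sort-Object LastWriteTime | Select-Object -First 1
    Write-Host ("Earliest encrypted file: {0} at {1}" -f $first.FullName, $first.LastWriteTime)
}

$shadows = @(Get-ShadowCopySummary)
if ($shadows.Count -eq 0) {
    Write-Host "No Volume Shadow Copies found; Previous Versions / ShadowExplorer will have nothing to restore."
} else {
    Write-Host ("Shadow copies present: {0}" -f $shadows.Count)
    $shadows | Format-Table -AutoSize
}
```

Run it as `.\cerber-triage.ps1` from an elevated PowerShell session on the affected host, ideally with the machine kept off the network and not rebooted, since a reboot is one more chance for the remaining shadow copies to be purged. The CSV is the record of what was lost, which is worth keeping even when the host is wiped afterwards.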

After a quick search I found a few links, perhaps they can help you out...


Or perhaps here...

Answered 12/03/2016 by: Pressanykey
Red Belt

  • Thanks, I read those articles on Friday when this happened. Unfortunately nothing could be done to save any of the documents that became encrypted. Naturally this end user did not save anything to the network drives so he lost everything as I just finished wiping it this morning. Of course his boss also decided to blame IT for not being able to recover the data.... whatever.

Ransomware is not easy to defeat. Cerber developers are pushing the next evolution of ransomware by going after database files. A solid data backup/restoration capability is important, as is quality antimalware to block attacks. If you do not have a complete backup for your system it would be impossible to restore the data. (Learn more about Cerber ransomware: http://guides.uufix.com/how-to-remove-cerber-ransomware-from-your-pc/)
The File Decryptor developed by Trend Micro could be helpful with the problem:

Answered 01/19/2017 by: Vanesse
White Belt
