Cerber Ransomware

I got an end user who this morning opened an attachment in an e-mail and now his computer is infected with Cerber Ransomware. It was sent via a fax email with an attachment (yesterday was the first time it was released to spread in this fashion). Anyways, I know that anything that has not been backed up onto the network prior to being infected is lost if it is encrypted. Although, I have not restarted his computer yet and I was wondering if it is possible for me to search through and search the logs or something for the key anywhere?? I know I'm just going to have to wipe the computer more than likely. But has anyone ran into this before??

2 Comments   [ + ] Show comments
  • I watched a CEO's computer get nuked in seconds by this and I found no clues left behind on how to reverse it. I saw him click and by the time I said "do not do that" it was too late. - SMal.tmcc 4 years ago
  • Actually... the same guy just got another email. Thankfully he did not open it this time. Brought it to my attention immediately - JZycho 4 years ago

Answers (4)

Posted by: JamesRoss 4 years ago
White Belt
I have been working as a security researcher for six years. All I can say is that Cerber is a very sophisticated virus which has been updated for several times. After starting with such extensions, as .cerber, .cerber2 and .cerber3, now it uses such format to mark encrypted files: .[random numbers]. Unfortunately, no matter that this virus was created almost one year ago, there is still no legitimate decrypter launched yet. However, you can try Data Recovery Pro, ShadowExplorer and Previous Windows Versions feature. All these options have been helping my clients recover at least some part of their files.
Detailed guides on how to use each of these options are explained here: http://www.2-spyware.com/remove-cerber-virus.html
Posted by: Fastline 4 years ago
White Belt
Hello! I had problems with Cerber1 ransomware and from my experience I can say that it is almost impossible to instantly decrypt data without paying hackers for "genuine" decryption tool.
If you are lucky, tools like ShadowExplorer, Farbar, Recuva can recover some or all data from shadow copies.
I was lucky that TrendMicro tool ( http://esupport.trendmicro.com/solution/en-us/1114221.aspx) was released shortly after my laptop was infected and it was able to decrypt Cerber1 crypt.
Also i'd recommend you to check this guide (http://manual-removal.com/cerber-501/) and to copy all encrypted data to external drive and wait till effective decryption tool will be released.
Posted by: Pressanykey 4 years ago
Red Belt
after a quick search found a few links, perhaps they can help you out...


or perhaps here..


  • Thanks, I read those articles on Friday when this happened. Unfortunately nothing could be done to save any of the documents that became encrypted. Naturally this end user did not save anything to the network drives so he lost everything as I just finished wiping it this morning. Of course his boss also decided to blame IT for not being able to recover the data.... whatever. - JZycho 4 years ago
Posted by: Vanesse 4 years ago
White Belt

Ransomware is not easy to defeat. Cerber developers are pushing the next evolution of ransomware by going after database files. A solid data backup/restoration capability is important, as is quality antimalware to block attacks.If you do not have a complete backup for your system it would be impossible to restore the data. (Lean more about Cerber ransomware:http://guides.uufix.com/how-to-remove-cerber-ransomware-from-your-pc/)
The File Decryptor developed by Trend Micro could be helpful with the problem:

Don't be a Stranger!

Sign up today to participate, stay informed, earn points and establish a reputation for yourself!

Sign up! or login

View more:


This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ