Cerber2 virus decryption: restore .cerber2 extension files

Be updated on the newest ransomware threat that appends .cerber2 extension to one’s personal files and uses advanced encryption to lock them.

There’s no excuse for any type of extortion, whether it’s real-world or cyber. Criminals who operate via the Internet, however, appear to have no morals at all and keep on contriving ransomware samples that encrypt all valuable files on victims’ PCs and offer a way of redeeming the data for a ransom. Cerber2 isn’t an all-new strain of crypto malware, but it is entirely self-contained. Based on an older version called Cerber, this one handles users’ files somewhat differently. It appends the .cerber2 tail as the extension of every ciphered item and uses a file naming format that hides the original names. A file processed by this virus will look similar to this – 8TRspjl3BJ.cerber2. Obviously, it’s impossible to tell which document, image, video or database this used to be.

Cerber2 reaches out to victims via desktop background warning

This ransomware circulates through the use of an exploit kit. This payload delivery method involves the following events: the user goes to a compromised website; a special script redirects the person to the landing page of the exploit kit; and the EK detects and exploits unpatched software to execute a random-named executable on the workstation. Then, Cerber2 performs a scan in the background, trying to locate all personal files on fixed drives, removable drives, as well as mapped and unmapped network shares. Using the AES-256 encryption routine, it scrambles the inner structure of every file. Recovery is not feasible unless the user has the AES key that can unscramble the information properly.

Files encrypted by RSA-4096 ransomware

The infection sets its own desktop background that says, “Your documents, photos, databases and other important files have been encrypted!” It also provides several links that the victim is supposed to copy and paste into the browser. The same information is also available in ransom instructions automatically created inside every encrypted folder. These documents are titled # DECRYPT MY FILES.html #, # DECRYPT MY FILES #.url, # DECRYPT MY FILES #.txt, and # DECRYPT MY FILES #.vbs. One of these, namely the .vbs (VBScript) version, features a text-to-speech function so that the warning message is played over the computer’s speakers.
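The file and note naming described above can be turned into a simple host triage check. The following Python script is an added example, not part of the original article or of any vendor tool; it assumes the 10-character stem length seen in the sample name 8TRspjl3BJ, matches ransom notes by the "# DECRYPT MY FILES" prefix, and runs against a constructed sample folder.

```python
import os
import re
import tempfile
from pathlib import Path

# Markers from the article: the .cerber2 extension, a random stem such as
# 8TRspjl3BJ (10 alphanumerics is an assumption based on that sample),
# and ransom notes whose names start with "# DECRYPT MY FILES".
ENCRYPTED_EXT = ".cerber2"
STEM_PATTERN = re.compile(r"^[A-Za-z0-9]{10}$")
NOTE_PREFIX = "# DECRYPT MY FILES"


def is_cerber2_name(name):
    # True when the name follows the <random10>.cerber2 pattern exactly.
    stem, ext = os.path.splitext(name)
    return ext == ENCRYPTED_EXT and STEM_PATTERN.match(stem) is not None


def triage(root):
    # Summarise what an incident record needs: encrypted-file count, note count,
    # folders holding encrypted files, and .cerber2 names that break the pattern
    # (possible variant or false positive, worth a manual look).
    report = {"encrypted": 0, "notes": 0, "affected_dirs": set(), "odd_names": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(ENCRYPTED_EXT):
                report["encrypted"] += 1
                report["affected_dirs"].add(os.path.relpath(dirpath, root))
                if not is_cerber2_name(name):
                    report["odd_names"].append(name)
            elif name.startswith(NOTE_PREFIX):
                report["notes"] += 1
    return report


def run_sample():
    # Constructed sample tree: two folders hit by the ransomware, one untouched.
    layout = {
        "Documents": ["8TRspjl3BJ.cerber2", "Qz9kLm2xPa.cerber2",
                      "# DECRYPT MY FILES #.txt", "# DECRYPT MY FILES #.vbs"],
        "Pictures": ["a1B2c3D4e5.cerber2", "# DECRYPT MY FILES #.url",
                     "report.cerber2"],  # stem is not 10 random chars: flagged
        "Music": ["song.mp3"],
    }
    with tempfile.TemporaryDirectory() as tmp:
        for folder, names in layout.items():
            Path(tmp, folder).mkdir()
            for name in names:
                Path(tmp, folder, name).write_bytes(b"constructed content")
        return triage(tmp)


if __name__ == "__main__":
    print(run_sample())
```

Point triage() at the root of a user profile or a mapped share to get the same summary for a real host.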

When the user ends up on the Cerber Decryptor page, they can learn the ransom amount and see how much time is left before the ransom doubles. During the first five days since the compromise, the amount is 1.7447 BTC (≈ $1000). Afterwards, it will increase to 3.4894 BTC (≈ $2002). That’s a lot of money, but some users feel they have to pay up if they want to get their most important files back. To security experts’ credit, though, they have devised a couple of workarounds that take advantage of things like VSS (Volume Shadow Copy Service) and forensic data recovery techniques.

Cerber2 ransomware removal

It’s usually quite easy to get rid of the ransomware program itself. Ransom Trojans are easy targets for antimalware suites once the data encryption part has been performed. That does not make removal any less necessary, because the infection may cause further damage along with the modules that may accompany it, such as password stealers.

1. Download, install and run Cerber2 removal software. Click the Start New Scan button and wait until the suite does a thorough system checkup.


2. When the scan results are readily available, go to Fix Threats and let the program do its cleaning job.

Workarounds to recover .cerber2 encrypted files

Unless security researchers or AV labs release a dependable decryption tool, recovering the scrambled files is largely a matter of luck. However, there are techniques that ransomware victims shouldn’t fail to try before considering the buyout suggested by the criminals. Be sure to read through and apply the methods below.

1. Backups
First and foremost, download backup copies of your important data from offsite storage unaffected by the ransomware. If you had no backup strategy in place before the breach occurred, proceed to the next step. Also, start maintaining secure backups of the most valuable information so that attacks like this one won’t cause that much damage in the future.

2. Shadow Copies
Cerber2 is designed to delete the Shadow Copies of its victim’s files, which are data snapshots automatically made by the operating system. The ransomware has reportedly failed to complete this task in some cases, though. An important prerequisite for successful recovery is that the System Restore feature was enabled prior to the compromise. There are two ways to take advantage of this functionality built into Windows.

  • Previous Versions Based on Restore Points
    Select any encrypted file, right-click on it and go to Properties. Now proceed to the Previous Versions tab. If the OS had been making snapshots of this file during system restore events, it will display the list of available file versions. Highlight the latest one and select Copy to recover it to a new path on the computer. Clicking the Restore button will reinstate the file to its original location.
  • ShadowExplorer
    ShadowExplorer is a tool that automates data recovery based on VSS (Volume Snapshot Service). If that’s the workflow of your choice, download and install the tool. Run it, select the local drive name and the folder of interest, right-click on it, hit the Export option and follow further prompts to get the job done.
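Before clicking through Previous Versions, a responder can check the prerequisite above by reading the machine’s shadow copy list and seeing whether any snapshot predates the first encrypted file. The following Python is an added example, not from the article or from ShadowExplorer; it parses a constructed sample modelled on `vssadmin list shadows` output (US date format and placeholder GUIDs are assumptions) and takes the infection time as a string, which in practice would come from the earliest .cerber2 modification time.

```python
import re
from datetime import datetime

# Constructed sample modelled on `vssadmin list shadows` output. GUIDs are
# placeholders; DATE_FORMAT assumes a US locale and should match the host's.
SAMPLE_VSSADMIN = r"""
Contents of shadow copy set ID: {00000000-0000-0000-0000-000000000001}
   Contained 1 shadow copies at creation time: 8/1/2016 9:30:00 AM
      Shadow Copy ID: {00000000-0000-0000-0000-000000000002}
         Original Volume: (C:)\\?\Volume{00000000-0000-0000-0000-000000000003}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
Contents of shadow copy set ID: {00000000-0000-0000-0000-000000000004}
   Contained 1 shadow copies at creation time: 8/5/2016 6:45:12 PM
      Shadow Copy ID: {00000000-0000-0000-0000-000000000005}
         Original Volume: (C:)\\?\Volume{00000000-0000-0000-0000-000000000003}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
"""
DATE_FORMAT = "%m/%d/%Y %I:%M:%S %p"
CREATED_RE = re.compile(r"creation time:\s*(.+?)\s*$")
VOLUME_RE = re.compile(r"Shadow Copy Volume:\s*(\S+)")


def parse_shadows(text):
    # Pair each "Shadow Copy Volume" line with the creation time that precedes it.
    snapshots, created = [], None
    for line in text.splitlines():
        m = CREATED_RE.search(line)
        if m:
            created = datetime.strptime(m.group(1), DATE_FORMAT)
            continue
        m = VOLUME_RE.search(line)
        if m and created is not None:
            snapshots.append((created, m.group(1)))
    return snapshots


def usable_snapshots(snapshots, infection_time_str):
    # Only snapshots taken before the first file was encrypted can hold clean
    # copies; later ones already contain the .cerber2 versions.
    infection_time = datetime.strptime(infection_time_str, DATE_FORMAT)
    return [vol for created, vol in snapshots if created < infection_time]


if __name__ == "__main__":
    # Constructed infection time: the earliest .cerber2 mtime on a real host.
    print(usable_snapshots(parse_shadows(SAMPLE_VSSADMIN), "8/3/2016 2:15:10 PM"))
```

On a live Windows host, feed the function the real output of `vssadmin list shadows` run from an elevated prompt.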

3. Forensic Tools
Most ransomware encrypts data by writing encrypted copies and deleting the originals; the encrypted copies are then the objects of the ransom bargain. Erasing information from the hard drive is only irreversible when done with multiple overwrites. Otherwise, it may be possible to restore files using utilities like Data Recovery Pro. Simply run the app and see whether it can do the trick.

Look before you leap into secure computing

Now that you have hopefully recovered your files, make sure the Cerber2 ransomware cannot cause any more trouble. Consider scanning the system for executables and leftover registry keys added by the infection. Double-checking is also a good idea because some of the newer variants of crypto malware are accompanied by other threats such as rootkits and identity theft programs. So run the scan again and see whether or not you are completely safe.
