CERBER Ransomware


Systems Affected


Threat Level



The malware encrypts files after force-restarting the victim's PC and drops ransom notes named DECRYPT MY FILES.


CERBER is a fairly strong piece of ransomware, written with great attention to detail. Once deployed, the original file disappears and a copy of it, renamed [random word].exe, runs from a hidden folder created in %APPDATA%. Examples of the file names the CERBER copy has been seen using: csrstub.exe, dinotify.exe, ndadmin.exe, setx.exe, rasdial.exe, RelPost.exe, ntkrnlpa.exe. The dropped files have an edited creation timestamp. The malware also creates a link to the dropped copy in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup. In Process Explorer, the dropped copy can be seen creating a new file (used to divide up the work of encrypting files). The malware also makes changes to the Windows registry. CERBER can encrypt files while offline, which means it does not need to fetch a key from its CnC servers. Encrypted files have their names completely changed and receive the extension typical of this ransomware: .cerber. Once it runs, the ransomware displays the ransom message in two forms, HTML and TXT; the message is only available in English.
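The following PowerShell script is an added triage example written for this advisory; it is not Sri Lanka CERT|CC tooling and not part of the original page. It turns the indicators described above (a Startup-folder link pointing into %APPDATA%, executables with the listed names inside a hidden %APPDATA% folder, edited creation timestamps, .cerber files and DECRYPT MY FILES notes) into a read-only host check. The -ScanRoot parameter and the "file created before its parent folder" timestamp heuristic are assumptions of this example, not statements from the advisory.

```powershell
# Added triage example for the indicators in this advisory (not Sri Lanka CERT|CC tooling).
# Read-only: reports suspected CERBER artefacts and changes nothing.
# Assumption (not in the advisory): -ScanRoot is where .cerber files and notes are looked for.
param(
    [string]$ScanRoot = $env:USERPROFILE
)

# Example file names the advisory reports for the renamed copy in %APPDATA%.
$KnownNames = @('csrstub.exe', 'dinotify.exe', 'ndadmin.exe', 'setx.exe',
                'rasdial.exe', 'RelPost.exe', 'ntkrnlpa.exe')

function New-Finding {
    param([string]$Kind, [string]$Path, [string]$Detail)
    [pscustomobject]@{ Kind = $Kind; Path = $Path; Detail = $Detail }
}

# 1. Startup-folder shortcuts whose target lies under %APPDATA% (the persistence link).
function Get-StartupLinkFindings {
    $startup = [Environment]::GetFolderPath('Startup')
    $shell = New-Object -ComObject WScript.Shell
    Get-ChildItem -Path $startup -Filter '*.lnk' -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $target = $shell.CreateShortcut($_.FullName).TargetPath
        if ($target -and $target.StartsWith($env:APPDATA, [StringComparison]::OrdinalIgnoreCase)) {
            New-Finding 'StartupLink' $_.FullName "shortcut target under %APPDATA%: $target"
        }
    }
}

# 2. Executables inside hidden %APPDATA% folders: known names and edited creation timestamps.
function Get-HiddenAppDataExeFindings {
    Get-ChildItem -Path $env:APPDATA -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes.HasFlag([IO.FileAttributes]::Hidden) } |
        ForEach-Object {
            $dir = $_
            Get-ChildItem -Path $dir.FullName -Filter '*.exe' -Force -ErrorAction SilentlyContinue | ForEach-Object {
                $why = @()
                if ($KnownNames -contains $_.Name) { $why += 'name matches advisory list' }
                # Heuristic (assumption, not from the advisory): a file that claims to have been
                # created before the folder holding it most likely had its creation time backdated.
                if ($_.CreationTime -lt $dir.CreationTime) { $why += 'creation time predates parent folder' }
                if ($why.Count -eq 0) { $why += 'executable in hidden %APPDATA% folder' }
                New-Finding 'HiddenAppDataExe' $_.FullName ($why -join '; ')
            }
        }
}

# 3. Encryption artefacts: the .cerber extension and the DECRYPT MY FILES notes (HTML/TXT).
function Get-EncryptionFindings {
    Get-ChildItem -Path $ScanRoot -Recurse -Force -Filter '*.cerber' -ErrorAction SilentlyContinue |
        ForEach-Object { New-Finding 'EncryptedFile' $_.FullName 'has the .cerber extension' }
    Get-ChildItem -Path $ScanRoot -Recurse -Force -Include '*DECRYPT MY FILES*' -ErrorAction SilentlyContinue |
        ForEach-Object { New-Finding 'RansomNote' $_.FullName 'ransom note file name' }
}

$findings = @(Get-StartupLinkFindings) + @(Get-HiddenAppDataExeFindings) + @(Get-EncryptionFindings)
if ($findings.Count -eq 0) {
    Write-Output "No CERBER indicators found under $ScanRoot or the current user's profile."
} else {
    $findings | Sort-Object Kind | Format-Table -AutoSize
    Write-Warning "$($findings.Count) indicator(s) found. Isolate the host and preserve the files before cleanup."
}
```

Run it from an elevated PowerShell session on the suspect host (for example .\Find-CerberIndicators.ps1 -ScanRoot D:\Shares); a hit in the StartupLink or HiddenAppDataExe categories points at the dropped copy to preserve for analysis, while EncryptedFile hits show how far encryption has progressed before any restore from backup is attempted.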


Solution/ Workarounds

1. Update to the latest version of Flash
2. Perform data backup

Manual removal
1. Boot your PC in Safe Mode to isolate and remove Cerber files and objects
2. Find malicious files created by Cerber on your PC
3. Fix registry entries created by Cerber on your PC

Automatic removal
1. Back up your data to secure it against infections and file encryption by Cerber in the future
2. Restore files encrypted by Cerber
3. Optional: use alternative anti-malware tools


Indonesia Computer Emergency Response Team

Sensors and-restore-cerber-encrypted-files/


The information provided herein is on "as is" basis, without warranty of any kind.


© Copyright Sri Lanka CERT|CC. All Rights Reserved.