
Wednesday, February 22, 2017

Cerber Ransomware Removal and Decryptor

Cerber ransomware is a type of virus that encrypts a user's files and demands that the victim pay a ransom to get them back. The name and extension of encrypted files are changed, and the new extension varies depending on Cerber's version. It may be “.cerber”, “.cerber2”, or a string of randomly generated letters and numbers. After paying the ransom, the victim is able to decrypt files with the decryption software provided (Cerber Decryptor). To prove that they are not bluffing, the criminals allow a victim to upload one file of their choice and then download it decrypted. The price asked for the decryption software varies, but it is usually from $500 to $2000.
A computer desktop wallpaper, replaced by a variant of Cerber ransomware

In this article we will not discuss how to acquire a decryptor from the criminals. We assume that you have already read all the information that the Cerber ransomware has left on your PC and have come here to learn about alternative methods for restoring your files.
We are not to be held responsible for any file loss (or failed recovery process) when using information on this site. Note that any activity on the infected computer (including removal of the malware) may reduce the chance of successfully restoring files.
In the end, make a decision depending on what you have learnt and the importance of the encrypted files.

Cerber Decryptor

Trend Micro Ransomware File Decryptor

To decrypt files with the .cerber extension, try the Ransomware File Decryptor from Trend Micro. Trend Micro is an IT security company focusing on the development of security solutions. As there are many variants of this virus, download the latest version of the tool to check whether it can recover your files. Currently, only the first variant of Cerber ransomware (extension “.cerber”) can be decrypted with this tool.
When launched, the File Decryptor tool needs to find the first file that was encrypted. That is why it must run on the infected computer itself. You will find a download link below, in the section 'Cerber ransomware decryption methods'.

Cerber Ransomware Removal

To remove Cerber from your PC, you have to kill all malware processes and delete the corresponding files. Also you must delete registry entries that are linked to those processes. If any infected files are left on the system, the ransomware can reinstall itself the next time the PC boots up. Usually executable files of viruses have random file names and multiple registry entries. This makes a manual removal process very difficult and time-consuming. We advise you to use an automated virus removal tool that will not just remove the infection, but will also protect your computer from future cyber threats. Malware Security Suite is one of the best available malware removers that detects Cerber. You can scan your computer before purchasing the software to make sure that it finds malware on your PC.


Disclaimer: Automatic removal software is recommended for scanning and cleaning your computer from all types of malware (including ransomware). Anti-malware may remove all entries related to Cerber ransomware. Scan with the malware remover after you have finished restoring your files.

Cerber ransomware decryption methods:

  1. Restore files from backup.
  2. Restore encrypted files from Shadow Copies.
  3. Restore your files (with System Restore).
  4. Decrypt with Ransomware Decryptor.

1. Restore files from backup

If you have backups, this is the easiest and quickest way to restore your files. Use this method if you cannot recover newer versions of files from shadow copies (see method 2).

2. Use shadow copies to restore files to previous versions

If automated backups (Volume Shadow Copy) are configured, you can use them to restore Cerber-encrypted files to previous versions. The method differs slightly depending on the operating system.
In Windows 7 you can find shadow copies quite easily. Just right-click on the folder and select 'Properties'. Then click the 'Previous Versions' tab. Select the desired version, click 'Restore' and you are done.
If you are a Windows 8 user, we recommend using a free utility that helps access shadow copies (ShadowExplorer), as Microsoft has partly removed this feature (has made it less accessible).
In Windows 10, although the 'Previous Versions' tab has been restored, it depends on the File History feature.
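
On any of these Windows versions, existing shadow copies can also be listed and read from an elevated PowerShell prompt. The script below is an added example, not part of the original article; the infection date, folder path and destination drive are assumptions to replace with your own values.

```powershell
#Requires -RunAsAdministrator
# Added example: copy a folder out of the newest shadow copy taken before the infection.
# Assumed values (not from the article): infection date, folder, destination drive.
param(
    [datetime]$InfectedOn  = '2017-02-20',
    [string]$Drive         = 'C:',
    [string]$Folder        = 'Users\Alice\Documents',  # hypothetical, relative to the drive root
    [string]$Destination   = 'E:\Recovered'            # a separate, clean disk
)

# Map the drive letter to the volume GUID path that Win32_ShadowCopy reports.
$volume = Get-CimInstance Win32_Volume -Filter "DriveLetter = '$Drive'"
if (-not $volume) { throw "Volume $Drive not found." }

$snapshots = Get-CimInstance Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volume.DeviceID } |
    Sort-Object InstallDate

if (-not $snapshots) {
    Write-Warning "No shadow copies exist for $Drive; use another recovery method."
    return
}
$snapshots | Format-Table ID, InstallDate, DeviceObject -AutoSize

# Pick the most recent snapshot that predates the infection.
$snapshot = $snapshots |
    Where-Object { $_.InstallDate -lt $InfectedOn } |
    Select-Object -Last 1
if (-not $snapshot) {
    Write-Warning "Every shadow copy is newer than $InfectedOn; its files may already be encrypted."
    return
}

# Expose the snapshot through a directory symlink (the trailing backslash is required).
$link = Join-Path $env:SystemDrive 'ShadowMount'
cmd /c mklink /d "$link" "$($snapshot.DeviceObject)\" | Out-Null

try {
    # Copy to a different disk so nothing on the infected volume is overwritten.
    robocopy (Join-Path $link $Folder) $Destination /E /COPY:DAT /R:0 /W:0 /NP
}
finally {
    cmd /c rmdir "$link"   # removes only the link, not the snapshot
}
```

Copying to a separate disk keeps the infected volume unchanged, so a failed attempt does not reduce the chance of recovering the files by another method.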

3. Restore the system (and its files) to a previous clean state

You can restore the whole system to a previous clean state (a date before the infection). Read these articles from Microsoft for detailed instructions:

4. Decrypt files with Cerber Decryptor

If your computer is infected with the first Cerber version (the file extension is “.cerber”), you have a good chance of restoring your files.

Trend Micro Ransomware File Decryptor
  1. Download the latest Decryptor (file uploaded on January 22, 2016 at 01:00 GMT; MD5: e86d35a27e97cc5be846c2f474d5d805).
  2. Unzip and run RansomwareFileDecryptor.exe.
  3. After accepting the License Agreement, you will be ready to use Anti-Ransomware tool.
  4. Select the ransomware name: Cerber.
  5. Select the encrypted file or folder.
  6. Click 'OK' to start decrypting.

Note that the decryption process will take about 4 hours to complete. Do not turn off your computer while the tool is running. Keep in mind that the more cores the CPU has, the stronger the Cerber encryption is, so your chances of restoring files are reduced.

After you have finished restoring your files, remove the Cerber ransomware with a malware removal suite. If you do not remove the virus, your documents can be encrypted again the next time you boot your computer.