Cerber Ransomware
I have an end user who this morning opened an attachment in an e-mail and now his computer is infected with Cerber ransomware. It was sent via a fax e-mail with an attachment (yesterday was the first time it was released to spread in this fashion). Anyway, I know that anything that has not been backed up onto the network prior to being infected is lost if it is encrypted. Although I have not restarted his computer yet, I was wondering if it is possible for me to search through the logs or something for the key anywhere? I know I'm more than likely just going to have to wipe the computer. But has anyone run into this before?
2 Comments
-
I watched a CEO's computer get nuked in seconds by this and I found no clues left behind on how to reverse it. I saw him click and by the time I said "do not do that" it was too late. - SMal.tmcc 7 years ago
-
Actually... the same guy just got another email. Thankfully he did not open it this time. Brought it to my attention immediately - JZycho 7 years ago
Answers (4)
Posted by:
JamesRoss
7 years ago
I have been working as a security researcher for six years. All I can say is that Cerber is a very sophisticated virus which has been updated several times. After starting with extensions such as .cerber, .cerber2 and .cerber3, it now uses the following format to mark encrypted files: .[random numbers]. Unfortunately, even though this virus was created almost one year ago, there is still no legitimate decrypter launched yet. However, you can try Data Recovery Pro, ShadowExplorer and the Previous Windows Versions feature. All these options have been helping my clients recover at least some part of their files.
Detailed guides on how to use each of these options are explained here: http://www.2-spyware.com/remove-cerber-virus.html
Posted by:
Fastline
7 years ago
Hello! I had problems with Cerber1 ransomware and from my experience I can say that it is almost impossible to instantly decrypt data without paying the hackers for the "genuine" decryption tool.
If you are lucky, tools like ShadowExplorer, Farbar, Recuva can recover some or all data from shadow copies.
I was lucky that the TrendMicro tool (http://esupport.trendmicro.com/solution/en-us/1114221.aspx) was released shortly after my laptop was infected and it was able to decrypt Cerber1 crypt.
Also I'd recommend you check this guide (http://manual-removal.com/cerber-501/), copy all encrypted data to an external drive and wait till an effective decryption tool is released.
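The answers above all point at the same recovery path: inventory what was encrypted, then see whether Volume Shadow Copies survived, because ShadowExplorer and similar tools can only restore from copies that still exist. The script below is an added example for that triage step; it is not code from the thread or from any of the tools named in it. It assumes an elevated PowerShell prompt on the affected machine, uses the extensions named above (.cerber, .cerber2, .cerber3) plus whatever random extension you pass in as a parameter, and the scan root, mount path and report path are placeholders. It only reads, lists and copies; it never deletes anything.

```powershell
# Added example (not from the thread): triage a Cerber-hit Windows machine before it is reimaged.
# Assumptions (mine, not the thread's): run elevated on the infected host; $ScanRoot, $MountPath
# and $Report are placeholders; -ExtraExtension takes the "random" extension seen on this machine.
param(
    [string]$ScanRoot       = 'C:\Users',                         # where the user's documents live (assumption)
    [string]$MountPath      = 'C:\ShadowMount',                   # placeholder directory link for the shadow copy
    [string]$Report         = "$env:TEMP\cerber-inventory.csv",   # placeholder for the inventory file
    [string[]]$ExtraExtension = @()                               # e.g. '1a2b' if files end in .1a2b (assumption)
)

# 1. Inventory files whose extension matches the Cerber naming listed in the answers above,
#    so the damage is documented before the disk is wiped. Extra extensions are regex-escaped.
$names   = @('cerber', 'cerber2', 'cerber3') + $ExtraExtension
$pattern = '\.(' + (($names | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')$'
$hit = @(Get-ChildItem -Path $ScanRoot -Recurse -File -ErrorAction SilentlyContinue |
         Where-Object { $_.Name -match $pattern })
$hit | Select-Object FullName, Length, LastWriteTime |
       Export-Csv -Path $Report -NoTypeInformation
"Encrypted-looking files under ${ScanRoot}: $($hit.Count) (inventory written to $Report)"

# 2. Check whether any Volume Shadow Copies survived. ShadowExplorer reads exactly these
#    copies, so if none are listed there is nothing for it to recover either.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy | Sort-Object InstallDate)
if ($shadows.Count -eq 0) {
    "No shadow copies present: recover from network or offline backups instead."
    return
}
$shadows | Select-Object ID, InstallDate, VolumeName, DeviceObject | Format-Table -AutoSize

# 3. Expose the newest shadow copy as a directory symbolic link so files can be copied out.
#    mklink needs the trailing backslash on the \\?\GLOBALROOT\Device\... path.
$latest = $shadows[-1]
if (-not (Test-Path -Path $MountPath)) {
    cmd /c mklink /d $MountPath "$($latest.DeviceObject)\" | Out-Null
}
"Shadow copy from $($latest.InstallDate) exposed at $MountPath. Copy files out with, for example:"
"  robocopy `"$MountPath\Users`" D:\Recovered /E /COPY:DAT /R:1 /W:1"
```

Run it once before touching the machine; if step 2 prints no shadow copies, the network backups the question mentions are the only remaining source, and the inventory CSV at least tells you which files were lost.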
Posted by:
Pressanykey
7 years ago
Hi,
After a quick search I found a few links; perhaps they can help you out...
Here...
or perhaps here..
Cheers
Phil
Comments:
-
Thanks, I read those articles on Friday when this happened. Unfortunately nothing could be done to save any of the documents that became encrypted. Naturally this end user did not save anything to the network drives so he lost everything as I just finished wiping it this morning. Of course his boss also decided to blame IT for not being able to recover the data.... whatever. - JZycho 7 years ago
Posted by:
Vanesse
7 years ago
Ransomware is not easy to defeat. Cerber developers are pushing the next evolution of ransomware by going after database files. A solid data backup/restoration capability is important, as is quality antimalware to block attacks. If you do not have a complete backup for your system it would be impossible to restore the data. (Learn more about Cerber ransomware: http://guides.uufix.com/how-to-remove-cerber-ransomware-from-your-pc/)
The File Decryptor developed by Trend Micro could be helpful with the problem:
https://success.trendmicro.com/solution/1114221-downloading-and-using-the-trend-micro-ransomware-file-decryptor