Cerber2 Ransomware Removal Guide

Threat Level: 9/10
Category: Trojans

Cerber2 Ransomware is the new version of the infamous Cerber Ransomware that was reported quite a while ago. Although this version is new, it is not any different from the original infection, and it works in the exact same manner. Unfortunately, this updated version is still malicious, and it still targets your personal files. If you do not manage to protect yourself from the invasion of this ransomware, it will slither in without your notice, and it will silently encrypt all of the most sensitive files. According to our research, this infection evades certain folders and files that have certain strings in their names, including “windows,” “boot,” “programdata,” and “users.” This way, the infection evades encrypting system files, which could lead to crashes and other problems. After all, the developer of the ransomware wants to get your money, not make your PC unusable. Unfortunately, most users realize that they need to remove Cerber2 Ransomware only after it corrupts their files.

Most ransomware creators and distributors employ spam email attacks to spread their products. Cerber2 Ransomware is also spread via the attachments of spam emails, and they are created in a way so as not to alert users. For example, you might receive an email seemingly sent from a well-known airline providing you with an itinerary or a discount voucher. Opening the attachment is what unleashes the ransomware, and it can start performing malicious activity. As mentioned previously, this threat specifically evades certain files and folders. We have also found that this threat aborts its mission if it is executed on a PC located in Armenia, Azerbaijan, Belarus, Georgia, Kyrgyzstan, Kazakhstan, Moldova, Russia, Turkmenistan, Tajikistan, Ukraine, or Uzbekistan. If it is executed on the “right” operating system, it will encrypt personal files and attach the “.cerber2” extension to them. Our research has revealed that this threat uses the RSA encryption method to encrypt the decryption/private key, but it employs the AES encryption method to encrypt your files.

Once Cerber2 Ransomware locks your files, it introduces you to files that tell you what you need to do to get your files decrypted, but you need to be careful about how you handle the information provided to you via these files. The “# DECRYPT MY FILES #.txt” file presents a message with a link to a page that demands a ransom of 1.24 Bitcoins. At this moment, this sum converts to around 700 USD. Another file called “# DECRYPT MY FILES #.vbs” uses the Windows Narrator to further inform you that your files were encrypted, and “# DECRYPT MY FILES #.html” provides a direct link to a website via which you are expected to make the payment. As mentioned previously, you need to be cautious about the information that is provided to you. If you pay the ransom without thinking things through, you might lose your money, and that is not what you want. According to our researchers, many ransomware victims are scammed as their files remain encrypted even if the payments are successful. Hopefully, you will find an alternative to paying the ransom, because paying it is too risky. In the best case, your files are backed up, and you can remove the threat without any delay.

The biggest obstacle with the removal of Cerber2 Ransomware is the direct link between the infection and the decryption key. Cyber criminals are the only ones who have the decryption key, and you depend on them to provide it to you. Unfortunately, we cannot say whether or not you will be able to decrypt your files if you pay the requested ransom, but if you eliminate the infection, you lose this option. If you have backed up your files to an external drive or using another system, you should delete Cerber2 Ransomware without further delay. Even if you manage to get your files back, you MUST get rid of this ransomware, and you can do that in several ways. Our recommendation is to download anti-malware software that can erase existing malware and guard you against it in the future. Do you wish to proceed with manual removal? If you do, make sure you perform every step with caution. Also, think about protecting your PC because the next careless step, such as opening an email attachment, could lead to the invasion of malware.

Cerber2 Ransomware Removal

  1. Simultaneously tap Win+R to launch RUN.
  2. Type regedit.exe into the dialog box and click OK.
  3. In Registry Editor move to HKCU\Control Panel\Desktop.
  4. Right-click and Delete the value named SCRNSAVE.EXE (value data: %AppData%\{RANDOM CLSID}\*.exe).
  5. Right-click and Delete the value with a random name (value data: %AppData%\{RANDOM CLSID}\*.exe) in these paths:
    • HKCU\Software\Microsoft\Command Processor\AutoRun
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
  6. Simultaneously tap Win+E to launch Explorer.
  7. Right-click and Delete the .LNK files with random names in these directories (enter the provided directory into the Explorer’s address bar to access it):
    • %ALLUSERSPROFILE%\Start Menu\Programs\
    • %APPDATA%\Microsoft\Windows\Start Menu\Programs\
    • %USERPROFILE%\Microsoft\Windows\Start Menu\Programs\
    • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\
    • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\
  8. Enter %AppData% into the address bar.
  9. Right-click and Delete the {RANDOM CLSID} folder containing a malicious .exe file.
  10. Immediately scan your operating system to inspect for leftovers.
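
Before deleting anything by hand, the locations from steps 3-9 can be listed in one pass. The PowerShell below is an added example, not part of the original guide or of any vendor tool; it is read-only and only reports matches. It assumes that "{RANDOM CLSID}" means a brace-wrapped GUID folder directly under %AppData%, and it scans subfolders of the Start Menu directories as well, which is broader than step 7.

```powershell
# Read-only audit of the artifacts named in the removal steps. Nothing is deleted.
# Assumption: "{RANDOM CLSID}" is a brace-wrapped GUID folder directly under %AppData%.
$guid    = '\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}'
$pattern = [regex]::Escape($env:APPDATA) + '\\' + $guid + '\\[^\\"]+\.exe'

# Steps 3-5. AutoRun is a value of the Command Processor key, so the parent key
# is scanned and the data of every value in each key is tested.
$keys = @(
    'HKCU:\Control Panel\Desktop',
    'HKCU:\Software\Microsoft\Command Processor',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$regHits = foreach ($k in $keys) {
    if (-not (Test-Path $k)) { continue }
    $key = Get-Item -Path $k
    foreach ($name in $key.GetValueNames()) {
        $data = [string]$key.GetValue($name)   # REG_EXPAND_SZ data is expanded here
        if ($data -match $pattern) {
            [pscustomobject]@{ Type = 'Registry'; Location = $k; Name = $name; Target = $data }
        }
    }
}

# Step 7. Resolve each shortcut and keep those whose target matches the pattern.
$dirs = @(
    '%ALLUSERSPROFILE%\Start Menu\Programs\',
    '%APPDATA%\Microsoft\Windows\Start Menu\Programs\',
    '%USERPROFILE%\Microsoft\Windows\Start Menu\Programs\',
    '%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\',
    '%ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\'
) | ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) } | Where-Object { Test-Path $_ }
$shell = New-Object -ComObject WScript.Shell
$lnkHits = foreach ($d in $dirs) {
    Get-ChildItem -Path $d -Filter *.lnk -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $target = $shell.CreateShortcut($_.FullName).TargetPath
        if ($target -match $pattern) {
            [pscustomobject]@{ Type = 'Shortcut'; Location = $_.DirectoryName; Name = $_.Name; Target = $target }
        }
    }
}

# Steps 8-9. GUID-named folders under %AppData% that contain an executable.
$dirHits = Get-ChildItem -Path $env:APPDATA -Directory -Force |
    Where-Object { $_.Name -match ('^' + $guid + '$') } |
    ForEach-Object { Get-ChildItem -Path $_.FullName -Filter *.exe -Force -ErrorAction SilentlyContinue } |
    ForEach-Object { [pscustomobject]@{ Type = 'File'; Location = $_.DirectoryName; Name = $_.Name; Target = $_.FullName } }

@($regHits) + @($lnkHits) + @($dirHits) | Format-Table -AutoSize -Wrap
```

Legitimate software can also use GUID-named folders, so review each reported target before removing it.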