We have tracked down yet another version of the notorious Cerber ransomware being released, very similar to the first version of the virus. It uses RSA-512 cipher to encrypt the files on the compromised computer and also renames those files as well as adds a random file extension to them. If you have become a victim of this variant of Cerber ransomware, be advised that you should read this article to familiarize yourself with this version of the ransomware and learn new methods on removing it and restoring some of the data.
More Information about Cerber _README_{RAND}_.hta
Similar to the previous Cerber iteration, this one also changes the wallpaper of the infected computer with one that has the very same cerber message, but written in fromt of a red font:
Cerber ransomware also has the ability to use the same tactics like its previous versions to infect user computers. It may infect on several places online via suspicious web links or suspicious spam e-mails:
- Social Media websites.
- Websites related to torrents.
- Suspicious sites that advertise dubious software.
- Via PUPs (Potentially Unwanted Programs).
- Via spammed e-mail messages advertising seemingly legitimate services.
What Is also new regarding this variant, discovered in the beginning of December, 2016 is that Cerber ransomware uses the Tor network and Google to spread a dangerous script that is injected via a corrupt svchost32.exe process of fake origins. This utilization of the Tor network also helps hide the location of infection and helps preserve the distribution site of Cerber for more time .
What Does Cerber _README_{RAND}.hta Do?
After an infection has been caused, the first activity of Cerber ransomware is to shut down crucial Windows processes and services if they are running, for example bootsect, iconcache, ntuser, thumbs.
After having done this, this iteration of Cerber also attacks several database processes associated with Oracle, SQL and other server databases. The shutting down of those processes, if active, allows Cerber ransomware to cause a massive encryption of whole databases. But this is not as far as Cerber goes when it comes down to file encryption. The ransomware virus also aims to encrypt even more file extensions than its predecessors. The file types associated with this variant of Cerber are reported by researchers to be the following:
After encryption the files can no longer be opened. This is because their key code has 5 blocks of it that are enciphered via the RC4 method and RSA-512 algorithm. This generates a unique key for the files which is sent to the servers of the cyber-criminals behind Cerber use a sophisticated method to conceal the information sent via post traffic. They use port 6482 on TCP and UDP to several IP addresses POST information.
Just like other versions of Cerber ransomware, the names on the encrypted files may be changed to completely random as well as the extensions after encryption.
After the encryption process is complete, Cerber also drops it’s unique _README_{RAND}.hta ransom note allowing the user to see further instructions and a custom URL where the sum of 500$ is requested to be paid In a deadline to get the files back, otherwise the sum doubles.
Remove Cerber _README_{RAND}_.hta Ransomware
To fully delete this iteration of Cerber, it is advisable to proceed with the same caution as any other Cerber virus and remove it with an advanced anti-malware software.
After the removal of Cerber ransomware we also urge you to try some alternative tools for trying to restore your files. They might not work fully but you may restore at least a portion of the data:
- Data recovery software.
- Usage of a network sniffer to track communication packers with the purpose to hopefully get the decryption key, Cerber sends to the cyber-criminals after encryption.
- Shadow Explorer usage to try and get shado copies, despite all.
- Using third-party decryptors (not recommended). If you do this, please perform a backup of the encrypted files because they may break indefinitely if tampered with.