The distributors behind one of the largest ransomware viruses out there – Cerber, are responsible for another iteration related to the ransomware virus, calling itself Cerber Ransomware 5.0.1. This virus has begun attacking and those who have become victims of it are now requested to pay a hefty ransom in order to get their files back. The victims of Cerber ransomware are advised not to pay any ransom and read our article below to learn more, remove and try to restore the files encrypted by this devastating virus.
More About Cerber 5.0.1 Ransomware
Cerber 5.0.1 is very typical when it comes to what it attacks. The ransomware encrypts files which are often used such as videos, audio files, images and other files. But just like the several previous versions of Cerber, this one is more focused on encrypting databases, like MySQL, Oracle as well as Microsoft Access.
And in addition to this, Cerber 5.0.1 also may execute the following command to delete any shadow copies of files to make restoration after encryption even more difficult. It may use the vssadmin command in quiet mode so that the user won’t notice his shadows are deleted:
→Vssadmin delete shadows /for={volume} /oldest /all /shadow={shadowID} /quiet
But this is not all, Cerber also has the ability to attack database processes and stop them if they are running to encrypt the associated databases uninterruptedly.
→taskkill /f /fi “USERNAME eq NT AUTHORITY\SYSTEM” /im {DATABASE PROCESS}
After the virus performs all the preparation necessary to encrypt the data uninterruptedly, it begins to immediately append sophisticated file encryption algorithm to render the files no longer openable. The files may look like the following, so that the user won’t be able to differ them one from another and recognize them:
→98g2322d23.as21
How Does New Cerber 5.0.1 Spread and Infect
In order to cause an infection, Cerbe 5.0.1 has a brand new technology helping with that. It uses the RIG-V exploit kit, a nasty infection which is heavily obfuscated and undetected so far by most antivirus. The “V” in this exploit kit stands for “VIP” version of it. And it really is more privileged, especially when we take into consideration the RC4 encryption being used to obfuscate the payload of the malware.
There are also other new modifications of this exploit kit, such as new URL’s being used to infect and a new landing pages as well. Other new modifications also include an injection script that causes the infection via a compromised website.
This exploit kit may be spread via several different types of web links or files (.hta, .html, .htm). Such web links may be featured in fraudulent e-mails representing legitimate services like:
- Banks.
- PayPal.
- E-Bay.
- Amazon.
The e-mails would contain a message that resembles an urgent notification from the service itself. Most tricked users have so far fallen for e-mails that tell them their accounts are suspended or that there may be suspicious activity on their accounts.
Cerber 5.0.1 – Removal and File Restoration Tips
In case you have been infected by the Cerber Ransowmare version 5.0.1, we urge you not to pay any ransom to the cyber-criminals, because with time the keys may be released for free or malware researchers may come up with free decryption tool. In the mean time you should remove the virus immediately. In case you cannot locate all objects related to Cerber ransomware manually, we advise you to perform the removal automatically using an advanced anti-malware software which will make sure the removal process is effective and swift.
If you want to restore your files, we urge you to try the following alternative tools. They are with no guarantee to work, but in some cases they might.
- Data recovery software.
- Usage of a network sniffer to track communication packers with the purpose to hopefully get the decryption key, Cerber sends to the cyber-criminals after encryption.
- Shadow Explorer usage to try and get shado copies, despite all.
- Using third-party decryptors (not recommended). If you do this, please perform a backup of the encrypted files because they may break indefinitely if tampered with.