A new strain of the Cerber family has been spotted, we have received reports of a new red cerber 2017 ransomware iteration. Read our removal guide to protect yourself and learn how to remove active infections from your computer. We present an in-depth description of the virus and how it infects its target hosts.
About The Updated Cerber 2017 Ransomware
We have received reports of a new strain of the Cerber malware family, the latest addition is the Updated Cerber 2017 ransomware.
According to the released reports this is a new development, probably associated with a new hacker group or criminal developer.
Thanks to its codebase we are able to make a comparison with previous strains and provide you with the necessary information about the virus as well as an easy way to remove it.
Upon infection with the payload dropper the virus engages in a series of infection steps.
It downloads various files which pose as ordinary system data and modifies key settings of the Windows operating system. New processes are created to prepare a persistent environment so that the encryption module can begin.
The Updated Cerber 2017 Ransomware engages the wscript.exe system process to modify important data located in the %Microsoft% og %System32% folders. They include – rsaenh.dll, WScript.exe, WScript.exe.mui, sortdefault.nls, wshom.ocx, stdole2.tlb, KERNELBASE.dll.mui, msxml3.dll.
This iteration of Cerber does not delete the shadow volume copies. This means that file recovery is possible.
The ransomware note has been preserved from previous strains:
YOUR DOCUMENTS, PHOTOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED1
The only way to decrypt your files is to receive
the private key and decryption program.
To receive the private key and decryption program
go to any decrypted folder – inside there is the special file (*README*)
with complete instructions how to decrypt your files.
If you cannot find any (*README*) file at your PC,
follow the instructions below:
1. Download “Tor Browser” from https://www.torproject.org/ and install it.
2. In the “Tor Browser” open your personal page:
Note! This page is available via “Tor browser” only.
All compromised files receive a Four-character randomly generated string extension.
How Does The Updated Cerber 2017 Ransomware Infect Computers
The new Updated Red Cerber 2017 ransomware is distributed via the usual methods. The widely used Nemucod payload dropper is the preferred method of infection.
In many of the analyzed examles the virus is held in an archived file that is packed inside a rar or zip file. The password to unlock the file and release the virus is placed in the body of the messages. The hackers use various social engineering tactics to conduct these types of “phishing” attacks.
Other ways to get infected with the Updated Cerber 2017 Ransomware is through downloading various files via BitTorrent trackers and malicious or hacked download sites.
How To Remove The Updated Cerber 2017 Ransomware and Recover Affected Files
You can use a trusted anti-spyware solution to remove active infections and protect your computer .
Restoring encrypted files Using Data Recovery tools. This method is suggested by multiple experts in the field. It can be used to scan your hard drive’s sectors and hence scramble the encrypted files anew as if they were deleted. Most ransomware viruses usually delete a file and create an encrypted copy to prevent such programs for restoring the files, but not all are this sophisticated. So you may have a chance of restoring some of your files with this method. Here are several data recovery programs which you can try and restore at least some of your files: