Cerber Ransomware: Detect it, Remove it, Prevent it

Cerber Ransomware

It’s an affiliate program for cyber criminals: anyone can buy it and unleash it in exchange for around 40 percent of the profits. It literally speaks to you, and it works offline too. Here’s all you need to know about this most ‘entrepreneurial’ form of ransomware.


What is Cerber?

One of the most active kinds of ransomware out there, Cerber encrypts the files of infected users and demands money in exchange for restoring access to them. It works even if you are not connected to the internet, so you can’t stop it by unplugging your PC.


    Typically, the victim receives an email with an infected Microsoft Office document attached. Once opened, the malware encrypts files with RC4 and RSA algorithms and renames them with a .cerber extension (if infected with one of the earlier variants of the malware) or a random file extension in the latest versions.

    Who is Cerber ransomware targeting?

    Everyone and anyone — except users in certain countries. If the malware detects your computer is from Armenia, Azerbaijan, Belarus, Georgia, Kyrgyzstan, Kazakhstan, Moldova, Russia, Turkmenistan, Tajikistan, Ukraine or Uzbekistan, it will deactivate itself — at least for now. Don’t assume you’re safe if you’re based in any of these countries. Things can change, and they often do.

    Where does Cerber come from?

    From Russia, maybe. It certainly thrives in Russian forums in the depths of the dark web, where it can be bought and deployed for a cut of around 40 percent of the ransom profits, payable to the developers. Also, the fact that it refuses to attack former Soviet countries is a bit hmmm.

    How to recognize Cerber ransomware

    Your first clue that your PC has been infected with Cerber will come after you log in, because your desktop wallpaper will have been changed to display a desktop note.


    You will also see three ransom notes left on your desktop and inside any folder that the malware has encrypted. These notes contain instructions on how to send the ransom payment to the attackers — an amount that appears to increase with time. Depending on the bitcoin exchange rate, this ransom payment ranges from several hundred to over a thousand US dollars.

    Also, it speaks. One of the ransom notes Cerber leaves behind is a .vbs file that makes your PC relay a computerized voice message repeating that your files have been encrypted.
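The signs described above can be checked with a short triage script. This is an added example, not Avast's code or detection logic: it flags files renamed to .cerber (earlier variants only) and file names that recur in several folders alongside a .vbs file, which is how the dropped notes would appear. The `min_dirs` threshold, the function names and every file name in the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile
from collections import defaultdict

def triage(root, min_dirs=3):
    """Return (files renamed to .cerber, suspected ransom-note file names)."""
    renamed = []
    dirs_by_name = defaultdict(set)  # lowercased file name -> folders holding it
    vbs_dirs = set()                 # folders that contain any .vbs file
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if lower.endswith(".cerber"):
                renamed.append(os.path.join(dirpath, name))
                continue
            dirs_by_name[lower].add(dirpath)
            if lower.endswith(".vbs"):
                vbs_dirs.add(dirpath)
    # A note candidate is the same file name dropped in min_dirs or more
    # folders, each of which also holds a .vbs file (the spoken note).
    notes = sorted(name for name, dirs in dirs_by_name.items()
                   if len(dirs) >= min_dirs and dirs <= vbs_dirs)
    return sorted(renamed), notes

def build_sample(root):
    """Create a constructed sample tree; all file names here are made up."""
    for folder in ("docs", "pics", "music"):
        path = os.path.join(root, folder)
        os.makedirs(path)
        for name in (folder + "01.cerber", "desktop.ini", "NOTE_PLACEHOLDER.txt",
                     "NOTE_PLACEHOLDER.html", "NOTE_PLACEHOLDER.vbs"):
            open(os.path.join(path, name), "w").close()
    clean = os.path.join(root, "clean")
    os.makedirs(clean)
    for name in ("desktop.ini", "report.txt"):
        open(os.path.join(clean, name), "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        renamed, notes = triage(tmp)
        print(len(renamed), "renamed files; suspected notes:", notes)
```

Because later versions use a random file extension, the repeated-note check is the part that still applies to them; the .cerber check does not.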

    How to remove Cerber ransomware

    Avast antivirus technology detects and removes Cerber ransomware, as well as other kinds of malware. If your PC is infected with Cerber ransomware, our antivirus will detect it, quarantine it and destroy it. If it detects Cerber is trying to enter your computer, it will block it from getting in.

    Unfortunately, there is no Cerber decryptor that works to recover files that have already been encrypted. This is why prevention is essential.

    How to prevent Cerber ransomware

    Cerber’s encryption is unbreakable, so once your files are encrypted, there is nothing you can do to get them back. Even submitting to the attackers’ criminal demands for payment would not guarantee that your files will be decrypted, as there is nothing preventing them from just taking your money and running. Your best bet, therefore, is to stop Cerber from getting into your PC in the first place.

    Having an up-to-date antivirus installed on your PC is your first line of defense. Good online safety practices can go a long way in keeping you and your data secure — such as never opening suspicious email attachments, even if you know and trust the sender. If it looks or feels off, don’t risk it.

