What is Cerber?

One of the most active kinds of ransomware out there, Cerber encrypts the files of infected users and demands money in exchange for giving access to their files back. It works even if you are not connected to the internet, so you can’t stop it by unplugging your PC.

Typically, the victim receives an email with an infected Microsoft Office document attached. Once opened, the malware encrypts files with RC4 and RSA algorithms and renames them with a .cerber extension (if infected with one of the earlier variants of the malware) or a random file extension in the latest versions.

Who is Cerber ransomware targeting?

Everyone and anyone — except users in certain countries. If the malware detects your computer is from Armenia, Azerbaijan, Belarus, Georgia, Kyrgyzstan, Kazakhstan, Moldova, Russia, Turkmenistan, Tajikistan, Ukraine or Uzbekistan, it will deactivate itself — at least for now. Don’t assume you’re safe if you’re based in any of these countries. Things can change, and they often do.

Where does Cerber come from?

From Russia, maybe. It certainly thrives in Russian forums in the depths of the dark web, where it can be bought and deployed for around a 40 percent cut of the ransom profits, payable to the developers. Also, the fact that it refuses to attack former Soviet countries is a bit hmmm.

How to recognize Cerber ransomware

Your first clue that your PC has been infected with Cerber will come after you log in, because your desktop wallpaper will have been changed to display a desktop note.

You will also see three ransom notes left on your desktop and inside any folder that the malware has encrypted. These notes contain instructions on how to send the ransom payment to the attackers — an amount that appears to increase with time. Depending on the bitcoin exchange rate, this ransom payment ranges from several hundred to over a thousand US dollars.

Also, it speaks. One of the ransom notes Cerber leaves behind is a .vbs file that makes your PC play a computerized voice message repeating that your files have been encrypted.
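
The signs described above can be checked for across a folder tree. The following Python script is an added example, not Avast's code or part of the original article: it flags folders containing .cerber files, clusters of files sharing one unfamiliar extension, and sets of three same-named files that include a .vbs. The extension allowlist, the cluster threshold, the idea that the three notes share a base name, and all sample file names are assumptions constructed for illustration.

```python
import os
import tempfile
from collections import Counter, defaultdict

# Assumptions: extensions treated as ordinary, and the cluster size that is flagged.
KNOWN_EXT = {".txt", ".html", ".vbs", ".docx", ".xlsx", ".pdf", ".jpg", ".png"}
MIN_CLUSTER = 3

def triage(root):
    """Return {folder: [reasons]} for folders showing the signs described above."""
    findings = defaultdict(list)
    for folder, _dirs, files in os.walk(root):
        exts, stems = Counter(), defaultdict(set)
        for name in files:
            stem, ext = os.path.splitext(name)
            exts[ext.lower()] += 1
            stems[stem].add(ext.lower())
        # Earlier variants: encrypted files carry a .cerber extension.
        n = exts[".cerber"]
        if n:
            findings[folder].append(f"{n} file(s) with .cerber extension")
        # Later variants: random extension, so look for a cluster of one unknown one.
        for ext, count in exts.items():
            if ext and ext != ".cerber" and ext not in KNOWN_EXT and count >= MIN_CLUSTER:
                findings[folder].append(f"{count} files share unknown extension {ext}")
        # Three notes per folder, one a .vbs (shared base name is an assumption).
        for stem, note_exts in stems.items():
            if ".vbs" in note_exts and len(note_exts) >= 3:
                findings[folder].append(f"possible note set '{stem}' {sorted(note_exts)}")
    return dict(findings)

def demo():
    """Build a constructed sample tree in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as root:
        layout = {  # constructed file names, not real indicators
            "early": ["a.cerber", "b.cerber", "NOTE.txt", "NOTE.html", "NOTE.vbs"],
            "late": ["x.b3f1", "y.b3f1", "z.b3f1"],
            "clean": ["report.docx", "photo.jpg", "login.vbs"],
        }
        for sub, names in layout.items():
            os.makedirs(os.path.join(root, sub))
            for name in names:
                open(os.path.join(root, sub, name), "w").close()
        return {os.path.basename(k): v for k, v in triage(root).items()}

if __name__ == "__main__":
    print(demo())
```

A hit is a prompt to investigate, not proof of infection: legitimate software can also produce clusters of files with an unfamiliar extension.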

How to remove Cerber ransomware

Avast antivirus technology detects and removes Cerber ransomware, as well as other kinds of malware. If your PC is infected with Cerber ransomware, our antivirus will detect it, quarantine it and destroy it. If it detects Cerber is trying to enter your computer, it will block it from getting in.

Unfortunately, there is no Cerber decryptor that works to recover files that have already been encrypted. This is why prevention is essential.

How to prevent Cerber ransomware

Cerber’s encryption is unbreakable, so once your files are encrypted, there is nothing you can do to get them back. Even submitting to the attackers’ criminal demands for payment would not guarantee that your files will be decrypted, as there is nothing preventing them from just taking your money and running. Your best bet, therefore, is to stop Cerber from getting into your PC in the first place.

Having an up-to-date antivirus installed on your PC is your first line of defense. Good online safety practices can go a long way in keeping you and your data secure — such as never opening suspicious email attachments, even if you know and trust the sender. If it looks or feels off, don’t risk it.

Use anti-malware to protect yourself

Cerber is just one of the many strains of ransomware out there, and ransomware itself is only one of many kinds of malware that can harm your PC, your data and your security online. If you are looking for a thorough and comprehensive malware removal and prevention tool, Avast has got you covered — from the essential protection of our Free Antivirus, to the advanced security and performance features of Avast Premier.

Why Avast?
  • Consistently rated “excellent” by industry experts
  • Trusted by 400 million people worldwide
  • It’s the “Antivirus with the lowest impact on PC performance” (AV-Comparatives)
  • Best features - unbreakable password security, home network protection, browser cleaning and much more
  • All for FREE