Cerber2 Ransomware

What is Cerber2 Ransomware?

It is high time we talk about a new ransomware called Cerber2 Ransomware. It is an updated version of Cerber Ransomware, so it is just as dangerous. We suggest that you remove it from your computer as soon as you can. However, once it has infected your PC and encrypted the files on it is unlikely that you will be able to decrypt them using a third-party decryption tool. You should not pay the ransom the cyber criminals ask you to pay because you might not receive the decryption key. Furthermore, they ask for a large sum of money, and your files may not be worth it. Also, if you do not pay within seven days, then the ransom will increase twofold. There is a lot more to say about this infection, so please continue reading to find out more.

What does Cerber2 Ransomware do?

Cerber2 Ransomware differs very little from its previous version. The only noticeable difference is that this new version appends the file named with the .cerber2 extension as opposed to .cerber. It uses the same AES encryption algorithm to encrypt the files and an RSA encryption to encrypt the decryption key. According to our researchers, this ransomware is capable of encrypting up to 380 file formats, so, rest assured, this application will encrypt most if not all of your personal, valuable files and prevent you from accessing them as a result. It will skip some locations, particularly those that contain files necessary to run the operating system and applications. This ransomware is only after valuable information for which you would be willing to pay an outrageous sum of money. Researchers say that it will demand that you pay 1.24 BTC ($522.) However, if you fail to meet the seven-day deadline, then the ransom will increase twofold to 2.48 BTC ($1044.) This is a reasonable sum of money that may not be worth paying.

When Cerber2 Ransomware infects your computer, it drops its main executable to %AppData%, but it creates a randomly named CLSID folder, and its executable is randomly named as well. This can make the identification process difficult if you opt to remove it manually. Furthermore, it will create five non-malicious files in different locations. Not only that but it will also create five registry keys and one of them is set to launch this ransomware on system start up. Once the encryption process is complete, Cerber2 Ransomware will create files named # DECRYPT MY FILES #.html, # DECRYPT MY FILES #.txt, and # DECRYPT MY FILES #.vbs. These files act as ransom notes and provide instructions on how to purchase Bitcoins and pay the ransom. Unfortunately, at the time of publishing this article, there is no way to decrypt the files for free, but we do not suggest paying the ransom either. You should not allow yourself to be bullied by cyber criminals and, therefore, we advocate for deleting it.

Where does Cerber2 Ransomware come from?

Like its predecessor, Cerber2 Ransomware has been marketed as a Ransomware as a Service (RaaS) which means that its developers grant cyber criminals the right to use it for a price. Then, it is up to the cyber criminals to decide how they will distribute this infection on the web. It is possible that this ransomware is being distributed using email spam or infected websites with exploit kits. However, we have yet to have received concrete evidence regarding its distribution because it is still very new, so all we can do at this point is speculate at this point.

How do I remove Cerber2 Ransomware?

Removing Cerber2 Ransomware requires a bit of effort because you have to delete all of its files to ensure that your PC is safe and secure. Our researchers say that you have to boot up your PC in Safe Mode with Networking to move its files to the Recycle Bin or use an antimalware program such as SpyHunter to eradicate them automatically. Both methods are effective, but the manual option requires some know-how, so take your pick.

Boot up the PC in Safe Mode with Networking

Windows XP

1. Restart the computer.
2. Press and hold the F8 key as your computer restarts.
3. On the Advanced Boot Options screen, use the arrow keys to highlight the Safe Mode with Networking, and then press Enter.

Windows 7 and Vista

1. Click the Start button click the arrow next to the Shut Down button, and then click Restart.
2. Press and hold the F8 key as your computer restarts.
3. On the Advanced Boot Options screen, use the arrow keys to highlight the Safe Mode with Networking, and then press Enter.

Windows 8 and 8.1

1. Hold down Windows+C keys, and then click Settings.
2. Click Power, hold down Shift on your keyboard and click Restart.
3. Select Troubleshoot.
4. Click Advanced options, and select Startup Settings.
5. Click Restart and press 5 on your keyboard to Enable Safe Mode with Networking.

Windows 10

1. Click Start and then click the Power button.
2. Hold down the Shift key and select Restart.
3. In the resulting full-screen menu, select Troubleshoot.
4. Select Advanced options and choose Startup Settings.
5. In the Startup Settings screen, press Restart.
6. When the PC restarts use the arrow keys on your keyboard to select Enable Safe Mode with Networking.

Delete the malicious files

1. Press Windows+E keys.
2. Enter the following file paths in the resulting the File Explorer window.
   • %ALLUSERSPROFILE%\Start Menu\Programs
   • %APPDATA%\Microsoft\Windows\Start Menu\Programs
   • %USERPROFILE%\Microsoft\Windows\Start Menu\Programs
   • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs
   • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs
3. Find and delete randomname.Ink
4. Go to %AppData% and locate the randomly named CLSID folder.
5. Enter it and delete the ransomname.exe
6. Then, press Windows+R keys.
7. Enter regedit in the dialog box and click OK.
8. Go to HKCU\Control Panel\Desktop
9. Find and delete SCRNSAVE.EXE
10. Then, navigate to the following registry keys.
    • HKCU\Software\Microsoft\Command Processor\AutoRun
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
11. Locate the randomly named registry key featuring the Value data {RANDOM CLSID}\randomlynamed.exe
12. Right-click it and click Delete.

Download Removal Tool100% FREE spyware scan and
tested removal of Cerber2 Ransomware*