What is Cerber

Cerber is ransomware virus that uses AES encryption to encrypt user files. Usually it affects documents, photos, images, music, games and other types of personal data. Cerber adds .cerber extension to all encrypted files. Targeting personal information helps them to demand ransom ($500) for decryption. As there are no 100% working free decryption tools available many users pay the ransom to restore their files. After 7 days amount of ransom doubles. Cerber ransomware creates 3 files (#DECRYPT MY FILES#.txt, #DECRYPT MY FILES#.html, #DECRYPT MY FILES#.vbs) that contain instructions and link to online “Cerber Decryptor”. In this article we will explain how to remove Cerber virus and decrypt .cerber files.

cerber virus

How Cerber infected your PC

Cerber virus developers use spam e-mail attachments for distribution. Usually short message offers to download archive with some document. This document contains built-in macros, that runs in the background when user opens the document. This macros downloads executable file of the virus and runs it. Since that moment Cerber starts encrypting your files. Antivirus may not catch this threat and we recommend you to use HitmanPro with Cryptoguard. This program can detect encryption process and stop it to prevent the loss of your files.

cerber decryptor page

Download Cerber Removal Tool

Download Removal Tool

To remove Cerber completely we recommend you to use SpyHunter 5 from EnigmaSoft Limited. It detects and removes all files, folders and registry keys of Cerber.

Alternative remover

Download Malwarebytes Anti-Malware

As a good free alternative to remove Cerber use Malwarebytes Anti-Malware. It will detect core files and processes of Cerber ransomware and eliminate them to allow you start decryption of your files.

How to remove Cerber manually

It is not recommended to remove Cerber manually, for safer solution use Removal Tools instead.

Cerber files:


Cerber reg keys:

Key: HKCU\Control Panel\Desktop\SCRNSAVE.EXE
Key: HKCU\Software\Microsoft\Command Processor\AutoRun
Value: %AppData%\{2ED2A2FE-872C-D4A0-17AC-E301404F1CBA}\{randomname}.exe
key: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Value: %AppData%\{2ED2A2FE-872C-D4A0-17AC-E301404F1CBA}\{randomname}.exe
Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\{randomname}
Value: %AppData%\{2ED2A2FE-872C-D4A0-17AC-E301404F1CBA}\{randomname}.exe
Key: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\{randomname}
Value: %AppData%\{2ED2A2FE-872C-D4A0-17AC-E301404F1CBA}\{randomname}.exe

How to decrypt and restore .cerber files

trendmicro cerber decryptor

Use following tool from Trend Micro called Trend Micro Ransomware File Decryptor, that can decrypt files encrypted by Cerber v. 1. Download it here:

Download TrendMicro Ransowmare File Decryptor

There is no purpose to pay the ransom, because there is no guarantee you will receive the key, but you will put your bank credentials at risk.

If you are infected with Cerber ransomware and removed it from your computer you can try to decrypt your files. Antivirus vendors and individuals create free decryptors for some crypto-lockers. However, there is currently no automatic decryption tool for .cerber files. To attempt to remove them you can do the following:

Using Windows Previous Versions option:

  1. Right-click on infected file and choose Properties.
  2. Select Previous Versions tab.
  3. Choose particular version of the file and click Copy.
  4. To restore the selected file and replace the existing one, click on the Restore button.
  5. In case there is no items in the list choose alternative method.

Using Shadow Explorer:

  1. Download Shadow Explorer program.
  2. Run it and you will see screen listing of all the drives and the dates that shadow copy was created.
  3. Select the drive and date that you want to restore from.
  4. Right-click on a folder name and select Export.
  5. In case there are no other dates in the list, choose alternative method.

If you are using Dropbox:

  1. Login to the DropBox website and go to the folder that contains encrypted files.
  2. Right-click on the encrypted file and select Previous Versions.
  3. Select the version of the file you wish to restore and click on the Restore button.

How to protect computer from viruses like Cerber in future

Use Malwarebytes Anti-Ransomware Beta

Famous anti-malware vendor Malwarebytes along with EasySync Solutions created tool that will help you with active anti-ransomware protection as additional shield to your current protection.

Download Malwarebytes Anti-Ransomware Beta

Use HitmanPro.Alert with CryptoGuard

Dutch vendor of legendary cloud-based scanner HitmanPro – Surfright released active antivirus solution HitmanPro.Alert with CryptoGuard feature that effectively protects from latest versions of cryptoviruses.

Download HitmanPro.Alert with CryptoGuard