What is Cerber

Cerber is ransomware virus that uses AES encryption to encrypt user files. Usually it affects documents, photos, images, music, games and other types of personal data. Cerber adds .cerber extension to all encrypted files. Targeting personal information helps them to demand ransom ($500) for decryption. As there are no 100% working free decryption tools available many users pay the ransom to restore their files. After 7 days amount of ransom doubles. Cerber ransomware creates 3 files (#DECRYPT MY FILES#.txt, #DECRYPT MY FILES#.html, #DECRYPT MY FILES#.vbs) that contain instructions and link to online “Cerber Decryptor”. In this article we will explain how to remove Cerber virus and decrypt .cerber files.

cerber virus

How Cerber infected your PC

Cerber virus developers use spam e-mail attachments for distribution. Usually short message offers to download an archive with some document. This document contains built-in macros, that runs in the background when user opens the document. This macros downloads executable file of the virus and runs it. Since that moment Cerber starts encrypting your files. Antivirus may not catch this threat, and we recommend you to use HitmanPro with CryptoGuard. This program can detect encryption process and stop it to prevent the loss of your files.

cerber decryptor page

Download Removal Tool

Download Removal Tool

To remove Cerber Ransomware completely, we recommend you to use SpyHunter 5 from EnigmaSoft Limited. It detects and removes all files, folders, and registry keys of Cerber Ransomware. The trial version of SpyHunter 5 offers virus scan and 1-time removal for FREE.

Alternative Removal Tool

Download Norton Antivirus

To remove Cerber Ransomware completely, we recommend you to use Norton Antivirus from Symantec. It detects and removes all files, folders, and registry keys of Cerber Ransomware and prevents future infections by similar viruses.

How to remove Cerber manually

It is not recommended to remove Cerber manually, for safer solution use Removal Tools instead.

Cerber files:


Cerber reg keys:

Key: HKCU\Control Panel\Desktop\SCRNSAVE.EXE
Key: HKCU\Software\Microsoft\Command Processor\AutoRun
Value: %AppData%\{2ED2A2FE-872C-D4A0-17AC-E301404F1CBA}\{randomname}.exe
key: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Value: %AppData%\{2ED2A2FE-872C-D4A0-17AC-E301404F1CBA}\{randomname}.exe
Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\{randomname}
Value: %AppData%\{2ED2A2FE-872C-D4A0-17AC-E301404F1CBA}\{randomname}.exe
Key: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\{randomname}
Value: %AppData%\{2ED2A2FE-872C-D4A0-17AC-E301404F1CBA}\{randomname}.exe

How to decrypt and restore .cerber files

trendmicro cerber decryptor

Use following tool from Trend Micro called Trend Micro Ransomware File Decryptor, that can decrypt files encrypted by Cerber v. 1. Download it here:

There is no purpose to pay the ransom, because there is no guarantee you will receive the key, but you will put your bank credentials at risk.

If you are infected with Cerber ransomware and removed it from your computer you can try to decrypt your files. Antivirus vendors and individuals create free decryptors for some crypto-lockers. However, there is currently no automatic decryption tool for .cerber files. To attempt to remove them you can do the following:

Using Windows Previous Versions option:

  1. Right-click on infected file and choose Properties.
  2. Select Previous Versions tab.
  3. Choose particular version of the file and click Copy.
  4. To restore the selected file and replace the existing one, click on the Restore button.
  5. In case there are no items in the list choose alternative method.

Using Shadow Explorer:

  1. Download Shadow Explorer program.
  2. Run it, and you will see screen listing of all the drives and the dates that shadow copy was created.
  3. Select the drive and date that you want to restore from.
  4. Right-click on a folder name and select Export.
  5. In case there are no other dates in the list, choose an alternative method.

If you are using Dropbox:

  1. Login to the Dropbox website and go to the folder that contains encrypted files.
  2. Right-click on the encrypted file and select Previous Versions.
  3. Select the version of the file you wish to restore and click on the Restore button.

How to protect computer from viruses like Cerber in future

Use Malwarebytes Anti-Ransomware Beta

Famous anti-malware vendor Malwarebytes along with EasySync Solutions created tool that will help you with active anti-ransomware protection as additional shield to your current protection.


Use HitmanPro.Alert with CryptoGuard

Dutch vendor of legendary cloud-based scanner HitmanPro – Surfright released active antivirus solution HitmanPro.Alert with CryptoGuard feature that effectively protects from latest versions of cryptoviruses.

Download AdGuard
Previous articleHow to remove TeslaCrypt and decrypt .ecc files
Next articleHow to remove Us.4yendex.com
James Kramer
Hello, I'm James. My website Bugsfighter.com, a culmination of a decade's journey in the realms of computer troubleshooting, software testing, and development. My mission here is to offer you comprehensive, yet user-friendly guides across a spectrum of topics in this niche. Should you encounter any challenges with the software or the methodologies I endorse, please know that I am readily accessible for assistance. For any inquiries or further communication, feel free to reach out through the 'Contacts' page. Your journey towards seamless computing starts here