
harsh • 8 years ago

Hi, my system is also affected with the Cerber virus... all my files have been encrypted... if anyone can help me, please advise...

Ross Bruton • 7 years ago

Once infected, do they have access to my files? Can they share and distribute online?

Hasherezade • 7 years ago

No, they don't upload attacked files to their server, so don't worry about it. They are not capable of doxing you.

Clinton Hemphill • 7 years ago

Just had a customer infected with this. Locked all My Documents and the PST file too. Will doing a Windows restore to an earlier date undo these changes?

Joe • 7 years ago

Nope, you would need to restore from a backup... or a shadow copy...

My1 • 8 years ago

Does the UAC exploit still work with UAC on max (no whitelist for auto-elevation)?

Paul • 8 years ago

Can you stop this version by changing your "Location" to Belarus? I know it sounds simplistic, but I thought I would ask.

James Hall • 8 years ago

You could use a proxy-server from Belarus to fake that you're in Belarus, but that won't help if your files are already encrypted.

Matt Little • 8 years ago

I think that it uses your IP address to determine your location, so you'd need an ISP in Belarus.

lion • 7 years ago

Hm, it means that if you are offline, its list of whitelisted countries has no use, because it can't know where you're from?

Klownicle • 8 years ago

FYI, this does not delete shadow copies, or failed to delete shadow copies on the machine I was working on. Appeared as chkdsk.exe as well. All files encrypted with .cerber; unknown if it goes after network drives. None were present on the infected machine.

ME_EKANES_NEYRA • 7 years ago

I got hit by this crap today, I live in Greece. Tried to give shadowexplorer a try, but apparently it has compatibility issues with Windows 8 and the page appears blank, can't use it. Would you happen to know other open source or free programs similar to shadowexplorer, so I can give them a try? Thanks.

Richard Lim • 8 years ago

Slightly off topic: What is the best 'automated solution' to surviving another ransomware attack in future? I am looking for a networked back-up solution where the network drive is accessible to a particular (incremental) back-up program but not accessible to the normal PC itself (to prevent the ransomware from running amok on the network drive). Is there such a solution?

Ardi Manik • 8 years ago

Use Linux.

Richard Lim • 8 years ago

Sorry - not an option for my Windows customer.

Matt Little • 8 years ago

https://en.wikipedia.org/wi...

It doesn't make you immune to cryptoware.

Sam Sutterfield • 7 years ago

Use an image-level backup solution: Windows Server Backup, Acronis, or a full BDR solution.

Richard Lim • 7 years ago

That's a poor solution that is not suitable for a non-technical user. First, they seldom take the time to do an image often enough (we used to do 6-12 monthly already). Second, we are talking less than 1 week ~ 1 month exposure; incremental or file backup is better, as the back-up has to enable incremental roll-back.

mallikarjun • 7 years ago

From where can I download the mentioned sample?

Please suggest.
Thanks in advance.

Zooterpust • 7 years ago

So I'm reading this because I just got Cerber ransomware on a computer. I clicked on a group email that claimed to have a decrypted file attached. No subject line. Decrypted files are routine for me, so I thought nothing of it. It's a government email address, and I know the government servers were hacked some months ago. Fortunately, I was using a personal laptop when I retrieved that email, and there is nothing crucial on it.

My question is, will Malwarebytes completely remove it? Would it be safer just to wipe the hard disk clean and reinstall the OS and program files from scratch?

Oh, and I had Windows' own antivirus installed on that computer. Shouldn't an antivirus software stop something like this from installing even if you click on it?

Justin Goldberg • 7 years ago

Ransomware usually deletes itself. You're fine with MBAM. I've never encountered an infected machine that doesn't delete itself. It will leave traces behind, but not the dangerous encryptor.

Justin Goldberg • 7 years ago

Ransomware usually deletes itself. You're fine with MBAM. I've never heard of one that does not.

jordan tan • 7 years ago

I'm in need of any ransomware sample to conduct analysis for my assignment. Any help would be greatly appreciated!...

Justin Goldberg • 7 years ago

tsandco • 7 years ago

Victims need to sue Microsoft for this.

It would seem reasonable for Microsoft to prevent encryption in their operating systems?

Also, can ransomware encrypt files that I previously encrypted? Meaning, can we all encrypt to safe-keep files?

Duke • 7 years ago

Great description.

I got this opening a word doc. Silly me. I've got all the macro protection turned off as I use macros inside word docs fairly often. It came in a personalized email. Apparently, some people have a lot of time to send this crap out.

Fixed it myself. Booted to safe mode and hunted down the exe and bat files and the registry entry. Seems dead enough. But what are all these files?! At least I use back-ups and cloud services often enough.

ColacX • 7 years ago

So, anyone know if there is a way to find the decryption key using an original file and an encrypted file? My brother got this on his computer.

pjotr • 7 years ago

I suggest that the cryptology specialists, especially those working for the military, would provide a program to decrypt Cerber-affected files, as a service to the public.
The government institutions have supercomputers that could be used for this service.
It should not be very difficult for them, as file versions before and after encryption are available and the virus works offline.

Dodutils • 7 years ago

OK, so you prefer to delete all my posts about nomoreransom that may help people infected by ransomware; this is not fair to them... at least you could explain why?

Dodutils • 7 years ago

Hummm.... why did you delete my post about the nomoreransom website?

Dodutils • 7 years ago

To everyone impacted: maybe you could try this website created by Europol & Kaspersky, nomoreransom dot org. You can upload a file, and if they do have some info or a decryption key that fits your encrypted file, they can help.

bhwong • 7 years ago

I notice that cerber seems to zip up the files first before encrypting them. Hope this information is useful to those who are trying to decrypt them!

If you notice any zip or tmp files, you may still be able to recover them! For example, rename Facade(dot)zip~RF1e5d699_1.TMP to Facade(dot)zip and unzip it!

bhwong • 7 years ago

After finishing its job, will it remove itself? Or will it remain in the system waiting to do its job again later when there are new files? How can we ensure that it is gone for good?

Dodutils • 7 years ago

All well-known anti-viruses are able to detect it now, so scan your drive.

dennismk • 7 years ago

Hello Malwarebytes. I've tried to recover my files but I haven't been successful. I was wondering, if I were to transfer the encrypted files that are the most important for me to a new computer or to a USB flash drive and keep them there, will they "spread" and encrypt all other files located on that computer or USB flash drive?
My thinking here is to save the encrypted files so that, in case a decrypting tool comes out in the future, I could use it to restore them. Do you think this is a good idea?

Hasherezade • 7 years ago

Sure, you can keep the encrypted files; they are harmless. Only the executable contains the malware. But anyway, the Cerber executable is deleted once encryption is finalized, so the same sample will not attack you again.

dennismk • 7 years ago

Hasherezade
Would this work?
Thank you in advance.

Steve Harter • 7 years ago

I got hit but don't know how long ago I was infected. The USB backups were the first that were encrypted, but fortunately I have another USB that holds an Acronis backup, and I have not connected it to my uninfected computer.

Can I save files that have not been Encrypted on the infected USB Drive to another USB Drive without moving the virus along with the files I am trying to save?

I read that once infected a USB drive will continue to run the virus even when offline!

So Help Please

I think the procedure i will use is to :

Re-format the hard drive on my infected computer, then use the uninfected USB drive to restore the system and files back to October 2015 from the USB drive that is uninfected?

I'm in a state of shock that my back-ups were the first files corrupted by these insipid MF criminals.

Marko • 7 years ago

I think the only solution is System Restore.

Filochard • 8 years ago

Can someone share this decryptor? We would disassemble it to understand its algorithm, and create a universal decryptor, if possible. How to download without paying?

Dodutils • 8 years ago

The decryptor needs the private key part that has been used to encrypt the data, so the decryptor itself is useless; you also need the private key part of the public key used on the ransomed machine.

Justin Goldberg • 7 years ago

What is the private key file name? I'd like to add this to my McAfee ePO server: allow its creation but don't allow its deletion :-)

Dodutils • 7 years ago

The private key part you don't have, because it is the public key that is spread with the infection; the private key is stored on the ransomware's server.

Nils • 7 years ago

Hi! I've been infected as well with Cerber. The site let me decrypt a small file under 512KB, so I did it. Does it help you if I provide you the encrypted file and the decrypted file? Thank you!

Dodutils • 7 years ago

How do you decrypt the small files? You upload it to the ransomware's website and it returns the unencrypted version?

Nils • 7 years ago

Yes.

Dodutils • 7 years ago

So, no way, because when you upload you access this page (directly or after some new click) through the link they provide, which includes some ID, and with this ID they know server-side what the private key is; and as the size limitation is also server-side, you are screwed.

Now, maybe there is a way/trick you may try.

I don't remember the entire explanation of how Cerber works, but if files are encrypted "as-is" with no added bytes/special header, then you may be able to retrieve >512KB files.

The trick is to split the big file into 512KB chunks, decrypt each chunk, then re-assemble them.

Of course this may be a lengthy manual operation, but you may also be able to automate the whole process if you do it in some script that does:

- split (use any command line file splitter)
- upload encrypted chunks -> retrieve decrypted (using curl for example)
- reassemble file

If there is no time/count limit for your ID server-side, then you may be able to retrieve 100% of your files.

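The split/decrypt/reassemble recipe described in the comment above, as an added example that is not from the commenter, from Malwarebytes or from the original post. The per-file "decryption service" is modelled by a local callable over a constructed repeating-XOR toy cipher (an assumption: Cerber's real scheme is not described on this page, and no network calls are made). Two demos cover the two cases the comment distinguishes: an "as-is" byte-for-byte transform, where chunk-wise decryption and reassembly recover the file, and a scheme with a per-file header, where a single small file still decrypts correctly but the chunking trick silently produces a wrong result. The `sha256` check shows why a known-good hash (or at least a file-format sanity check) is needed before trusting a reassembled file.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Callable, Iterator, Optional

CHUNK_SIZE = 512 * 1024  # the 512 KB per-file limit quoted in the thread

# Constructed toy "cipher": repeating-key XOR. It stands in for the unknown real
# scheme only because it is byte-for-byte and position-aligned, which is exactly
# the property the chunking trick relies on (chunk boundaries must be multiples
# of the 16-byte key period, which 512 KB is).
TOY_KEY = bytes(range(16))
TOY_HEADER = b"HDR-constructed!"  # 16 bytes; models a per-file header


def xor_transform(data: bytes) -> bytes:
    """Encrypt and decrypt (XOR is its own inverse) with the repeating toy key."""
    return bytes(b ^ TOY_KEY[i % len(TOY_KEY)] for i, b in enumerate(data))


def iter_chunks(data: bytes, chunk_size: int = CHUNK_SIZE) -> Iterator[bytes]:
    """Yield consecutive slices of at most chunk_size bytes."""
    for offset in range(0, len(data), chunk_size):
        yield data[offset:offset + chunk_size]


def split_file(src: Path, out_dir: Path, chunk_size: int = CHUNK_SIZE) -> list:
    """Step 1 of the recipe: write src as numbered .partNNNNN files."""
    out_dir.mkdir(parents=True, exist_ok=True)
    parts = []
    for i, chunk in enumerate(iter_chunks(src.read_bytes(), chunk_size)):
        part = out_dir / f"{src.name}.part{i:05d}"
        part.write_bytes(chunk)
        parts.append(part)
    return parts


def reassemble(parts: list, dst: Path) -> Path:
    """Step 3: concatenate the parts in name order back into one file."""
    with dst.open("wb") as fh:
        for part in sorted(parts):
            fh.write(part.read_bytes())
    return dst


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def recover_chunked(ciphertext: bytes, decrypt_chunk: Callable[[bytes], bytes],
                    chunk_size: int = CHUNK_SIZE,
                    expected_sha256: Optional[str] = None):
    """Step 2 in memory: run the per-chunk decryptor over every chunk and join.

    decrypt_chunk is an assumed callable modelling whatever per-file decryption
    the victim has access to (in the thread, a size-limited web service).
    If a hash of the original file is known, the result is verified against it.
    Returns (plaintext, verified).
    """
    plain = b"".join(decrypt_chunk(c) for c in iter_chunks(ciphertext, chunk_size))
    ok = expected_sha256 is None or sha256_hex(plain) == expected_sha256
    return plain, ok


def roundtrip_via_files(data: bytes, chunk_size: int = CHUNK_SIZE) -> bool:
    """Exercise split_file/reassemble on disk in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "victim.bin"
        src.write_bytes(data)
        parts = split_file(src, Path(tmp) / "parts", chunk_size)
        out = reassemble(parts, Path(tmp) / "rebuilt.bin")
        expected_parts = -(-len(data) // chunk_size)  # ceil division
        return out.read_bytes() == data and len(parts) == expected_parts


def demo_as_is(chunk_size: int = CHUNK_SIZE) -> bool:
    """Case the comment hopes for: ciphertext is a plain byte-for-byte transform."""
    original = bytes(i % 251 for i in range(3 * chunk_size + 1000))  # constructed sample
    ciphertext = xor_transform(original)
    _, ok = recover_chunked(ciphertext, xor_transform, chunk_size, sha256_hex(original))
    return ok  # True: every chunk decrypts independently and the join matches


def header_breaks_chunking(chunk_size: int = CHUNK_SIZE) -> bool:
    """Caveat: a per-file header defeats the trick although small files decrypt fine.

    Returns True when the whole-file service works on a small file but the
    chunk-wise recovery of a large file fails verification.
    """
    original = bytes(i % 251 for i in range(3 * chunk_size + 1000))  # constructed sample
    ciphertext = TOY_HEADER + xor_transform(original)

    def service_decrypt(blob: bytes) -> bytes:
        # Models a decryptor that expects a complete file: strip header, then decrypt.
        return xor_transform(blob[len(TOY_HEADER):])

    small_file_ok = service_decrypt(ciphertext[:len(TOY_HEADER) + 100]) == original[:100]
    _, chunked_ok = recover_chunked(ciphertext, service_decrypt, chunk_size,
                                    sha256_hex(original))
    # Each chunk after the first loses 16 real bytes to the header strip, so the
    # reassembled file is short and its hash does not match.
    return small_file_ok and not chunked_ok
```

Run `demo_as_is()` and `header_breaks_chunking()` with the default 512 KB chunk size to see both outcomes; `roundtrip_via_files` is the on-disk equivalent of the "split" and "reassemble" steps, which any command line splitter would also do. The design point is that verification is not optional: without a known hash, the header case would hand back a plausible-looking but corrupt file.
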
Nils • 7 years ago

I can't do that because the site is allowing me to decrypt only one file. :(

Filochard • 8 years ago

We already know all that.

Dodutils • 8 years ago

The decryptor they provide is already a "universal" decryptor (for their own asymmetric encryption system, I mean), but with this decryptor they also provide the private key, so why would you like to reinvent the wheel? Their decryptor is useless without the private key, and this is also part of what they send to you once the ransom has been paid; for this reason you'll never do a "universal" decryptor without this precious key, which is different for each machine (or spread campaign). Or maybe I do not understand what you mean?