Cerber2 Ransomware Virus - How to Remove?

Cerber ransomware

Cerber2 is a ransomware virus which penetrates the user's computer, encrypts the data, and demands a ransom for its decryption. This virus belongs to the category of the most dangerous programs for the average user, and its distribution is a crime under the laws of any country in the world. Its area of activity is the whole world except the countries of the former Soviet Union. If you find this virus on your computer, you need to act quickly and confidently to protect your data and avoid losing a considerable sum of money.

What is Cerber2?

Cerber2 is a new version of the world-renowned virus called Cerber. The first version of the virus infected thousands of computers and brought its creators hundreds of thousands of dollars over its lifetime. However, the hackers left one vulnerability in the code that allowed experts from the American/Japanese company Trend Micro to create a decryption program. The new version has been created with those mistakes taken into account, and the struggle against it will now take much more time.

In all its characteristics and demands Cerber2 is identical to its predecessor. It affects all kinds of files, except software and system folders. Images, text, video and audio as well as PDF files can be encrypted by the virus. The ransom remains at 1.24 BTC (about $700), and after 7 days it increases to 2.48 BTC. The extension of the encrypted files is now .cerber2 instead of .cerber. Cerber2 encrypts files with the AES algorithm, which remains one of the strongest in the world. This allows the hackers to say that the user will not be able to decrypt the data on his own, and they are right. Decryption of the data is possible only after a vulnerability in the virus code is found and experts take advantage of it to recover the keys.

The method of virus penetration also remains unchanged. The hackers use the simplest and most profitable ways: distribution via e-mail, malicious sites and torrent trackers. These methods are not original, and each of them has been used for more than ten years, yet they are still the most effective. After penetration, the virus attaches itself to the computer by embedding itself in the startup folder, and the next time you start your computer the virus begins to encrypt files. Encryption takes from several minutes to several hours (depending on the amount of data on the hard drive). After the encryption the virus displays a message stating that all data is encrypted and prompting the user to pay the ransom to restore the files. The message is placed on the desktop and in each folder that contains encrypted files. If you see this message, your files are already encrypted, and you should take steps to restore them.


How to decrypt the files

File recovery is the priority when your PC is infected by a virus such as Cerber2. There are several ways to restore your files, but only one of these methods is 100% effective: recovery from backups. If your backup is stored on an external drive, and that drive was not connected to the computer at the time of infection, you can restore the files easily. It is enough to completely remove the virus from your computer and copy the stored files back. We do not consider restoration with the help of the hackers, by paying the ransom, because this method cannot be considered reliable. The hackers are stealing from you, it is their job, so it is unlikely that their word can be relied on. Of course, if the encrypted files are very important to you, you can follow the hackers' advice and pay the ransom. However, in that case you run the risk of losing not only the data that is already encrypted, but also the money paid for its recovery. If you do not want to pay the hackers for what belongs to you, we have a few other ways to restore your files.


The first method is passive: the use of a specially designed decryption program. Most often, these programs are created by well-known teams of malware researchers or by anti-virus software vendors. We encourage you to look for a reputable decryption program on sites such as MalwareHunterTeam, Kaspersky Lab and Emsisoft. In fact, this method consists of simply waiting. It will not suit you if you need the files immediately, but if you can wait a few weeks or months until the hackers' site or the virus itself is compromised, this method is ideal for you.

The second method is based on a built-in Windows function: file recovery from shadow copies. Shadow Volume Copies is a Windows service that saves copies of files before they are deleted or changed. There are several programs that make it easier to access the shadow copies of files and let you find the files you need and restore them without any decryption. These programs are called Recuva and ShadowExplorer. Both are made by well-known developers and are completely safe. Details and instructions can be found on the official websites of the programs. Note that many ransomware families delete the shadow copies before encrypting, so check that shadow copies still exist on your system before relying on this method.

How to remove Cerber2

Removing the virus does not change the state of the encrypted files, but it is necessary. As long as the virus is on your PC, every new file that lands on the hard disk will be encrypted immediately. Whether you decide not to pay the ransom or are going to restore the files by one of the methods above, you need to remove the virus and make sure that the computer is thoroughly cleaned before starting the restore process. Removing Cerber2 is not extremely difficult, and if you follow our instructions exactly you will easily cope with it. However, after the removal you should scan the computer for remnants of the virus, so we recommend using an antivirus to remove Cerber2 and to clean your computer afterwards.

Step 1. Boot into Safe mode

Safe mode

Start -> Msconfig.exe

Safe mode. Step 1

On the tab Boot select Safe boot

Safe mode. Step 2

Step 2. Check Startup folder

Start -> Msconfig.exe -> Disable unknown programs in the Startup tab


Step 3. Check hosts file

Check the hosts file, which is located in C:\Windows\System32\drivers\etc\.

Hosts file. Step 1

Open the file with Notepad and delete suspicious strings.

Hosts file. Step 2

It has to look like this:

Hosts file. Step 3

Step 4. Scan the system with an antivirus scanner


Antivirus scanner

Why we recommend SpyHunter antimalware as a removal tool

Removes the virus fully: all files and even registry keys of the malware will be deleted

Protects your system in the future

24/7 free support team


Step 5. Disable Safe mode

Start -> Msconfig.exe -> Disable Safe boot in the Boot tab

Deactivate Safe mode
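The checks in Steps 2 and 3 above, together with the shadow-copy check from the recovery section, can be done in one read-only pass before you start the manual cleanup. This is an added example written for this article, not a tool from the original page; it assumes the encrypted-file extension is .cerber2 (as stated above) and uses a placeholder scan root that you can change. Run it in an elevated PowerShell prompt; it changes nothing and only reports what it finds.

```powershell
# Added example (not from the original article): read-only triage that reports
# what the manual removal steps inspect. Assumptions: extension .cerber2 as in
# the text; $ScanRoot is a placeholder (defaults to the current user's profile).
param(
    [string]$ScanRoot = "$env:USERPROFILE"
)

# 1. hosts file: a clean default contains only '#' comment lines and blank lines,
#    so any active entry is worth a second look.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$hostsEntries = Get-Content $hostsPath | Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' }
"[hosts] active (non-comment) entries: $(@($hostsEntries).Count)"
$hostsEntries | ForEach-Object { "    $_" }

# 2. Startup locations: the per-user and machine-wide Run keys plus the two
#    Startup folders (where the article says the virus embeds itself).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        "[startup] $key"
        (Get-ItemProperty $key).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |     # drop provider metadata
            ForEach-Object { "    $($_.Name) = $($_.Value)" }
    }
}
$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($folder in $startupFolders) {
    "[startup] $folder"
    Get-ChildItem $folder -ErrorAction SilentlyContinue | ForEach-Object { "    $($_.Name)" }
}

# 3. Extent of the damage: count encrypted files under the scan root.
$encrypted = Get-ChildItem -Path $ScanRoot -Recurse -File -Filter '*.cerber2' -ErrorAction SilentlyContinue
"[files] $(@($encrypted).Count) .cerber2 files under $ScanRoot"

# 4. Shadow copies: if none are listed, the ShadowExplorer/Recuva route has
#    nothing to recover and you should go straight to your external backup.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue
"[vss] shadow copies present: $(@($shadows).Count)"
$shadows | ForEach-Object { "    $($_.InstallDate) $($_.VolumeName)" }
```

Save the output before you begin removal: it is your record of what was present, and a second run after Step 4 shows whether the startup entries and hosts changes are actually gone.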

How to protect your data

In today's world the Internet has become a very dangerous place, and every user should know the basic rules of safety on the Internet. Even if you only use the Internet for entertainment and communication, your computer can still be used by hackers to make a profit. Alertness is your main weapon against viruses and unwanted programs. Do not visit suspicious sites, do not download unlicensed free content, and do not make purchases on sites that do not have a good reputation. Do not give the passwords to any of your accounts to anyone, including people who say they are from tech support. And finally, do not open e-mail attachments sent by unknown senders. Following these rules does not require serious effort, and it will help you keep your computer clean and your data safe.
