How to remove (uninstall) Cerber4

Cerber has been one of the most dangerous ransomware families for almost a year. The first version of Cerber was created at the beginning of 2016, and since then it has infected thousands of computers and earned its creators hundreds of thousands of dollars. The hackers were not worried about the malware fighters who were trying to break the virus code, and who finally succeeded. Cerber 1 was the first and the last version of this ransomware to be beaten. All other versions were updated before IT specialists managed to crack them. We have already seen three versions of Cerber, and here comes the fourth one.

Cerber 4

To an average user it looks no different from the older versions, but its structure was changed in a way that prevents malware fighters from reusing their experience with Cerber 3. The ransomware penetrates the user's system, copies the files, encrypts the copies and deletes the original files. This takes some time, depending on the number of files stored on the user's hard drive. When the encryption process comes to an end, the user receives a ransom note with random text. Here is an example of such a message:

“CERBER RANSOMWARE

Instructions

Can’t you find the necessary files?

Is the content of your files not readable?

It is normal because the file’s names and data in your files have been encrypted by “Cerber Ransomware”:

It means your files are NOT damaged! Your files are modified only. This modification is reversible.

From now it is not possible to use your files until they will be decrypted. The only way to decrypt your files safely is to buy the special decryption software “Cerber Decryptor”.

Any attempts to restore your files with the third-party software will be fatal for your files!”

Usually ransomware appends a specific extension to the encrypted files, and in most cases it just repeats the name of the ransomware, like .locky for Locky or .zepto for Zepto. Cerber's developers did it differently in the new version: it adds an extension whose name consists of four random characters. The ransom note's name is "README.hta". The ransom is 1 BTC and, as always, it doubles if the user does not pay within 5 days. 1 BTC is approximately $600, so this is a serious sum of money. If you have time to wait and you don't need the encrypted files right now, you should just remove Cerber4 from your computer and wait until a proper decryption tool is developed. Or remove Cerber and use your computer in the normal way. Please save a text copy of README.hta to help IT specialists decrypt your files in the future.

Deleting Cerber 4 ransomware is easy; the only difference from deleting an ordinary virus is that it must be performed in Safe mode. Restoring the information, however, is very difficult.

Step 1. Boot into Safe mode

Start -> Msconfig.exe

On the Boot tab, select Safe boot

Step 2. Check Startup folder

Start -> Msconfig.exe -> Disable unknown programs in the Startup tab

Step 3. Check hosts file

Modify the hosts file, which is located in C:\Windows\System32\drivers\etc\.

Open the file with Notepad and delete suspicious strings.

It has to look like this (screenshot "Hosts file. Step 3").
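The manual check in Step 3 can also be scripted. The PowerShell function below is an added example, not part of the original guide or of any removal tool: it lists every active hosts entry other than a loopback "localhost" line so that each one can be reviewed before it is deleted. The function name, the "example" host names and the sample lines are constructed, and the code assumes a clean file holds only comments and "localhost" entries.

```powershell
# Added example: list hosts entries that a default file would not contain.
# Assumption: a clean file has only comments and loopback "localhost" lines.
function Get-SuspiciousHostsEntry {
    param(
        # Folder from Step 3 of the guide; the file itself is named "hosts".
        [string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts",
        # Pass lines directly to check a copy or a sample, not the live file.
        [string[]]$Line
    )
    if (-not $PSBoundParameters.ContainsKey('Line')) {
        $Line = Get-Content -LiteralPath $Path
    }
    $loopback = '127.0.0.1', '::1'
    $number = 0
    foreach ($raw in $Line) {
        $number++
        # Drop the comment part, then split the rest on whitespace.
        $text = ($raw -split '#', 2)[0].Trim()
        if ($text -eq '') { continue }
        $fields  = $text -split '\s+'
        $address = $fields[0]
        $isLocal = $loopback -contains $address
        foreach ($name in @($fields | Select-Object -Skip 1)) {
            if ($isLocal -and $name -eq 'localhost') { continue }   # default entry
            $reason = 'name redirected to a fixed address'
            if ($isLocal -or $address -eq '0.0.0.0') {
                $reason = 'name made unreachable (points at this machine)'
            }
            [pscustomobject]@{
                LineNumber = $number
                Address    = $address
                HostName   = $name
                Reason     = $reason
            }
        }
    }
}

# Constructed sample lines (not taken from a real infection).
$sample = @(
    '# Copyright (c) 1993-2009 Microsoft Corp.',
    '127.0.0.1       localhost',
    '::1             localhost',
    '127.0.0.1       update.av-vendor.example   # constructed entry',
    '203.0.113.10    bank.example'
)
Get-SuspiciousHostsEntry -Line $sample | Format-Table -AutoSize
```

Called without -Line, the function reads the live hosts file at the default path. Entries it reports may be legitimate (for example, added by an administrator), so review them before deleting anything in Notepad.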

Step 4. Scan the system with an antivirus scanner

Why we recommend SpyHunter antimalware as a removal tool

Removes virus fully: all files and even registry keys of malware will be deleted

Protects your system in the future

24/7 free support team

Step 5. Disable Safe mode

Start -> Msconfig.exe -> Disable Safe boot in the Boot tab

If you want to decrypt your files, or you're wondering whether you should do it or not, just read our article "How to decrypt files, corrupted by ransomware".
