
Cerber ransomware



11 replies to this topic

#1 redrob

redrob

    Master

  • Atomican
  • 845 posts
  • Location:way up north

Posted 25 April 2017 - 05:25 PM

Help, mum has this crap on her PC, all her files have been encrypted. Has anyone else had this problem with Windows 10?


some people worry bout the splinter in an others eye and forget about the log in there own

 

Cooler Master Cosmos SE case, Corsair HX 650 W, Corsair H 100i Cooler, ASUS MG279Q 27inch WQHD IPS FreeSync Monitor


#2 Rybags

Rybags

    Immortal

  • Super Hero
  • 35,020 posts

Posted 25 April 2017 - 05:46 PM

Further to what I advised in PM - just getting rid of the ransomware can make the situation worse if it has encrypted some user files.

 

This page gives a good overview of Cerber https://malwaretips....e-cerber-virus/

 

By the look of it, whatever is encrypted can be considered almost as good as lost. But since the files are encrypted to a new file then deleted, performing file recovery operations on the original files can be possible, but it's potentially a long process. The best way to perform recovery would be mounting the affected drive on another computer, then of course be sure not to execute any programs on the affected drive, and perform file recovery to another drive, i.e. don't allow any new file creation on the affected drive.

 

The article mentions a program called "Recuva" - I've got it installed and used it successfully to get back deleted files in the past.


Edited by Rybags, 25 April 2017 - 05:47 PM.


#3 redrob

redrob

    Master

  • Atomican
  • 845 posts
  • Location:way up north

Posted 25 April 2017 - 08:21 PM

Wow, so much for McAfee protecting you, seems a waste of coin. Cheers Rybags.



#4 Master_Scythe

Master_Scythe

    Titan

  • Hero
  • 20,103 posts
  • Location:QLD

Posted 26 April 2017 - 09:38 AM

Wow, so much for McAfee protecting you, seems a waste of coin. Cheers Rybags.

 

1st, a note:

People are cheap: Cheap people like free things: Free things often means pirated: Pirated means viruses: Viruses mean Antiviruses.

People are still cheap: Free Antiviruses are most appealing: Free antiviruses see the most 'viruses', because cheap pirating.

To fix a virus, an antivirus\vendor needs to know about it: Therefore; free antiviruses == the best protection.

aka. Don't pay for an antivirus, use AVAST or AVIRA for free.

The AV-Comparatives tests constantly put them in the top 3, and things like McAfee are (usually) toward the bottom.

ps. Show her how to 'cold backup', or use AOMEI Backup Free, to "Backup on USB insert", so it's automatic if she plugs a USB HDD in each week\month overnight.

 

 

See, the reason McAfee (or ANY antivirus) didn't work is because the methods used aren't actually a 'virus'.

The whole payload, at best description, is a malicious script, attached to a real genuine tool.

 

AVIRA and AVAST will notice it before it unpacks, and warn you about a "Potentially Unwanted Program" but even they don't usually flag it as a 'Virus'.

 

The encryption software used is usually freeware (and legit) or pirated commercial software.

There is just a script to get\send a key to the 'ransom' server, and then get to work.

Encrypting in and of itself isn't the enemy here.

 

I've seen a few of these.

Normally at work, we just pay the cash and the 'hacker' sends the key.

Does the Cerber 'virus' creator respond to his ransom requests? (most do).

 

In future, the best thing to do (for parents) is add a local user policy to block execution of EXEs (scripts, .bat files, macros, and so on) from outside "Program Files".

They should never run into problems unless they want to install a newly downloaded program, in which case, log in as another user, because it's a user level restriction.

Or toggle the policy if you're available for them.

 

Might want to look at Ubuntu (with the default UNITY shell) for the future. If your parents are anything like 'the rest of them' then 90% of the things they do on a computer is in the web browser.

and the last 10% is in an Office tool.

Both of which 'virus proof' Ubuntu will handle for you from a clean install.


Edited by Master_Scythe, 26 April 2017 - 09:45 AM.

Wherever you go in life, watch out for Scythe, the tackling IT support guy.

"I don't care what race you are, not one f*cking bit, if you want to be seen as a good people, you go in there and you f*ck up the people who (unofficially) represent you in a negative light!"

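The "block execution outside Program Files, but let an admin account install things" policy from the post above, written out as an added PowerShell example (not code from the thread or from any product named in it). It uses AppLocker path rules rather than a legacy Software Restriction Policy; the rule names, the temporary file paths and the `probe.exe` copy used for the dry run are placeholders chosen here, and it assumes an elevated PowerShell on a Windows edition that includes AppLocker (the Home editions do not).

```powershell
# Added example, not from the thread or from any product it names. Builds an
# AppLocker policy in which standard users can run executables and scripts only
# from Program Files and Windows, while members of the local Administrators group
# stay unrestricted (so a separate admin account can still install new software).
# Assumptions: elevated PowerShell on an edition that ships AppLocker (the Home
# editions do not); $probe is a throwaway file used only to check what the policy
# would decide for a file in Downloads.

function New-PathRule([string]$Name, [string]$Sid, [string]$Path) {
    # One "Allow" path rule with a fresh GUID, in AppLocker's XML schema.
    $fields = @([guid]::NewGuid().ToString(), $Name, $Sid, $Path)
    ('<FilePathRule Id="{0}" Name="{1}" Description="" UserOrGroupSid="{2}" Action="Allow">' +
     '<Conditions><FilePathCondition Path="{3}" /></Conditions></FilePathRule>') -f $fields
}

function New-RuleSet {
    # S-1-1-0 = Everyone, S-1-5-32-544 = BUILTIN\Administrators.
    # Once a collection holds any rule and EnforcementMode is Enabled, anything not
    # matched by an Allow rule is denied, which gives the "nothing runs from outside
    # Program Files" behaviour described in the post. Called once per collection so
    # each collection gets its own rule GUIDs.
    (New-PathRule 'Allow Program Files'     'S-1-1-0'      '%PROGRAMFILES%\*') +
    (New-PathRule 'Allow Windows folder'    'S-1-1-0'      '%WINDIR%\*') +
    (New-PathRule 'Administrators anything' 'S-1-5-32-544' '*')
}

$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">$(New-RuleSet)</RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="Enabled">$(New-RuleSet)</RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'applocker-home.xml'   # placeholder location
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run before enforcing: ask AppLocker what this policy would decide for a
# file sitting in Downloads versus one under the Windows folder, as a standard user.
$probe = Join-Path $env:USERPROFILE 'Downloads\probe.exe'
Copy-Item "$env:WINDIR\System32\notepad.exe" $probe
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone `
    -Path $probe, "$env:WINDIR\System32\notepad.exe" |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Remove-Item $probe

# Enforce: AppLocker only acts while the Application Identity service is running.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyPath      # add -Merge to keep any existing local rules
Get-AppLockerPolicy -Effective -Xml | Out-File (Join-Path $env:TEMP 'applocker-effective.xml')
```

The dry run should report `Denied` for the Downloads copy and `Allowed` for the one under Windows before anything is switched on. The Script collection covers .ps1, .bat, .cmd, .vbs and .js files; Office macros are not AppLocker's concern and are handled by Office's own macro settings. Because the third rule is keyed to the Administrators group, the post's "log in as another user to install" workflow still works without toggling the policy.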

#5 redrob

redrob

    Master

  • Atomican
  • 845 posts
  • Location:way up north

Posted 27 April 2017 - 07:00 PM

Thanks mate for all your advice. McAfee want to charge her to fix the problem. I have not tried to contact the hacker. The dickhead has only encrypted photos, no bloody use to anyone else unless they have a flower fetish.

ps. Show her how to 'cold backup', or use AOMEI Backup Free, to "Backup on USB insert", so it's automatic if she plugs a USB HDD in each week\month overnight

I will have to google how to do this myself as I have no idea.

 

Yes, I think I'll try Linux maybe for her, then she won't have any problems, will she?


 

Do you have any idea how I can get her photos back and her PC back to normal, please?



#6 Rybags

Rybags

    Immortal

  • Super Hero
  • 35,020 posts

Posted 27 April 2017 - 09:26 PM

Just WTH can McAfee do anyway? If the files have been encrypted and there's no key present to decrypt, and the ransomware undoubtedly uses a unique key per infection, then there is absolutely no recourse.

 

From what I've read, possibly some ransomware can be overcome with utilities but I've got my doubts in this instance.



#7 redrob

redrob

    Master

  • Atomican
  • 845 posts
  • Location:way up north

Posted 27 April 2017 - 09:43 PM

Hmmm, yeah I get it Rybags, thanks for your help. I'll see what the hacker is asking, as I'm not at the house where the PC is; I'll check it out in the next few days. I seem to recall it was Bitcoin. How the hell do you convert Bitcoin?



#8 Rybags

Rybags

    Immortal

  • Super Hero
  • 35,020 posts

Posted 27 April 2017 - 10:24 PM

That earlier article mentioned a price which converted to something around $400. I imagine that's $US, so you may as well assume $500+.

 

You could pay the scum, but that's no guarantee you'll get your data back.



#9 redrob

redrob

    Master

  • Atomican
  • 845 posts
  • Location:way up north

Posted 27 April 2017 - 10:47 PM

Yeah, too true mate, I just read a good article that states about that price. Damn scum. Think it's a fresh install.

Cheers



#10 Rybags

Rybags

    Immortal

  • Super Hero
  • 35,020 posts

Posted 27 April 2017 - 11:24 PM

Really, I can't say go one way or the other. I'm about to go live soon with my new system, although the bulk of my user data is on the 2TB HDD that I'll be moving across, but I think I'll definitely need to look into a better backup strategy than I have now, the current one being that I make a copy of certain files to an external a couple of times a year.



#11 Master_Scythe

Master_Scythe

    Titan

  • Hero
  • 20,103 posts
  • Location:QLD

Posted 28 April 2017 - 09:18 AM

As I said, normally when you pay, they do 'fix it'; otherwise, why hold you at 'ransom'?

They ruin their reputation if they don't come through.

1/1000 paying because "yeah it works" is significantly better than 0 because word gets out "You pay, and they get nothing"

 

Considering it's been left so long, I doubt you'll be able to get them back WITHOUT paying.

Normally, you can 'jump' into "shadow explorer" or something like that and grab an unencrypted Shadow Copy, but that tends to disappear if you shutdown or reboot, or just wait long enough.

 

 

There are a few things you can try.

http://www.trendmicr...s-and-services/

First, is the

"Trend Micro Ransomware File Decryptor tool"

 

There used to be a cerberdecrypt.com, but at the time of writing it's down....

 

You just have to HOPE it's a v1 or v2 encryption, because they were using a standard key algorithm. Aka. they're decryptable.

 

Give the tool a try on one file, and see what happens.

PROBABLY best to do it from safe mode.



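What "jumping into Shadow Explorer and grabbing an unencrypted Shadow Copy" amounts to, done from PowerShell as an added example (not Shadow Explorer's code and not from the thread): enumerate the snapshots that still exist, expose the newest one through a directory link, and copy the Pictures folder out to a separate drive without writing anything to the affected volume. The link path, the profile name and the destination drive are placeholders; it assumes an elevated PowerShell and that the copies have not already been wiped or aged out, which, as the post says, is the usual problem.

```powershell
# Added example, not from the thread. Lists Volume Shadow Copies and copies a
# user's Pictures folder out of the newest one onto a different drive.
# Assumptions: elevated PowerShell; E:\ is a separate, clean drive; the profile
# name 'mum' and the link path are placeholders.

$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy | Sort-Object InstallDate -Descending)
if ($shadows.Count -eq 0) {
    Write-Warning 'No shadow copies are left on this machine; fall back to file-recovery tools.'
    return
}

# One row per snapshot. Pick one whose InstallDate is from BEFORE the files
# were encrypted; the newest is used below only as a starting point.
$shadows | Format-Table ID, InstallDate, VolumeName, DeviceObject -AutoSize
$snapshot = $shadows[0]

# Expose the snapshot as a directory. mklink needs the trailing backslash after
# the device object path (\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN\).
$view = 'C:\shadow_view'                         # placeholder link path
cmd.exe /c mklink /d $view "$($snapshot.DeviceObject)\"

$src = Join-Path $view 'Users\mum\Pictures'      # placeholder profile name
$dst = 'E:\recovered\Pictures'                   # separate drive, never C:
# /E copies subfolders; /R:1 /W:1 stop robocopy stalling on unreadable files.
robocopy $src $dst /E /R:1 /W:1
Write-Host "robocopy exit code $LASTEXITCODE (values below 8 mean no copy failures)"

# Remove only the link; the snapshot itself is left untouched.
cmd.exe /c rmdir $view
```

If the listing shows several snapshots, compare their InstallDate against the modification times on the encrypted files and pick the most recent one that predates them; an older snapshot is still better than none. Nothing here touches the affected volume except reading the snapshot, which keeps the Recuva-style recovery Rybags described earlier in the thread possible afterwards.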

#12 redrob

redrob

    Master

  • Atomican
  • 845 posts
  • Location:way up north

Posted 03 May 2017 - 09:37 PM   Best Answer

All good mate, mum found an SD card with all the pics on, so a fresh install of winblows 10 and she's set for the next one. No pics are worth paying nearly $500 as that wanker wanted. Thanks again for your help everyone.






