redrob

Cerber ransomware


Help, mum has this crap on her PC. All her files have been encrypted. Has anyone else had this problem with Windows 10?


Further to what I advised in PM - just getting rid of the ransomware can make the situation worse if it has encrypted some user files.

 

This page gives a good overview of Cerber https://malwaretips.com/blogs/remove-cerber-virus/

 

By the look of it, whatever is encrypted can be considered almost as good as lost. But since the files are encrypted to a new file and the original is then deleted, performing file recovery operations on the original files can be possible, but it's potentially a long process. The best way to perform recovery would be mounting the affected drive on another computer, then of course being sure not to execute any programs on the affected drive, and performing file recovery to another drive, i.e. don't allow any new file creation on the affected drive.

 

The article mentions a program called "Recuva" - I've got it installed and used it successfully to get back deleted files in the past.

Edited by Rybags

Wow, so much for McAfee protecting you; seems a waste of coin. Cheers Rybags.


 

First, a note:

People are cheap: Cheap people like free things: Free things often means pirated: Pirated means viruses: Viruses mean antiviruses.

People are still cheap: Free antiviruses are most appealing: Free antiviruses see the most 'viruses', because of cheap pirating.

To fix a virus, an antivirus vendor needs to know about it: Therefore, free antiviruses == the best protection.

aka. Don't pay for an antivirus, use AVAST or AVIRA for free.

The AV-Comparatives tests constantly put them in the top 3, and things like McAfee are (usually) toward the bottom.

PS. Show her how to 'cold backup', or use AOMEI Backup Free to "Backup on USB insert", so it's automatic if she plugs a USB HDD in each week/month overnight.

 

 

See, the reason McAfee (or ANY antivirus) didn't work is because the methods used aren't actually a 'virus'.

The whole payload, at best description, is a malicious script, attached to a real genuine tool.

 

AVIRA and AVAST will notice it before it unpacks, and warn you about a "Potentially Unwanted Program" but even they don't usually flag it as a 'Virus'.

 

The encryption software used is usually freeware (and legit) or pirated commercial software.

There is just a script to get/send a key to the 'ransom' server, and then get to work.

Encrypting in and of itself isn't the enemy here.

 

I've seen a few of these.

Normally at work, we just pay the cash and the 'hacker' sends the key.

Does the Cerber 'virus' creator respond to his ransom requests? (most do).

 

In future, the best thing to do (for parents) is add a local user policy to block execution of EXEs (scripts, BATs, macros, and so on) from outside "Program Files".

They should never run into problems unless they want to install a newly downloaded program, in which case, log in as another user, because it's a user level restriction.

Or toggle the policy if you're available for them.

 

Might want to look at Ubuntu (with the default Unity shell) for the future. If your parents are anything like 'the rest of them', then 90% of the things they do on a computer are in the web browser,

and the last 10% are in an Office tool.

Both of which 'virus proof' Ubuntu will handle for you from a clean install.

Edited by Master_Scythe
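The "block execution outside Program Files" policy described above, as an added example that is not from this thread: a Software Restriction Policy written to the registry, which standard-user accounts get while local administrators stay exempt (so an admin login can still install things). It assumes the SRP "Safer" registry layout and must be run from an elevated PowerShell; on editions that ship secpol.msc you can confirm the result under Software Restriction Policies.

```powershell
# Added example, not from the thread: a Software Restriction Policy (SRP) that
# blocks executables and scripts outside the Windows and Program Files trees.
# Assumes the SRP "Safer" registry layout; run from an elevated PowerShell,
# then log off and on (or reboot) for it to apply.

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0x0       # security level: nothing runs
$Unrestricted = 0x40000   # security level: runs normally

New-Item -Path $base -Force | Out-Null
# Default level Disallowed: anything not matched by an allow rule is blocked.
Set-ItemProperty -Path $base -Name DefaultLevel       -Value $Disallowed -Type DWord
# 1 = enforce on program files but not DLLs (far fewer false blocks than 2).
Set-ItemProperty -Path $base -Name TransparentEnabled -Value 1 -Type DWord
# 1 = exempt local administrators, so an admin account can still install
# software; standard users (mum's everyday account) get the restriction.
Set-ItemProperty -Path $base -Name PolicyScope        -Value 1 -Type DWord
# Extensions SRP treats as executable: scripts, batch files and installers too.
Set-ItemProperty -Path $base -Name ExecutableTypes -Type MultiString -Value @(
    'BAT','CMD','COM','CPL','EXE','HTA','JS','JSE','LNK','MSI','MSP','PIF',
    'PS1','REG','SCR','VB','VBE','VBS','WSC','WSF','WSH')

function Add-SaferPathRule {
    param([string]$Pattern, [int]$Level, [string]$Description)
    # Each rule is a GUID-named subkey under <Level>\Paths; ItemData holds the
    # path pattern (environment variables in it are expanded when checked).
    $guid = [guid]::NewGuid().ToString('B')
    $key  = Join-Path $base ("{0}\Paths\{1}" -f $Level, $guid)
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name ItemData    -Value $Pattern     -Type ExpandString
    Set-ItemProperty -Path $key -Name SaferFlags  -Value 0            -Type DWord
    Set-ItemProperty -Path $key -Name Description -Value $Description -Type String
}

# Allow rules: the OS and properly installed programs keep working.
Add-SaferPathRule '%SystemRoot%'            $Unrestricted 'Windows directory'
Add-SaferPathRule '%ProgramFiles%'          $Unrestricted 'Program Files'
Add-SaferPathRule '%ProgramFiles(x86)%'     $Unrestricted 'Program Files (x86)'
# Explicit block rules for the user-writable places a download lands in, so
# they stay blocked even if someone later adds an overly broad allow rule.
Add-SaferPathRule '%USERPROFILE%\Downloads' $Disallowed   'Downloads'
Add-SaferPathRule '%TEMP%'                  $Disallowed   'User temp'

Write-Host 'SRP written. Log off and back on (or reboot) for it to take effect.'
```

To install a new program afterwards, log in as the administrator account (exempt via PolicyScope) rather than editing the policy each time.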

Thanks mate for all your advice. McAfee want to charge her to fix the problem. I have not tried to contact the hacker. The dickhead has only encrypted photos, no bloody use to anyone else unless they have a flower fetish.

"PS. Show her how to 'cold backup', or use AOMEI Backup Free to "Backup on USB insert", so it's automatic if she plugs a USB HDD in each week/month overnight."

I will have to google how to do this myself as I have no idea.

 

Yes, think I'll try Linux maybe for her, then she won't have any problems, will she.



 

Do you have any idea how I can get her photos back and her PC back to normal please?


Just WTH can McAfee do anyway? If the files have been encrypted and there's no key present to decrypt, and the ransomware undoubtedly uses a unique key per infection, then there is absolutely no recourse.

 

From what I've read, possibly some ransomware can be overcome with utilities but I've got my doubts in this instance.


Hmmm, yeah, I get it Rybags, thanks for your help. I'll see what the hacker is asking; as I'm not at the house where the PC is, I'll check it out in the next few days. I seem to recall it was Bitcoin. How the hell do you convert Bitcoin?


That earlier article mentioned a price which converted to something around $400. I imagine that's $US, so you may as well assume $500+.

 

You could pay the scum, but that's no guarantee you'll get your data back.


Yeah, too true mate. I just read a good article that states about that price. Damn scum. Think it's a fresh install.

Cheers


Really, I can't say go one way or the other. I'm about to go live soon with my new system, although the bulk of my user data is on the 2TB HDD that I'll be moving across, but I think I'll definitely need to look into a better backup strategy than I have now, the current one being that I make a copy of certain files to an external a couple of times a year.


As I said, normally when you pay, they do 'fix it'; otherwise, why hold you to 'ransom'?

They ruin their reputation if they don't come through.

1/1000 paying because "yeah it works" is significantly better than 0 because word gets out "you pay, and they get nothing".

 

Considering it's been left so long, I doubt you'll be able to get them back WITHOUT paying.

Normally, you can 'jump' into "Shadow Explorer" or something like that and grab an unencrypted Shadow Copy, but that tends to disappear if you shut down or reboot, or just wait long enough.

 

 

There are a few things you can try.

http://www.trendmicro.com.au/free-tools-and-services/

First is the "Trend Micro Ransomware File Decryptor tool".

 

There used to be a cerberdecrypt.com, but at the time of writing it's down....

 

You just have to HOPE it's a v1 or v2 encryption, because they were using a standard key algorithm. Aka. they're decryptable.

 

Give the tool a try on one file, and see what happens.

PROBABLY best to do it from safe mode.


All good mate, mum found an SD card with all the pics on, so a fresh install of Winblows 10 and she's set for the next one. No pics are worth paying nearly $500 as that wanker wanted. Thanks again for your help everyone.
