
My pc got hit by Cerber Ransomware. Please help Q.Q

Hi everyone, so about 2 days ago, my PC was attacked by Cerber Ransomware. After running Windows Defender and the Microsoft Malicious Software Removal Tool, I believe I have removed the virus. But my files are still being encrypted. How can I decrypt it? Please help. Thanks for reading.

If you have access inside Windows, download Kaspersky; if not, you can't really do anything, only format :P Correct me if I'm wrong :)

You can't decrypt them. Hopefully you (and you should!) have a backup you can restore the files from.

Also please run Malwarebytes to make sure it's deleted, because they have updated the definitions to find it now.

Spoiler

 

My system specs: Intel Core i5 8600K (5ghz Overclocked) CPU - ASUS Strix Z370-I Motherboard - Zotac GeForce GTX 1060 6GB AMP! Edition GPU 

Corsair H55 Water Cooler - 16GB DDR4 Corsair Vengeance RAM

 

"People who are crazy enough to think they can change the world are the ones who do" - Steve Jobs, 1955-2011.

 

 

1 minute ago, proud greek said:

If you have access inside Windows, download Kaspersky; if not, you can't really do anything, only format :P Correct me if I'm wrong :)

I'm actually running it right now.

Well, you have to pay the ransom.

Once encrypted, there is no way of decryption by a normal desktop computer. Not even the FBI can decrypt the files, only the ones who encrypted them.

Athlon X2 for only 27.31$   Best part lists at different price points   Windows 1.01 running natively on an Eee PC

My rig:

Spoiler

Celeronator (new main rig)

CPU: Intel Celeron (duh) N2840 2.16GHz Dual Core

RAM: 4GB DDR3 1333MHz

HDD: Seagate 500GB

GPU: Intel HD Graphics 3000 Series

Spoiler

Frankenhertz (ex main rig)

CPU: Intel Atom N2600 1.6GHz Dual Core

RAM: 1GB DDR3-800

HDD: HGST 320GB

GPU: Intel Graphics Media Accelerator (GMA) 3600

 

Just now, Djole123 said:

Well, you have to pay the ransom.

Once encrypted, there is no way of decryption by a normal desktop computer. Not even the FBI can decrypt the files, only the ones who encrypted them.

It is not always recommended to pay the ransom because they may not stay true to their word.

It's also not the only option. If he has a backup, he should restore from that.

4 minutes ago, robotprobot said:

You can't decrypt them. Hopefully you (and you should!) have a backup you can restore the files from.

Also please run Malwarebytes to make sure it's deleted, because they have updated the definitions to find it now.

Q.Q Really, I have some important images and videos that I haven't backed up yet. The rest of it, I have a copy of it on my second HDD.

1 minute ago, hoangvan125410 said:

Q.Q Really, I have some important images and videos that I haven't backed up. The rest of it, I have a copy of it on my second HDD.

Was the second HDD plugged in at the time? If so, that may have been encrypted as well.

Do not plug it in until you are certain the virus is gone.

As I said, please still run Malwarebytes and tell us if it finds anything.


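The reply above raises the possibility that a backup drive connected during the infection was encrypted too. The following is an added example, not part of any post in this thread: a read-only check that flags backup files whose header no longer matches their extension and whose content looks random. The signature table, the 7.5 bits-per-byte threshold and all function names are choices made for this example.

```python
import math, os, pathlib, tempfile
from collections import Counter

# (offset, signature) pairs for a few photo/video/document types. Extend as needed.
MAGIC = {
    ".jpg": [(0, b"\xff\xd8\xff")], ".jpeg": [(0, b"\xff\xd8\xff")],
    ".png": [(0, b"\x89PNG\r\n\x1a\n")],
    ".pdf": [(0, b"%PDF-")], ".zip": [(0, b"PK\x03\x04")],
    ".mp4": [(4, b"ftyp")],
}

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 = indistinguishable from random)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(path: str, sample: int = 65536) -> str:
    """Return 'ok', 'looks-encrypted', 'damaged' or 'unchecked' for one file."""
    sigs = MAGIC.get(os.path.splitext(path)[1].lower())
    if sigs is None:
        return "unchecked"                      # no signature known for this type
    with open(path, "rb") as f:
        head = f.read(sample)
    if any(head[off:off + len(sig)] == sig for off, sig in sigs):
        return "ok"
    # Header is wrong for the extension: near-random content suggests encryption.
    return "looks-encrypted" if entropy(head) > 7.5 else "damaged"

def scan(root: str) -> dict:
    """Walk a backup folder read-only and group relative paths by verdict."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            report.setdefault(classify(full), []).append(os.path.relpath(full, root))
    return {k: sorted(v) for k, v in report.items()}

def demo() -> dict:
    """Constructed sample: three tiny stand-in files in a temporary folder."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 64,  # valid JPEG header
            "family.png": bytes(range(256)) * 16,               # uniform bytes, no PNG header
            "notes.txt": b"plain text",                         # type not in MAGIC
        }
        for name, data in samples.items():
            pathlib.Path(root, name).write_bytes(data)
        return scan(root)
```

Run `scan()` on the backup drive from a machine known to be clean. Files whose type is not in the table come back as `unchecked` and need a manual look.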
1 minute ago, robotprobot said:

Was the second HDD plugged in at the time? If so, that may have been encrypted as well.

Do not plug it in until you are certain the virus is gone.

As I said, please still run Malwarebytes and tell us if it finds anything.

No, my second HDD is offsite, I only use it when I need to back up. I usually back up my files like once a month.

1 minute ago, hoangvan125410 said:

No, my second HDD is offsite, I only use it when I need to back up. I usually back up my files like once a month.

Ok, that's good, so you can restore the files in the past month, but you won't be able to get anything new back.

Damn, really, even the FBI can't decrypt the files? I don't think so, they have the best hackers around the world :P

Just now, proud greek said:

Damn, really, even the FBI can't decrypt the files? I don't think so, they have the best hackers around the world :P

Hackers can't just decrypt files. The private key needs to be obtained, either by trying every combination that would take YEARS, or getting it from someone.

1 minute ago, robotprobot said:

Hackers can't just decrypt files. The private key needs to be obtained, either by trying every combination that would take YEARS, or getting it from someone.

Yeah, you are right. Damn, I got hit by this type of virus once. I couldn't even load into Windows, at the login screen I had a message and a link that I should pay to use my Windows again, and the funny part was I formatted my PC a few mins before I got hit by that virus :P

5 minutes ago, robotprobot said:

Ok, that's good, so you can restore the files in the past month, but you won't be able to get anything new back.

Guess I should have a copy of the past image on my Google Drive. Since I only have 16 images, I thought maybe I'll get more and then back up later, and this happened =='

Wait a second, did you try recovering the data by Recuva? If the files have been deleted they can be recovered.

1 hour ago, Djole123 said:

Wait a second, did you try recovering the data by Recuva? If the files have been deleted they can be recovered.

That's unfortunately not how the ransomware works.

Instead of replacing the files, it will encrypt the files already there. They won't be deleted.

5 minutes ago, robotprobot said:

That's unfortunately not how the ransomware works.

Instead of replacing the files, it will encrypt the files already there. They won't be deleted.

Oh well. I did see somewhere that method of bringing back files, I will update the post if I find the link.

Just now, Djole123 said:

Oh well. I did see somewhere that method of bringing back files, I will update the post if I find the link.

I think it depends on the ransomware,

I'm pretty sure this one doesn't replace the files but modifies the original.

4 hours ago, robotprobot said:

Hackers can't just decrypt files. The private key needs to be obtained, either by trying every combination that would take YEARS, or getting it from someone.

The virus must contain the key if paying the ransom can decrypt the files.

                     ¸„»°'´¸„»°'´ Vorticalbox `'°«„¸`'°«„¸
`'°«„¸¸„»°'´¸„»°'´`'°«„¸Scientia Potentia est  ¸„»°'´`'°«„¸`'°«„¸¸„»°'´

2 minutes ago, vorticalbox said:

The virus must contain the key if paying the ransom can decrypt the files.

Normally the key is stored in a remote server until the person pays and then they (hopefully) hand over the key.

4 minutes ago, robotprobot said:

Normally the key is stored in a remote server until the person pays and then they (hopefully) hand over the key.

Ok, so I have been reading up on the virus and it's rather lovely (beauty in destruction), but it turns out it creates a copy when encrypting and then deletes the original, so recovery software should be able to recover the files.

You can also use Windows shadow copy (if you set it up) to restore previous versions of the file.

Just now, vorticalbox said:

Ok, so I have been reading up on the virus and it's rather lovely (beauty in destruction), but it turns out it creates a copy when encrypting and then deletes the original, so recovery software should be able to recover the files.

It does still depend on whether the ransomware has an extra ability to write zeros to the space in the hard drive to make it irrecoverable.

It all really depends on how sophisticated the ransomware is, and this is a really sophisticated one.

I may eventually just put it into a VM and pull it apart looking at the code. :P

Just now, robotprobot said:

It does still depend on whether the ransomware has an extra ability to write zeros to the space in the hard drive to make it irrecoverable.

It all really depends on how sophisticated the ransomware is, and this is a really sophisticated one.

I may eventually just put it into a VM and pull it apart looking at the code. :P

Malwarebytes did a pretty detailed breakdown.

  • 5 months later...

I found an updated article which mentions that Trend Micro has released the File Decryptor tool to unlock encrypted files. Except for the Ransomware Decryptor of Kaspersky or doing a system restore, there could be a little hope.

Dr.Web presents a service for this kind of ransomware, so please try to contact them; maybe you can find a service near your location.
