How to Remove Cerber 4 Ransomware and Restore the Encrypted Files

Hi, my computer got infected by Cerber 4 ransomware and all my images and important files have got encrypted. I don’t want to pay the ransom as required, but have no idea how to remove the ransomware and recover my files. Can you please let me know if there is any solution to my problem? Any help is much appreciated! Thanks!


Recently, the 4th version of Cerber ransomware has been released; it can kill database server processes and encrypt databases. Security experts from McAfee warn that the cyber criminals behind Cerber ransomware have begun to target businesses as well as individuals, encrypting their databases in an effort to earn more from their attacks.

Note: You should not follow the instructions given in the ransom note to buy the “Cerber Decryptor” unless there are special circumstances, for example, you must restore the data files instantly or you will lose more than the cost of the ransom. Under normal circumstances, we suggest that you first follow our guide to completely get rid of Cerber 4 ransomware from your PC and then look for an effective way to restore the encrypted files.




Review of Cerber Ransomware

Cerber is a relatively new ransomware that first appeared in March 2016, but it has already become one of the top 3 ransomware threats (the other two are Locky and CryptXXX) used by cyber criminals to extort money from computer users. The ransomware is changed and updated every few months. By September 2016, we had witnessed 3 different versions of Cerber ransomware being released and attacking tens of thousands of computers. Cerber is reported to have generated $2.3 million in annual revenue since it was launched. According to security researchers at Check Point, in July 2016 alone Cerber ran 160 active campaigns and successfully infected over 150,000 users in 201 countries. It is estimated that these attacks generated $195,000 in that month, of which the ransomware developer gained approximately $78,000. The rest was given to the affiliates, based on the number of successful infections and the amount of ransom payments for each campaign.



Information about Cerber 4 Ransomware


Threat Name: Cerber 4
Type: Ransomware; Malware
Previous Versions: Cerber Ransomware; Cerber 2 Ransomware; Cerber 3 Ransomware
Main Changes: Alters the extensions of the encrypted files; shifts the format of the ransom note from html to .hta; mainly targets databases of businesses
Target Operating Systems: Windows XP, Windows 7, Windows Vista, Windows 8/8.1 and Windows 10
Distribution Methods: Via exploit kits and malware scams
Behaviors: Infects computers; stops database processes; encrypts important data & files; demands a ransom payment
Symptoms: Databases stop abruptly; databases are encrypted; ransom note appears on the desktop
Threats Posed: Failure to access certain data & files temporarily or permanently; loss of money
Removal Solutions: Perform system restore or download Cerber 4 Ransomware removal tool!

Cerber 4 ransomware is the 4th version of Cerber ransomware, a type of malware used to attack people’s computers and encrypt a variety of file types with the intention of demanding a ransom payment to decrypt them. Like the previous versions, this version continues to use AES encryption to encrypt the victims’ files, but it has become more “mature” after being changed and improved. It now mainly targets businesses’ databases in the hope of increasing the payment rate. In the cyber criminals’ eyes, businesses are more likely to pay the ransom than individuals. For one thing, businesses make more money and can easily afford the ransom; for another, businesses are the ones that typically run databases containing important and useful data, and losing certain data files could have destructive effects, so most of them feel they have to pay the ransom.

Once installed on a target computer, Cerber 4 ransomware scans the drives for any files that match certain file extensions. When it finds matching files, it encrypts them using AES encryption. It is worth mentioning that this latest version can stop database processes running on a target system in order to encrypt the data files. The following are the file types encrypted by the ransomware:

.wab, .xls, .xlsx, .xml, .zip, .bay, .bdb, .bgt, .bik, .bpw, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .ce1, .ce2, .cib, .craw, .crw, .csh, .csl, .db_journal, .rvt, .st7, .stm, .vbox, .vdi, .vhd, .vhdx, .vmdk, .vmsd, .vmx, .vmxf, .3fr, .3pr, .stx, .sxd, .sxg, .sxi, .sxm, .tex, .wallet, .wb2, .wpd, .x11, .x3f, .xis, .ycbcra, .yuv, .contact, .dbx, .doc, .docx, .jnt, .jpg, .msg, .oab, .ods, .pdf, .pps, .ppsm, .ppt, .pptm, .prf, .pst, .rar, .rtf, .txt, .laccdb, .ldf, .lit, .m3u, .mbx, .md, .mdf, .mid, .mlb, .mov, .mp3, .mp4, .mpg, .obj, .odt, .pages, .php, .psd, .pwm, .rm, .safe, .sav, .dc2, .dcs, .ddoc, .ddrw, .der, .des, .dgc, .djvu, .dng, .drf, .dxg, .eml, .erbsql, .erf, .exf, .ffd, .fh, .fhd, .gray, .grey, .gry, .hbk, .ibd, .ibz, .iiq, .incpas, .jpe, .kc2, .kdbx, .kdc, .kpdx, .lua, .mdc, .mef, .mfw, .mmw, .mny, .mrw, .myd, .ndd, .nef, .nk2, .nop, .nrw, .ns2, .ns3, .rwl, .rwz, .1cd, .3ds, .3g2, .3gp, .7z, .7zip, .accdb, .aoi, .asf, .asp, .aspx, .asx, .avi, .bak, .cer, .sd0, .sda, .sdf, .sqlite, .sqlite3, .sqlitedb, .mkv, .mpeg, .ndf, .nvram, .ogg, .ost, .pab, .pdb, .pif, .png, .qed, .qcow, .qcow2, .save, .sql, .srt, .swf, .thm, .vob, .wav, .wma, .wmv, .xlsb,3dm, .ab4, .accde, .accdr, .accdt, .ach, .acr, .adb, .ads, .agdl, .ait, .apj, .asm, .awg, .back, .backup, .backupdb, .rw2, .sldm, .cfg, .class, .config, .sr2, .srf, .srw, .st5, .st8, .std, .sti, .stw, .blend, .cdf, .cdx, .cgm, .cr2, .s3db, .sldx, .svg, .tga, .wps, .xla, .xlam, .xlm, .xlr, .xlsm, .xlt, .xltm, .xltx, .xlw, .act, .adp, .al, .bkp, .sas7bdat, .m2ts, .m4p, .css, .csv, .db, .dds, .dwg, .dxf, .flf, .flv, .html, .idx, .js, .key, .kwm, .gif, .ns4, .nwb, .nx2, .nxl, .nyf, .odb, .odf, .odg, .odm, .orf, .otg, .oth, .otp, .ots, .ott, .p12, .p7b, .p7c, .pdd, .pem, .plus_muhd, .plc, .pot, .pptx, .psafe3, .py, .say, .st4, .st6, .stc, .sxc, .sxw, .tlg, .wad, .xlk, .aiff, .bin, .bmp, .cmt, .dat, .dit, .edb, .crt, .dac, .dbf, .dcr, .ddd, .design, .dtd, .fdb, .fff, .fpx, .h, .iif, .indd, .jpeg, .mos, .nd, .nsd, .nsf, .nsg, 
.nsh, .odc, .odp, .oil, .pas, .pat, .pef, .pfx, .ptx, .ppsx, .pptm, .ps, .r3d, .hpp, .log, .qba, .qbr, .qbw, .qbx, .qby, .raf, .rat, .raw, .rdb, .groups, .hdd, .flvv, .qbb, .qbm, .aac, .ai, .arw, .c, .cdr, .cls, .cpi, .cpp, .cs, .db3, .docm, .dot, .dotm, .dotx, .drw, .dxb, .eps, .fla, .flac, .fxg, .java, .m, .m4v, .max, .mdb, .pcd, .pct, .pl, .potm, .potx, .ppam, .ppsm


Cerber ransomware modifies the encrypted files’ names and adds a specific extension to them. In previous versions (Cerber, Cerber 2 and Cerber 3), encrypted files are named with random characters (e.g. Dsjvix2ffV) and marked with .cerber, .cerber2 and .cerber3 respectively. See Figure 1 below.

Figure 1

encrypted files_2

However, this new version has moved on to a different extension format: every encrypted file is given a four-character extension taken from the fourth segment of the “MachineGuid” value under the HKLM\Software\Microsoft\Cryptography registry key. This means that the extension is no longer a fixed string, and it will vary between infected computers. If the MachineGuid value is “c532903f-2a4d-3b46-96b3-d533804b3c2b”, the file extension will be “96b3”. See Figure 2 below.

Figure 2

encrypted files_1
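The extension rule described above can be used to scope the damage on an infected machine or on a copy of its disk. The following is an added example, not part of the original article: it derives the extension from a MachineGuid and inventories matching files and ransom notes under a directory. The function names are illustrative, and the ransom note file name README.hta is an assumption based on the "README" name and ".hta" format mentioned on this page.

```python
"""Scope a Cerber 4 incident: derive the per-machine extension, inventory files."""
import os
import re
import sys
from collections import Counter

GUID_RE = re.compile(
    r"^\{?([0-9a-f]{8})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{12})\}?$",
    re.IGNORECASE,
)

# Assumption: the ransom note is named README.hta (page says "README" and ".hta").
RANSOM_NOTE_NAME = "readme.hta"


def cerber4_extension(machine_guid: str) -> str:
    """Return the 4-character extension: the fourth segment of MachineGuid."""
    m = GUID_RE.match(machine_guid.strip())
    if not m:
        raise ValueError(f"not a GUID: {machine_guid!r}")
    return m.group(4).lower()


def read_machine_guid() -> str:
    """Read MachineGuid from the live registry (Windows only)."""
    import winreg  # standard library, present on Windows only
    access = winreg.KEY_READ | winreg.KEY_WOW64_64KEY  # avoid WOW64 redirection
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Microsoft\Cryptography", 0, access) as key:
        value, _type = winreg.QueryValueEx(key, "MachineGuid")
    return value


def inventory(root: str, machine_guid: str) -> dict:
    """Walk root; list files carrying the derived extension, plus ransom notes."""
    suffix = "." + cerber4_extension(machine_guid)
    encrypted, notes, per_dir = [], [], Counter()
    # Unreadable directories are skipped rather than aborting the walk.
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(suffix):
                encrypted.append(path)
                per_dir[dirpath] += 1
            elif name.lower() == RANSOM_NOTE_NAME:
                notes.append(path)
    return {"extension": suffix, "encrypted": sorted(encrypted),
            "ransom_notes": sorted(notes), "per_directory": dict(per_dir)}


if __name__ == "__main__":
    # Usage: script.py <root> [MachineGuid]. The GUID is read from the registry
    # when omitted; pass it explicitly when examining a copied or mounted disk.
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    guid = sys.argv[2] if len(sys.argv) > 2 else read_machine_guid()
    report = inventory(root, guid)
    print(f"extension {report['extension']}: {len(report['encrypted'])} encrypted "
          f"files, {len(report['ransom_notes'])} ransom notes")
    for folder, count in sorted(report["per_directory"].items(),
                                key=lambda kv: -kv[1]):
        print(f"{count:6d}  {folder}")
```

The per-directory counts show which folders need to be restored from backup first, and folders that contain a ransom note but no matching files are worth a manual look.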

After the encryption, Cerber 4 ransomware creates a help file called README (see Figure 3) in every folder. Double-clicking this file opens an HTML page named “Cerber Ransomware Instructions”, as Figure 4 below shows. This page tells the victim that his files have been encrypted by “Cerber Ransomware” and that the only way to get them back is to buy the special decryption software called “Cerber Decryptor”. It also warns the victim that any attempt to restore the encrypted files with third-party software will be fatal to his files. To purchase the decryption software, the victim is required to access his personal page via one of the links provided on the page.

Figure 3

readme file

Figure 4

cerber4 ransom note

The ransomware also displays a grayish, pixelated ransom message on the desktop. The content of this message is not exactly the same as that of the “Cerber Ransomware Instructions”, but it conveys a similar meaning and also provides several links for the victim to access his personal page. It should be pointed out that this ransom message differs from the previous ones in that it directly mentions “Cerber Ransomware 4.1.1”, which tells the victim clearly which ransomware is attacking his computer. See Figure 5 below.

Figure 5

cerber 4 ransomware desktop-warning

On the personal page, the victim is shown more detailed instructions on how to decrypt the encrypted files. Like its other versions, Cerber 4 ransomware demands that the victim buy a piece of software called Cerber Decryptor to restore the encrypted files. The decryptor can be purchased at a special price of 1 bitcoin (about $607) if the victim makes the payment within 5 days. Beyond that time, the price will increase to 2 bitcoins (about $1214). A countdown timer on the page reminds the victim how much time is left to buy the product at the “preferential” price. See Figure 6 below.

Figure 6


This is a common tactic used by Cerber ransomware to scare its victims into paying the ransom. To increase the payment rate, the cyber criminals also offer a service on the page that allows victims to upload and decrypt 1 file for free, making them believe that the “Cerber Decryptor” really can decrypt files. In short, the more victims pay the ransom, the more money the cyber criminals behind Cerber 4 ransomware can make.


Has your PC got infected by Cerber 4 ransomware? Is this the first time that you have encountered a ransomware threat? Are you wondering what you can do to minimize the loss? A highly recommended solution is to quickly perform a complete removal of Cerber 4 ransomware so that you can avoid other potential problems, like getting infected by other types of malware.




How Does Cerber 4 Ransomware Spread?

According to Trend Micro, Cerber 4 ransomware is mainly distributed via exploit kits. Exploit kits are often used to spread various malware threats, so their use to spread Cerber 4 ransomware should not be a great surprise. Research shows that three exploit kits have been confirmed to spread this ransomware: the Magnitude exploit kit, the RIG exploit kit and the Neutrino exploit kit. These exploit kits are usually operated by private entities and used in malvertising campaigns to distribute malware threats. Generally, cyber hackers use the classic method of script injection to compromise legitimate websites and turn them into vectors for malware distribution. The injected script can redirect Internet traffic to multiple domains which have been hacked and used for domain shadowing. When Internet users visit these infected websites, exploit kits can exploit vulnerabilities to upload and execute malicious code on the users’ computers.



This ransomware is also spread through malware scams, mainly by use of spam emails that contain infected attachments. These attachments can appear to be detailed bills, payment history reports, e-tickets, receipts, or similar eye-catching items. In fact, these attachments contain malicious JavaScript objects or Docm macros. When users double-click on them, the ransomware executable is automatically downloaded to their computer systems.



Most Frequently Asked Questions

Q: What should I do if my computer gets infected by Cerber 4 ransomware?

In case your computer has been attacked by this ransomware, it is suggested that you disconnect it from the Internet immediately. This can prevent the ransomware from running on your machine and doing other malicious things. Then, copy the encrypted files to a healthy computer and try to find a way to decrypt them.

Q: Is it possible to remove Cerber 4 ransomware and restore my files?

Removing the ransomware is not impossible. You can try two methods to achieve it. One is performing system restore, and the other is using an exclusive malware removal tool. We will give detailed steps for both in this article. Restoring the encrypted files is a more complicated task. So far, no tool has proved to be 100% effective in decrypting the files; however, this doesn’t mean that you have no chance of getting your files back. In this article, we will introduce several methods that may help restore your files.

Q: Should I pay the ransom and get my files back?

We suggest that you pay the ransom only in case of an actual emergency. Otherwise, it is advised that you first find some other ways to try restoring the files.



How to Remove Cerber 4 Ransomware from Your PC?


A common way for PC users to remove malware threats without using a tool is to perform system restore. This method is effective for some malware; however, it may not work when your computer is infected by ransomware. This is because ransomware always first infects the restore points of a target system when it starts the attack, so as to avoid being removed from the computer. So, we will offer another method that is more effective than system restore, namely, running an exclusive malware removal tool to detect and remove the ransomware. Now you can follow the instructions below to delete Cerber 4 ransomware from your computer.

Method 1: Run SpyHunter to remove Cerber 4 ransomware.

Method 2: Perform system restore to remove Cerber 4 ransomware.

Method 1: Run SpyHunter to remove Cerber 4 ransomware.


What Is SpyHunter?
SpyHunter is a professional anti-malware program developed by Enigma Software Group USA LLC. With the advanced features, this program can provide the highest level of protection against the latest computer threats. SpyHunter is able to detect and clean many types of malware like viruses, rogue antivirus programs, ransomware, and fix other security related issues effectively.

Now you can follow these steps to get Cerber 4 ransomware removed with SpyHunter:

  • Copy the downloaded file to the infected computer and then double-click on its icon to run it. When a dialog box pops up, click the Run button.

  • Select your language and click the OK button.

  • Click CONTINUE to proceed.

  • Click I accept the EULA and Policy and click the INSTALL button.

  • SpyHunter is now being installed on your PC. Just wait a few moments.

  • Once SpyHunter is successfully installed on your PC, click the EXIT button.

  • Then, boot your PC into Safe Mode. After you access the desktop, double-click the SpyHunter icon to launch it. On its main screen, click the Scan Computer Now button to do a full system scan.

  • SpyHunter will now start scanning the entire system for any existing threats.

  • When the scan is done, SpyHunter will show you all detected threats. Click the Fix Threats button if you want to remove all found threats.

  • After all threats are completely deleted from your PC, restart your PC.


Warm tips: If for some reason you cannot find any item related to Cerber 4 ransomware, we still suggest that you click the Fix Threats button to remove other detected threats. After a ransomware infection, some of your system settings could have changed, which lowers the security level. In this situation, your computer system can easily be attacked by other types of malware and suffer from more unwanted problems. Hence, removing other malware threats is also an important thing to do.



Method 2: Perform system restore to remove Cerber 4 ransomware.


System restore is a Windows feature that can help fix certain types of computer problems, like crashing, blue screen of death, and malware infections. If you want to try the system restore to clean Cerber 4 ransomware first, then you can follow the steps below to do it. In the following, we will show steps to perform system restore on a Windows 7 computer. For other OS versions, please visit here.

  • Click the Start menu and type system restore into the search box. Then, click System Restore in the result list.

  • In the window that appears, select either Recommended restore or Choose a different restore point (note: if the ransomware infection occurred earlier than the date of the Recommended restore, you should choose the latter option).

  • Then, you’ll be presented with a list of restore points you have created previously. If you want more options, tick the box labelled Show More Restore Points. Then, select an acceptable restore point and click the Next button.

  • Confirm your restore point and click Finish. A dialog box will appear and ask you to confirm that you really want to perform system restore. Click the Yes button, and the system restore will begin.

  • Please wait while your Windows files and settings are being restored.

  • After the system restore is completed, please log into your account.

  • Then, you will see a dialog box once the desktop loads. Click the Close button.


Have you successfully removed Cerber 4 ransomware from your PC after performing the system restore? If this method doesn’t work, why not turn to an exclusive malware removal tool instead?



How to Decrypt and Restore Your Files?


The ransom note says that the only safe way to decrypt your files is to buy the Cerber Decryptor. In fact, there are several methods to restore your data without paying the ransom. But before restoring any data, you need to make sure that Cerber 4 ransomware has been completely removed from your PC. Otherwise, it will continue to encrypt your files after you make efforts to restore them. Now you can try the following methods to restore your data files. But please note that we do not guarantee that all of the methods below will help. If the data encrypted by the ransomware is very important to you, and you won’t allow any mistake or loss, then paying the ransom should be a better idea.


Method 1: Use the Backups

The first and most reliable method is to use a backup. The precondition is that you have made a backup of your files. If you have, you can easily restore your files from it.

Method 2: Use File Recovery Software

If you don’t have a backup of your files, the second method you can try is to use file recovery software. Many free data recovery programs are available that can help recover your accidentally deleted files.


Method 3: Use Shadow Volume Copies

Another method is to use Shadow Volume Copies. If the ransomware hasn’t deleted your shadow copies, there is hope that you can restore your files with this method. See how to easily restore your deleted or modified files using Shadow Copies.

Method 4: Use a Decryptor Tool

If the above methods don’t work, the last solution is to try Kaspersky’s decryption tool and Trend Micro’s ransomware file decryptor.

Please note that these tools were not specially created to decrypt files encrypted by Cerber 4 ransomware, so they may not be 100% effective and may only decrypt a small part of your files.



In conclusion, Cerber 4 ransomware is a highly dangerous malware threat that can attack your computer and encrypt your important files in order to demand a ransom. This ransomware uses the AES encryption method to encrypt the files, and it is hard for a general user to decrypt them. Even an expert with a good command of cryptography needs quite a long time to break an AES encryption key. Therefore, an effective tool to decrypt the files encrypted by this ransomware will not be created in a short time. However, even though the situation is not optimistic, you shouldn’t give up. You need to do something for your computer and files, instead of just waiting for worse things to happen. At the least, you must make sure that your computer is not infected before you get your files back! We highly recommend that you get rid of Cerber 4 ransomware and try every possible way to restore your files. In this article, we have provided some guides that you can try following. Now download a professional malware removal tool and prepare for the ransomware removal immediately!





Useful Tips for You:


Being infected by ransomware is a rather annoying thing, and we think you don’t want to get infected and be threatened once more. Therefore, you need to do something to protect your PC and important files.

1. Make regular backups of your important files. This can keep you from being threatened by the ransomware. You’d better place your backup on USB hard drives which are not connected to your computer or the Internet.

2. Be cautious when surfing online. Do not open unknown email attachments or click on any suspicious links. Besides, you should avoid visiting unsafe websites. Ransomware often spreads via spam emails and malicious sites.

3. Keep your antivirus/anti-malware programs, web browsers and other software up-to-date. Ransomware can exploit vulnerabilities found on your PC to attack your system.

4. If you don’t have an antivirus/anti-malware program installed on your PC, you’d better install one such as SpyHunter which can protect your PC against all types of malware, including ransomware.


