How to Remove Cerber Ransomware from Your PC (Updated)

Is your computer attacked by Cerber ransomware?

Have your personal files been encrypted by this ransomware?

Are you demanded to pay a ransom to get your files back?

Have you run out of ideas to remove this threat and decrypt your files?

If you are searching for effective solution to get rid of Cerber ransomware and get all the files back to normal, please read this article carefully and patiently. Or you can use the removal tool below to scan the ransomware on the infected system and remove Cerber virus without damage from your PC.


Nowadays, ransomware isn’t new for most PC users. For more than a decade, cyber hackers have been developing ransomware to extort money out of individuals, organizations and even governmental agencies. With time goes on, ransomware has evolved from simple scareware into what we now know as the terrible crypto-ransomware, which is a more advanced type of ransomware that encrypts users’ files, leaving them unaccessible unless the victims pay for the decryption key. Cerber ransomware is such a type of crypto ransomware.

Cerber virus has become one of the most dangerous and popular cyber threats in 2016. This fast-growing ransomware enables its creator to gain almost millions of dollars from about 200 different countries. Up to now, Cerber3 is the latest variant of this well-known ransomware while the earliest version of Cerber ransomware already been cracked by some security software such as Trend Micro. Check Point once provided decryption service for free on site. Unfortunately this service is not available and the decryption site is down now since the developer of Cerber ransomware added captcha system to the payment system as an enhanced security measure so as to prevent Check Point’s decryption. This decryption tool has been only available for one day before the maker of Cerber made it useless. There are also some ransomware decryption tools for Cerber2, but they often fail to decrypt the locked files most of the time.

What is even more frustrating is that there is still no a 100-percent effective way to recover files encrypted by Cerber3. By making use of leading exploit kits, this nefarious ransomware is easily distributed as a Ransomware-as-a-Service (RaaS) around the world.


How can Cerber ransomware get widely-distributed?

  • Spam Emails – Like other insidious ransomware, Cerber ransomware is mainly distributed via spam emails that contain malicious attachments. These attachments can be Microsoft Office or PDF documents. If users open such risky document, they may run the malicious macro and unknowingly download the ransomware on their PCs.
  • Corrupted Download Files – Besides, this ransomware may enter the targeted computers through illegitimate freeware or shareware. The ransomware’s malicious codes might have been injected into such seemingly safe software by the cyber hackers. If users are not careful enough and download the infected software off of the Internet, there is a very high possibility that their computers are attacked by this ransomware.
  • Malicious Links – This threatening ransomware also spreads through hacked websites. Some of victims get infected by Cerber ransomware when they click on some malicious links within the unsafe websites while others even directly download the ransomware upon they access the websites before they could click on anything.
  • Malvertising Ads – Cerber can also be found in malware-laden ads. We see online ads in various forms such as pop-up ads, flash ads and text every now and then while we are scrolling through web pages. However, not all ads from Internet are safe. Even you are browsing a reputable site, the ads on it could be harmful as they are hosted by third party and the ads can be infected by the ransomware. The malicious Cerber virus can make use of VisualBasic Script (VBS) and JavaScript to download Cerber from a command and control (C2) server.
  • Fake Update Notification – Your browser may pop up an emergency message asking you to upgrade your flash player or other programs. This kind of message is probably fake notification misleading you to click on insecure content in order to deliver Cerber rasomware to your computer.
  • Vulnerabilities in Unpatched Software and System – Cerber virus is able to scan and exploit security vulnerabilities on software especially on Adobe Flash Player, Java and some popular web browsers. It uses malicious exploit script or exploit kit to find any vulnerabilities on your computer and then infect the computer. Cerber ransomware infection can even disable security tools and firewall.

What will Cerber ransomware do after it is downloaded on your computer?

Here we want to mention a confused detail about this ransomware – it seems to attack computers selectively, more accurately, it chooses not to attack computers of users who live in these countries:

    Russia, Georgia, Kyrgyzstan, Azerbaijan, Armenia, Kazakhstan, Belarus, Turkmenistan, Moldova,             Uzbekistan, Ukraine, and Tajikistan.

After entering your computer, this ransomware will first check and see if you belong to the countries listed above; if so, it will give up the next action and delete itself from your PC. But if not, it will install itself on your computer and start to perform a series of malicious actions. It displays random error messages on your computer screen and restarts it in to Safe Mode with Networking. Once your computer is booted, this ransomware will configure itself to start automatically whenever you log into the Windows. Then, it reboots the computer again. But this time your computer will be booted into the normal mode. Cerber ransomware now starts its encryption process. It will thoroughly scan your computer system to look for important files and encrypt them using the complicated AES encryption algorithm. Soon enough, the names of the encrypted file will be replaced by some random characters, such as 2fQpGnj2-p, and their extensions will be all changed to .cerber.

Here are some examples of how the encrypted files look:

encrypted files

encrypted files

Here is a list of extensions targeted by the ransomware:

.wav, .wma, .db3, .pst, .sav, .save, .sql, .pwm, .rm, .safe, .srt, .nvram, .ogg, .ost, .mdb, .pcd, .pct, .pl, .potm, .nsg, .nsh, .odc, .odp, .oil, .pas, .sxg, .sxi, .sxm, .tex, .wallet, .wb2, .wpd, .x11, .x3f, .xis, .ycbcra, .rar, .rtf, .txt, .wab, .xls, .stm, .vbox, .vdi, .pps, .ppsm, .ppt, .pptm, .prf, .vhd, .vhdx, .vmdk, .vmsd, .vmx, .vmxf, .3fr, .3pr, .docm, .dot, .wmv, .contact, .dbx, .doc, .docx, .jnt, .jpg, .mapimail, .msg, .oab, .ods, .pdf, .ab4, .cdf, .crt, .dac, .dbf, .dcr, .ddd, .design, .dtd, .fdb, .fff, .accde, .accdr, .accdt, .ach, .acr, .adb, .ads, .agdl, .ait, .dxg, .eml, .pptx, .psafe3, .py, .qba, .qbr, .kdc, .kpdx, .lua, .mdc, .mef, .mfw, .mmw, .mny, .moneywell, .mrw, .myd, .ndd, .nef, .awg, .back, .backup, .backupdb, .bank, .erbsql, .erf, .exf, .ffd, .fh, .fhd, .gray, .grey, .gry, .hbk, .ibank, .ibd, .kdbx, .config, .css, .csv, .db, .dds, .dwg, .dxf, .flf, .flv, .html, .idx, .js, .key, .ce1, .ce2, .pspimage, .mid, .mlb, .pab, .pdb, .eps, .fla, .flac, .fxg, .java, .m, .m4v, .max, .mov, .mp3, .mp4, .mpg, .obj, .odt, .pages, .blend, .fpx, .h, .iif, .indd, .php, .nyf, .odb, .odf, .odg, .odm, .orf, .otg, .drw, .dxb, .asp, .aspx, .asx, .oth, .otp, .xlr, .xlsm, .xlt, .xltm, .ibz, .iiq, .incpas, .jpe, .kc2, .xltx, .xlw, .act, .adp, .al, .bkp, .jpeg, .mos, .nd, .nsd, .kwm, .laccdb, .ldf, .lit, .7zip, .cdx, .cgm, .cr2, .accdb, .ots, .ott, .p12, .p7b, .p7c, .pdd, .pem, .plus_muhd, .plc, .pot, .bay, .dotm, .dotx, .avi, .bak, .cer, .cfg, .class, .qbw, .xlsx, .xml, .r3d, .st5, .st8, .md, .mdf, .zip, .1cd, .3ds, .std, .sti, .rw2, .sldm, .sldx, .svg, .tga, .wps, .xla, .xlam, .xlm, .aoi, .m3u, .mbx, .3g2, .3gp, .7z, .asf, .swf, .thm, .vob, .xlsb, .bdb, .bgt, .bik, .bpw, .sqlite3, .3dm, .nsf, .dit, .edb, .flvv, .gif, .groups, .aac, .ai, .arw, .cls, .cpi, .cpp, .cs, .sd0, .sda, .pef, .pfx, .ptx, .qbx, .qby, .raf, .rat, .raw, .rdb, .rwl, .rwz, .s3db, .qbb, .qbm, .sas7bdat, .sdf, .psd, .yuv, .pat, .say, .st4, .ns4, .nwb, .nx2, .nxl, .c, .cdr, .st6, .stc, .sxc, .sxw, .tlg, .wad, .xlk, .aiff, .bin, .bmp, .cmt, .dat, .potx, .ppam, .des, .dgc, .cdr5, .cdr6, .hdd, .hpp, .pif, .ppsm, .ppsx, .pptm, .ps, .cdrw, .log, .m2ts, .m4p, .mkv, .mpeg, .ndf, .png, .qed, .qcow, .qcow2, .rvt, .st7, .sqlitedb, .sr2, .srf, .apj, .asm, .cdr4, .dcs, .ddoc, .ddrw, .der, .cib, .craw, .crw, .djvu, .dng, .drf, .srw, .cdr3, .nk2, .nop, .nrw, .ns2, .ns3, .sqlite, .stw, .stx, .sxd, .csh, .csl, .db_journal, .dc2


Afterwards, Cerber ransomware creates several ransom notes on your desktop and in each folder that stores the encrypted files, in order to let you know what has happened to your PC and what you need to do. These ransom notes are named “# DECRYPT MY FILES #.html”, “# DECRYPT MY FILES #.txt”, and “# DECRYPT MY FILES #.vbs”. One of the ransom notes will be shown on your deskto, informing that your documents, photos, databases and other important files have been encrypted, and to decrypt them you should follow the instructions given.

A special thing should be mentioned that the “# DECRYPT MY FILES #.vbs” file contains VBScript, by executing which, you will hear your computer says that:

Attention. Attention. Attention. Your documents, photos, databases and other important files have been encrypted!

Here is how the ransom note looks:

ransom note

If you download and install the Tor Browsers, and open the appointed website, you will be asked to select your language as shown belew.


Once you select the language, you will see a page as follow:


This page provides detailed information on the payment: how much you need to pay, how to pay and what will happen if you don’t pay within the time limited. As you can see from the page above, to decrypt your files, you need to purchase a product called Cerber Decryptor within 7 days, or else the price will be increase from 1.24 bitcoins (about $517) to 2.48 bitcoins (about $1034).

Should you pay the ransom? It depends. If the encrypted files are extremely important for you and you must get them back, then, you can pay the ransom. By doing this, you can have a 50 percent chance of encrypting them. We say “50 percent”, because we don’t make sure whether the cyber hackers will really give you the decryption key once the ransom is paid. But if the files encrypted are not necessary for you, our suggestion is that you don’t pay the ransom. Actually, you can try removing the ransomware and find some ways to restore your files manually. Even if you fail, you won’t lose money. Once you succeed, you can regain your files. So, why not have a try?

How Can You Remove Cerber Ransomware?

To remove this ransomware, you have to clear all its traces from your PC. Usually, there is a common way for PC users to remove malware from their machines – performing a system restore. Truly, this method is effective for some malware; however, it may not work when your computer is infected Cerber ransomware. This is because this ransomware may first infect the restore points of the targeted system when it starts the attack so as to avoid being cleared from the computer.

A more helpful method to remove Cerber ransomware should be using an advanced anti-malware program that is able to detect and delete all malicious components of the ransomware from your PC. Here we recommend using SpyHunter. It is a powerful anti-malware program designed by Enigma Software Group USA, LLC, aiming to help PC users to deal with various kinds of malware threats. You can use this software to scan your whole system and get rid of Cerber ransomware from your computer after you get the scan results.

You can follow these steps to remove Cerber ransomware with SpyHunter:

Use a healthy computer to download SpyHunter-installer.exe.
Copy the downloaded file to the infected computer. Please use a removable disk that does not contain any important files as this portable hard drive might get infected by Cerber ransomware too.

Then, double-click the downloaded file.
SpyHunter-shortcut When a dialog box pops up as below, click the run button.


Select the language and click OK button.

select your language


Click CONTINUE to proceed, and keep following the setup wizards to install SpyHunter.


Accept the licence agreement and click the INSTALL button.


Now you can see that SpyHunter is being installed on your PC. Please wait for a while.


Once SpyHunter is successfully installed, click the EXIT button.


Then, SpyHunter will automatically run and the main screen looks like below. Click the Scan Computer Now button to do a full system scan.


SpyHunter now will start scanning the whole system for any existing threats.


When the system scan finishes, the scan result will be shown in a list. To remove all detected threats, just click on the Fix Threats button.

fix threats

Friendly reminder: If you are using the free version of SpyHunter, you need to first upgrade it to the registered version before you can fix the threats completely.

Alternatively, if you don’t want to pay any money for a product to remove Cerber ransomware, then you can try performing a system restore by following the manual guides below (Success is not guaranteed):

Windows7 iconFor Windows 7/Vista:

  • Click the Start menu and enter system restore into the search box. Then, click System Restore from the result list.

restore system_1

  • In the popup window, select the option of Recommended restore or Choose a different restore point (if the malware infection occurred earlier than the date of the Recommend restore , you need to choose the later option).

restore system-2

  • Then, you’ll be presented with a list of restore points you have created previously. If you want more options, check Show More Restore Points. Then, you can Select an acceptable restore point and click Next.

restore system_3

  • Confirm your restore point and click on FinishA dialog box will pop up and ask you to confirm that you really want to perform a system restore. If you’re sure to do so, click Yes. This will start the system restore.

restore system_4

restore system_5

  • Please wait while your Windows files and settings are being restored.

restore system_6

  • After the System Restore completes, please log into your account.

restore system_7

  • Then, you will see a dialog box as below once the desktop loads up.

restore system_8


windows_xp For Windows XP:

  • Log on to Windows as an administrator. And then click the Start button > All Programs > Accessories > System Tools, and then click System Restore.


  • The Welcome to System Restore page will pop up as below. Select the Restore my computer to an earlier time option, and then click Next.


  • The Select a Restore Point page will appear. Choose a bold date on the calender and select a proper system restore point in the On this list, click a restore point list, and then click Next.


  • A System Restore message may appear that lists configuration changes that System Restore will make. Then, click OK.
  • After the System Restore completes, your computer will be rebooted, and you will see a screen that contains information confirming that the system restore has been successfully done.

Windows8 iconFor Windows 8:

  • Right click the bottom left corner of your computer screen, and click Control Panel.

Control Panel

  • Locate view by and select Category. Find and click System and Security and then click System. In the open window, find and click on Advanced system settings.

restore system windows8_1

  • A small window will pop up. Under system Protection tab, click on System Restore.

restore system windows8_2

  • Then click Choose a different restore point.

restore system windows8_3

  • Now select a restore point and click Next.

restore system windows8_4

  • Click Finish.

restore system windows8_5

  • Click Yes when a small dialog box appears. Then the System Restore will start.

restore system windows8_6

  • When the System Restore is done, your computer will be restarted itself.

What You Need to Do to Prevent Being a Victim of Cerber Ransomware?

All web users should always be on the alert when using the Internet because it is difficult for most security software to detect Cerber as a serious threat on time and prevent it for the time being. To avoid becoming a victim of ransomware like Cerber, you need to remind yourself of some basic rules:

  • Back up your data regularly – This is the easiest way out. It is possible to restore your files by using a back-up copy created before your system get ransomware attack. Please make sure that you don’t back up your files to the same hard disk that Windows is installed on. It is strongly advised that you save your back-up files in an external hard-drive and disconnect it timely when you completely back-up, or these back-up files can also get encrypted if you have the external hard-drive connected when Cerber hits your system.
  • Ensure that your operating system and software are properly patched and up-to-date – Since Cerber can penetrate into the system via flaws on the system and software, this measure is at least helpful with defending against exploit kits that deliver the ransomware payload to the system. Cerber can easily compromise any vulnerable system.
  • Pay attention to your online behaviors  Don’t open unexpected email attachments, click suspicious links, access unfamiliar websites or download something from untrusted sources.
  • Disable Macros in Microsoft Office –  Users are also encouraged to disable Macros in their Microsoft Office software suite as Cerber ransomware once targeted users of Office 365 with the help from macros. At least 57 percent of all Office 365 users received phishing attempts that delivered the Cerber ransomware.

Installing a powerful anti-malware program with the latest version is the most important way to prevent your PC from getting malware attack. I dare not say that an anti-malware program can 100% protect your computer against ransomware infection, but at least it can prevent access to malicious websites hosting ransomware variants, and even detects and deletes ransomware variants found in your comuter system.

Further decryptors for Cerber and its variants may be developed available some day, so please remain vigilant and often check the Internet for any updates.

Do you still have no idea about which anti-malware program to choose?

If you don’t want to pay the ransom, SpyHunter will help you wipe out Cerber ransomware completely. To recover the files affected by Cerber, it is very important for you to remove the ransomware first from the system quickly. Now click the button below to download the Cerber remover  on your PC.

Download removal tool now


The following video offers a complete guide for Cerber Ransomware removal. You’d better watch it in full-screen mode!

Share Button