What is CerBerSysLock ransomware? And how does it perform its attack?
CerBerSysLock ransomware is a file-encrypting Trojan that first emerged on the 7th of December this year. According to malware analysts, this ransomware threat is based on the Xorist ransomware, as both programs use the XOR encryption algorithm in their encryption process. Aside from CerBerSysLock ransomware, other ransomware Trojans belong to this group, such as the Blocked2 ransomware and the Zixer2 ransomware.
CerBerSysLock ransomware communicates with a new set of Command and Control (C&C) servers, and there is also a slight change in its encryption algorithm which prevents security researchers from cracking its code. During encryption, it appends the .CerBerSysLocked0009881 extension to its targeted files. It then drops a ransom note named HOW TO DECRYPT FILES.txt which states the following text:
“Problem with your Files?
Don’t worry! Your files are SAFE!
Files are Backed up by our Service!
You need to buy Cerber Decryptor v5.0 updated 2017-November
Hi, I’am CERBER RANSOMWARE
YOUR DOCUMENTS, PHOTOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!
The only way to decrypt your files is to receive the private key and decryption program.
Contact Email: [email protected]
Subject PRIVATE-ID: CerBerSysLocked0009881
!!! ANY ATTEMPTS TO RESTORE YOUR FILES WITH THE THIRD-PARTY SOFTWARE WILL BE FATAL FOR YOUR FILES. !!!
!!! IF YOU ATTEMPT TO RECOVER YOUR DATA WITH OTHER SOFTWARE THE RANSOMWARE WILL SE THIS ACTION.!!!
!!! AND WILL GENERATE ANOTHER CODE ON THE FILES THAT WILL BE IMPOSSIBLE TO RECOVER THEM BACK.!!!
!!!!!PLEASE NE REZONABLE!!!!!
!!! AND FOLLOW THE INSTRUCTION BY CONTACTING THE EMAIL ADDRESS ABOVE. !!!”
The ransom amount is currently unknown. Nevertheless, its ransom note states that the encrypted files can only be recovered with the Cerber Decryptor v5.0. Note that even though this ransomware introduces itself as the infamous Cerber ransomware, it is nothing but a copycat. Paying the ransom should not be an option either, as there are numerous reports circulating that victims of this ransomware were asked to pay a large sum of money for the decryption tool. The best thing you can do for now is to restore the encrypted files from whatever backup you have until a free decryptor becomes available.
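The article attributes this family to Xorist because of its XOR-based encryption. The following Python script is an added example, not code from the article or from any malware sample, that shows why a plain repeating-key XOR scheme is so weak from the defender's side: a known plaintext prefix (the PNG file signature, assumed here as the known bytes) is enough to recover the key from a single encrypted file and restore every other file encrypted with the same key. The hypothetical encryptor and the sample key are constructed for the demo; since the article notes this variant changed its algorithm, this illustrates the family's weakness rather than acting as a decryptor for this sample.

```python
"""Why a repeating-key XOR scheme gives analysts a way back in.

Added example, not code from the article or from any malware sample. It
assumes a hypothetical encryptor that XORs every byte with a short
repeating key. A known plaintext prefix (the PNG signature) lets the key
be recovered from one encrypted file and applied to every other file
encrypted with the same key.
"""
from itertools import cycle
from typing import Optional

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"  # first 8 bytes of every PNG file
SAMPLE_KEY = b"K3y!"              # constructed key for the demo only


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; the same call encrypts and decrypts."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Recover a repeating XOR key of length key_len from a known plaintext prefix."""
    if len(known_plaintext) < key_len or len(ciphertext) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext and ciphertext")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_plaintext[:key_len]))


def guess_key_len(ciphertext: bytes, known_plaintext: bytes, max_len: int) -> Optional[int]:
    """Smallest key length whose recovered key reproduces the whole known prefix.

    Candidate lengths longer than the known prefix cannot be verified and
    are skipped; returns None if no length up to max_len is consistent.
    """
    n = len(known_plaintext)
    for key_len in range(1, min(max_len, n) + 1):
        key = recover_key(ciphertext, known_plaintext, key_len)
        if xor_bytes(ciphertext[:n], key) == known_plaintext:
            return key_len
    return None


def demo() -> dict:
    """Encrypt two constructed files with SAMPLE_KEY, recover the key from the
    PNG using only its signature, and use it to restore the other file."""
    png_file = PNG_MAGIC + b"\x00\x00\x00\x0dIHDR" + bytes(range(40))
    doc_file = b"Quarterly report: revenue up 12%.\n"
    enc_png = xor_bytes(png_file, SAMPLE_KEY)
    enc_doc = xor_bytes(doc_file, SAMPLE_KEY)

    key_len = guess_key_len(enc_png, PNG_MAGIC, max_len=8)
    key = recover_key(enc_png, PNG_MAGIC, key_len)
    return {
        "key_len": key_len,
        "key": key,
        "doc_restored": xor_bytes(enc_doc, key) == doc_file,
    }


if __name__ == "__main__":
    print(demo())
```

The key length is found by trying each candidate length and checking that the recovered key reproduces the entire known prefix, so the known plaintext must be at least as long as the key; a longer known header (or several files with different known headers) extends the range of key lengths that can be confirmed.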
How does CerBerSysLock ransomware distribute its malicious file(s)?
CerBerSysLock ransomware distributes its malicious files through spam emails that carry an attached document embedded with macro scripts, which are used to download CerBerSysLock ransomware onto the computer. In addition, this ransomware also uses fake updates and software to spread its malicious files. Since it uses various distribution methods, you have to be careful when opening any email attachments, especially if they look suspicious. Moreover, in case you need to update your system, make sure you do so from a legitimate and secure source.
Follow the removal guide below to terminate CerBerSysLock ransomware from your computer.
Step 1. Open the Task Manager by simply tapping the Ctrl + Shift + Esc keys on your keyboard.
Step 2. In the Task Manager, go to the Processes tab and look for any suspicious-looking process which takes up most of your CPU’s resources and is most likely related to CerBerSysLock ransomware.
Step 3. After that, close the Task Manager.
Step 4. Tap Win + R, type in appwiz.cpl and click OK or tap Enter to open Control Panel’s list of installed programs.
Step 5. In the list of installed programs, look for CerBerSysLock ransomware or anything similar and then uninstall it.
Step 6. Next, close Control Panel and tap the Win + E keys to launch File Explorer.
Step 7. Navigate to the following locations and look for CerBerSysLock ransomware’s malicious components, such as HOW TO DECRYPT FILES.txt and other suspicious files, and then delete all of them.
Step 8. Close File Explorer.
Before you proceed to the next steps, make sure that you are tech-savvy enough to know exactly how to use and navigate your computer’s Registry. Keep in mind that any changes you make there can have a serious impact on your computer. To save yourself the trouble and time, you can instead use PC Cleaner Pro, a system tool that is proven to be safe and secure enough that hackers won’t be able to break into it. But if you can manage the Windows Registry well, then, by all means, go on to the next steps.
Step 9. Tap Win + R to open Run, type regedit in the field and tap Enter to open the Windows Registry Editor.
Step 10. Navigate to the following path:
Step 11. Delete the registry keys and sub-keys created by CerBerSysLock ransomware.
Step 12. Close the Registry Editor and empty your Recycle Bin.
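Step 7 above asks you to hunt for the ransomware's components by hand. The following Python script is an added example, not part of the original guide, that does the file-system part of that triage: it walks a directory tree and reports every file carrying the .CerBerSysLocked0009881 extension and every copy of HOW TO DECRYPT FILES.txt, with a per-folder count so the scope of the damage is known before anything is deleted. The sample tree it builds in a temporary directory is constructed for the demo; on a real machine you would point `scan_tree` at the user profile or a drive root.

```python
"""Triage scan for the artifacts named in the article.

Added example, not part of the original guide. It lists files carrying
the ransomware's extension and copies of its ransom note under a root
directory. The sample tree is constructed here for demonstration.
"""
import os
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".CerBerSysLocked0009881"  # extension named in the article
RANSOM_NOTE = "HOW TO DECRYPT FILES.txt"   # ransom note name from the article


def scan_tree(root) -> dict:
    """Return encrypted files, ransom notes and per-directory counts under root."""
    root = Path(root)
    encrypted, notes, per_dir = [], [], {}
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = Path(dirpath).relative_to(root).as_posix()  # "." for root itself
        for name in filenames:
            path = Path(dirpath) / name
            if name.endswith(ENCRYPTED_EXT):
                encrypted.append(path)
                per_dir[rel] = per_dir.get(rel, 0) + 1
            elif name == RANSOM_NOTE:
                notes.append(path)
    return {"encrypted": sorted(encrypted), "notes": sorted(notes), "per_dir": per_dir}


def original_name(path) -> str:
    """Strip the appended extension to recover the file's pre-encryption name."""
    name = str(path)
    return name[:-len(ENCRYPTED_EXT)] if name.endswith(ENCRYPTED_EXT) else name


def build_sample_tree(base) -> str:
    """Constructed sample: two 'encrypted' files, one ransom note, one clean file."""
    docs = Path(base) / "Documents"
    pics = Path(base) / "Pictures"
    docs.mkdir(parents=True, exist_ok=True)
    pics.mkdir(parents=True, exist_ok=True)
    (docs / ("report.docx" + ENCRYPTED_EXT)).write_bytes(b"\x00" * 16)
    (docs / RANSOM_NOTE).write_text("Problem with your Files?\n")
    (pics / ("holiday.jpg" + ENCRYPTED_EXT)).write_bytes(b"\x00" * 16)
    (pics / "notes.txt").write_text("not encrypted\n")
    return base


def run_demo() -> dict:
    """Build the constructed sample tree in a temp dir, scan it, return a summary."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        result = scan_tree(tmp)
        return {
            "encrypted_count": len(result["encrypted"]),
            "note_count": len(result["notes"]),
            "per_dir": result["per_dir"],
            "originals": sorted(Path(original_name(p)).name for p in result["encrypted"]),
        }


if __name__ == "__main__":
    summary = run_demo()
    print(f"{summary['encrypted_count']} encrypted file(s), "
          f"{summary['note_count']} ransom note(s)")
    for folder, count in summary["per_dir"].items():
        print(f"  {folder}: {count}")
```

Keep the list of encrypted paths: it tells you which backups to restore and which folders the Previous Versions method below should be tried on, and the pre-encryption names from `original_name` are what you will be restoring to.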
Try to recover your encrypted files using the Shadow Volume copies
Restoring your encrypted files using Windows’ Previous Versions feature will only work if CerBerSysLock ransomware hasn’t deleted the shadow copies of your files. Still, this is one of the best free methods available, so it’s definitely worth a shot.
To restore an encrypted file, right-click on it and select Properties; a new window will pop up. Go to the Previous Versions tab, which lists the file’s versions from before it was modified. After it loads, select any of the previous versions displayed on the list, like the one in the illustration below, and then click the Restore button.
It is important to make sure that nothing is left behind and that CerBerSysLock ransomware is completely removed, using the following antivirus program. To use it, refer to the instructions below.
Perform a full system scan using SpyRemover Pro. To do so, follow these steps:
- Turn on your computer. If it’s already on, reboot it.
- After that, the BIOS screen will be displayed; if Windows pops up instead, reboot your computer and try again. Once you’re on the BIOS screen, press F8 repeatedly until the Advanced Options menu shows up.
- Use the arrow keys to navigate the Advanced Options menu, select Safe Mode with Networking and then hit
- Windows will now load Safe Mode with Networking.
- Press and hold the Windows key and the R key.
- If done correctly, the Windows Run box will show up.
- Type in explorer http://www.fixmypcfree.com/install/spyremoverpro (there must be a single space between explorer and http) and click OK.
- Internet Explorer will display a dialog box. Click Run to begin downloading the program. The installation will start automatically once the download is done.
- Click OK to launch it.
- Run SpyRemover Pro and perform a full system scan.
- After all the infections are identified, click REMOVE ALL.
- Register the program to protect your computer from future threats.