
A new and improved version of the infamous Cerber Ransomware has emerged. Among other things, it changes the affected users’ file extensions into .Cerber2, thus the name.

The first reports of Cerber2 Ransomware emerged yesterday, with additional details coming in by the minute. Apparently, the new extension is not the only change that awaits unfortunate victims of this newest online threat.

Generally, Cerber2 works and behaves like its predecessor and much like any other present-day ransomware does. After gaining access to the victim’s device, the ransomware uses strong encryption to encrypt the targeted files and make them virtually inaccessible. A “ransom” note is then posted on the user’s desktop, explaining the crime in detail and demanding a payment in Bitcoin in exchange for a decryption key.

Now, here lies one of the biggest changes between the Cerber Ransomware and the new and improved Cerber2 version: the virus has “migrated” from employing the AES-256 cipher and instead now uses Microsoft’s CryptGenRandom as its primary encryption technique, thus rendering any previous successful attempts at the decryption of .Cerber files obsolete.

The new ransom note now reads as follows:

“Your documents, photos, databases, and other important files have been encrypted! If you understand the importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.”

The message is followed by a list of Tor web addresses, while the demanded ransom payment remains 1.24 Bitcoins or roughly $500 of victims’ hard-earned money.

We encourage you to be extra vigilant while browsing the internet and follow some basic but necessary precautions. If you have been unlucky enough to become one of the already numerous victims of the Cerber2 Ransomware, we strongly urge you to take your time and not fall victim to some rash decision making.

It is definitely not a good idea to give in to the ransom demands. Not only are there absolutely no guarantees that you will indeed receive the key even after sending the Bitcoin payment, but you would also essentially be funding the cyber criminals and their future “endeavors.”

Right now, there’s no known way to decrypt the .Cerber2 files but there is always hope, so stay strong and look for future news on the topic.


About the Author: Daniel Sadakov has a degree in Information Technology and specializes in web and mobile cyber security. He harbors a strong detestation for anything and everything malicious and has committed his resources and time to battling all manners of web and mobile threats. He has founded, a website dedicated to covering the top tech stories and providing useful tips for the everyday user, in an effort to reach and help more people.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.