Skip to content ↓ | Skip to navigation ↓

AVG security researcher Jakub Kroustek has recently discovered tracks of the Cerber 3 ransomware virus marking encrypted files with the .cerber3 file extension. Unlike previous variants of Cerber, for which decryptors have been already developed, this variant contains fixes that prevent malware researchers from decrypting the files.

Since this virus is a part of a RaaS scheme, its infections have risen rapidly over the past few months. In fact, malware researchers report that affiliates managed to reach 150,000 infected computers. July 2016 was one of the peak months for the Cerber variants, reaching up to $200,000 in monthly profit.

Each malicious campaign that distributes Cerber 3 is also reported to differ from its predecessors. For instance, Check Point malware researchers report that the highest impact regarding size and infections was on targeted computers that are located in Asia, more specifically China and South Korea.

To cause infections in those countries, the Cerber 3 ransomware used the Magnitude exploit kit which aims to detect weak points in a given operating system and exploit them, thus resulting in a successful attack.

After it has attacked a given computer, Cerber3 ransomware asks a ransom payment whose value is double that of the previous variant ($175 in BitCoin). This “request” is written in a ransom note that is published on a Tor-based web page aiming to scare users into paying the ransom:

“Your documents, photos, databases and other important files have been encrypted. To decrypt your files you need to buy the special software – <<Cerber Decryptor>>

“All transactions should be performed via Bitcoin network only.”

The message is accompanied by instructions on how to pay the ransom in bitcoin:

cerber decryptor

Q: What should I do if my computer is infected with Cerber 3 Ransomware?

A: In case your device has become a victim of this virus, you should immediately disconnect your computer from the internet and copy the encrypted files on a safe computer. From there, you can try to manually remove Cerber 3 and only then try to recover some of your lost data via a data recovery tool.

Q: How can I decrypt .cerber3 encoded files?

A: Cerber 3 is as impressive as it is devastating when it comes to file encryption. Its encryption module’s first action is to generate RSA 576-bit keys on the infected device. These keys are stored, and after successful encryption, they are used to decode and encode files. The decryption key for the encoded files is encrypted with the same cipher, but it is much stronger in bits – RSA-2048. The information for the decryption is then sent to the server of the cyber-criminals, who distribute the infection.

Unlike the keys, the encryption algorithm is RC4 (Rivest Cipher 4), the code for which leaked back in 1994. In size, this cipher may vary from 40 to 2048 bits. Cerber 3 is reported to use 128-bit key based on its advertisement. The algorithm is also known as a stream cipher, and many prefer it due to its fast encrypting speed (7 cycles per byte).

The worst part of it all is that each RC4 encrypted file generates its own key. For example, if you have 150 files, and they are encrypted, Cerber 3 will generate 150 unique keys. And this is not the bad news yet. The cherry on the cake is all of those keys are encrypted using the previously mentioned RSA-576 bit cipher.

This procedure immensely complicates the decryption process of files encrypted by this ransomware virus. It may take months if not years to decrypt one file and then more time to solve the riddle for the other files based on the initial information.

Q: How can I protect my files and my computer from Cerber 3?

A: To stay protected from Cerber 3, store your important files in a safe way. Also, download ransomware protection software to reduce the risk of a ransomware attack.


Vencislav KrustevAbout the Author: Vencislav Krustev has a degree in Marketing and Value Chain Management and is currently accomplishing the Cisco CCNA engineering course for network and system administrators. He is passionate about cyber-security and malware research, which is why he dedicated a great deal of his time to gain experience in the cyber-security field. You can find him at – a blog and a forum on cyber security and threats – where he is researching solutions against malware infections from morning till dusk.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

10 Ways Tripwire Outperforms Other Cybersecurity Solutions
  • Amaroks

    I had to reset my PC to get rid off this bug.

  • rupak

    today my pc got infected with cerber3 virus.
    can any help me.I lost my all files…very sad day for me..

    • Bacon Hawk

      Delete your files and use a program to retrieve lost files from your hard drive. Just make sure to not bring back the cerber3 files.

  • Romit Malhotra

    My laptop got infected with cerber 3. Any solution to it?

  • Cihan Erdem

    hi, i can help you for your .enc and .encrypted files, if you need help please send me sample files with ransom note file (html or txt)

  • EH

    My laptop got infected, files have been encrypted with extension “.b522” I cannot find any decryptor software so far. Plz anyone can help?

  • Ayan

    I am affected by Cerber Ransomware 4.0.3. It has encrypted files on my system and the extension is .9b83. Please help me to decrypt the files.

  • Payal Mehta

    I am infected with Cerber Ramsomware with extension .bfb6……. Please help me to decrypt these files

  • Senthil Kumar

    I am infected with Cerber Ramsomware with extension .a8be……. Please help me to decrypt these files

  • Chris Osborne

    Also got infected. To recover your files you just have to pay the ransom. I lost my valuable files trying to decrypt on my own.

    Please just pay the ransom or have your system formatted. No free ware to recover your file.

  • How To Remove PC Virus
    Simple Steps To Delete Malware:-

  • CERBER RAN$OMWARE extension .becf , how to decrypt files??

<!-- -->