Cerber ransomware & Files decryption


konrado

Hello. Hope you are fine.

I was the victim of a ransomware called Cerber.
At one point I noticed my machine slowing down. Then I restarted it, thus interrupting the process. Still, it succeeded in encrypting a good part of my data in the form [random alphanum].b01e.
My question: Is there a way to reverse the process? Decrypt my data. If not, is there a way to bruteforce the encryption? I know it can take a while but it's important.


Hi konrado :)

It looks like your files were infected by Cerber v4/v5 (which appends a random, 4-digit extension at the end of the files it encrypts). Sadly, there's no way to decrypt the files encrypted by this variant for free, so the best thing you can do is back up your files and hope that one day a free decrypter for that variant of Cerber will be released. For more information, I suggest you follow this support thread on BleepingComputer.

https://www.bleepingcomputer.com/forums/t/606583/cerber-ransomware-support-and-help-topic-decrypt-my-files-htmltxtvbs/


  • 2 weeks later...

OK. But is there a way to find the encryption method?

I've noticed that some of my mp3 or video files can still be played with VLC with a few errors.

A friend told me that if the files were really encrypted, I couldn't play them with VLC.

Is it possible that the virus has only mixed the contents of the files by following a certain algorithm?
So could someone compare, with a normal or hexadecimal text editor, an encrypted version of a file and its unencrypted version, and determine a way to restore them?


Quote

OK. But is there a way to find the encryption method?

The algorithm used to encrypt the files is known, however, without the private key, the encrypted files cannot be decrypted. So even if you know the algorithm, it won't make any difference.

Quote

I've noticed that some of my mp3 or video files can still be played with VLC with a few errors.

Were they even encrypted by Cerber?

Quote

Is it possible that the virus has only mixed the contents of the files by following a certain algorithm?

Cerber doesn't do that.


On 29/12/2016 at 2:44 PM, Aura said:

Were they even encrypted by Cerber?

Yes.

On 29/12/2016 at 2:44 PM, Aura said:

Cerber doesn't do that.

I know. But all the solutions for the Cerber attack that I found didn't work. Maybe they made an update that actually does not really encrypt all the files.

It took almost 30 minutes to encrypt over 200 GB of data. I am not an expert, but I think this kind of work needs more time.


Quote

Maybe they made an update that actually does not really encrypt all the files.

They didn't. Cerber is a Ransomware that is covered from A to Z in the security community. If a small string was to be changed in the code, someone would Tweet about it, guaranteed. Also, Cerber doesn't completely encrypt big files. I suspect that the files you played in VLC are videos, right? Only part of them are encrypted, which means some frames will skip since they are encrypted (corrupt), but it doesn't mean that you can decrypt these because of that.


I'm sure that data is important to you, I understand that. However, it isn't possible right now to decrypt these files for free, so there's nothing you can do. You can always try to scrub your system using tools like PhotoRec, Shadow Explorer, etc. to see if you can recover previous copies of your files before they were encrypted, but that's it.

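The reply above notes that Cerber encrypts only part of large files, which is why a player skips over the damaged stretch and keeps going. As an added example (not code from the thread or from any tool mentioned in it), this sketch maps which byte ranges of an MP3 still parse as back-to-back valid frames; it decrypts nothing and only shows where the undamaged audio is. It assumes MPEG-1 Layer III audio, and the sample input is constructed, with a non-random filler standing in for the encrypted region.

```python
# Added example: locate the byte ranges of an MP3 that still parse as valid frames.
BITRATES = [0, 32, 40, 48, 56, 64, 80, 96, 112, 128, 160, 192, 224, 256, 320]  # kbps
SAMPLE_RATES = [44100, 48000, 32000]  # Hz, MPEG-1

def frame_len(data, pos):
    """Length in bytes of the MPEG-1 Layer III frame at pos, or 0 if no valid header."""
    if pos + 4 > len(data):
        return 0
    b0, b1, b2 = data[pos], data[pos + 1], data[pos + 2]
    if b0 != 0xFF or (b1 & 0xFE) != 0xFA:  # 11-bit sync, MPEG-1, Layer III
        return 0
    bitrate_idx, rate_idx, padding = b2 >> 4, (b2 >> 2) & 3, (b2 >> 1) & 1
    if bitrate_idx in (0, 15) or rate_idx == 3:  # free/invalid bitrate, reserved rate
        return 0
    return 144 * BITRATES[bitrate_idx] * 1000 // SAMPLE_RATES[rate_idx] + padding

def intact_runs(data, min_frames=3):
    """Return [(start, end)] byte ranges holding >= min_frames back-to-back valid frames."""
    runs, pos = [], 0
    while pos < len(data):
        count, cur = 0, pos
        # Follow the chain: each valid header tells us where the next one must sit.
        while (n := frame_len(data, cur)) and cur + n <= len(data):
            count, cur = count + 1, cur + n
        if count >= min_frames:  # a chain this long is unlikely to be a chance match
            runs.append((pos, cur))
            pos = cur
        else:
            pos += 1
    return runs

def constructed_sample():
    """Constructed input: 10 frames (128 kbps, 44.1 kHz), frames 3-5 overwritten."""
    frame = bytes.fromhex("fffb9000") + bytes(413)  # 417-byte frame, empty payload
    damaged = bytes((i * 37 + 11) % 251 for i in range(3 * 417))  # stand-in for ciphertext
    return frame * 3 + damaged + frame * 4

if __name__ == "__main__":
    data = constructed_sample()
    for start, end in intact_runs(data):
        print(f"intact frames: bytes {start}-{end - 1}")
```
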
