Cerber ransomware & Files decryption

[konrado]

Hello. Hope you are fine.

I was victim of a ransomware called cerber
At one point I noticed the slowing down of my machine. Then I restarted it, thus interrupting the process. Always it is that it has succeeded to encrypt a good part of my data in form [random alphanum].b01e.
My question: Is there a way to reverse the process? Decrypt my data. If not, is there a way to bruteforce the encryption ? I know it can take a while but it's important.

[Aura]

Hi konrado

It looks like your files were infected Cerber v4/v5 (that appends a random, 4-digits, extension at the end of the files it encrypts). Sadly, there's no way to decrypt the files encrypted by this variant for free, so the best thing you can do is back up your files and hope that one day a free decrypter for that variant of Cerber will be released. For more information, I suggest you to follow this support thread on BleepingComputer.

https://www.bleepingcomputer.com/forums/t/606583/cerber-ransomware-support-and-help-topic-decrypt-my-files-htmltxtvbs/

[konrado]

OK. But is there a way to find the encryption method ?

I've notice that some of my mp3 of videos files can still be played with vlc with a few errors.

A friend told me that if the files was really encrypted, I could'nt play them with vlc. 

Is it possible that the virus has only mixed the contents of the files by following a certain algorithm?
So if someone can compare with a normal or hexadecimal text editor an encrypted version of a file and its unencrypted version and can determine a way to restore them?

[Aura]

Quote

OK. But is there a way to find the encryption method ?

The algorithm used to encrypt the files is known, however, without the private key, the encrypted files cannot be decrypted. So even if you know the algorithm, it won't make any difference.

Quote

I've notice that some of my mp3 of videos files can still be played with vlc with a few errors.

Were they even encrypted by Cerber?

Quote

Is it possible that the virus has only mixed the contents of the files by following a certain algorithm?

Cerber doesn't do that.

 

[konrado]

On 29/12/2016 at 2:44 PM, Aura said:

Were they even encrypted by Cerber?

Yes.

On 29/12/2016 at 2:44 PM, Aura said:

Cerber doesn't do that.

I know. But all the solution for cerber attack that I found did'nt work. Maybe they made an update that actually does not really encrypt all the files.

It's took almost 30 minutes to encrypt over 200 Go of data. I am not an expert but I think this kind of work need more time.

[Aura]

Quote

Maybe they made an update that actually does not really encrypt all the files.

They didn't. Cerber is a Ransomware that is covered from A to Z in the security community. If a small string was to be changed in the code, someone would Tweet about it, guaranteed. Also, Cerber doesn't completely encrypt big files. I suspect that the files you played in VLC are videos, right? Only part of them are encrypted, which means some frames will skip since they are encrypted (corrupt), but it doesn't mean that you can decrypt these because of that.

[konrado]

20 hours ago, Aura said:

videos

Videos and audio files.

20 hours ago, Aura said:

 but it doesn't mean that you can decrypt these because of that.

But I get the idea. It's just that some encrypted data is really important to me ...

[Aura]

I'm sure that data is important to you, I understand that. However, it isn't possible right now to decrypt these files for free, so there's nothing you can do. You can always try to scrub your system using tools like PhotoRec, Shadow Explorer, etc. to see if you can recover previous copies of your files before they were encrypted, but that's it.

[exile360]

Since this issue is resolved I will close the thread to prevent others from posting here. If you need assistance please start your own topic and someone will be happy to assist you.