Readme.hta File Virus – Remove Cerber Ransomware

IT security circles have got used to ransomware strains sticking to the tactic of adding a particular string to the names of affected files. For instance, Cerber surfaced as a piece of ransomware that appends the .cerber extension to the items it affects. The renaming itself is not the critical part. The real damage is done to the file contents, which undergo military-grade encryption.


Nevertheless, the suffix added to the filename, typically after its native extension, carries useful information: it helps to distinguish between ransomware strains.

Cerber has broken this informal rule. Its fresh version does not assign a stable suffix; instead it generates a random string for each file, giving every item a unique extension. Additionally, the ransom note is now presented as a Readme.hta file. In all other respects the release remains true to the Cerber ransomware family.

The infection seems to originate from Russia and is offered on a range of Russian forums. Black hat hackers distribute it on affiliate terms and are not restricted in their choice of propagation methods.

However, most infections rely on spam. The victim is expected to open the email and download the attachment. Keeping macros disabled by default prevents the ransomware from installing automatically when the malicious attachment is opened.

After installation, the virus collects basic information on the computer configuration and determines the computer's IP address. If the address belongs to any of the former Soviet Union republics, the ransomware does not execute its payload. Cerber also tries to detect installed security software and attack those programs, and it attempts to disable Shadow Volume Copies.

Having completed these preliminaries, the ransom virus proceeds with its actual payload. It scans the disk by file extension, excluding only a few categories of data. The exclusions are meant to spare critical system files, which need to remain functional; otherwise the system cannot run, and the ransomware needs a working operating system so that victims can read the ransom note. The note is available in several formats and is dropped into every folder that contains encrypted data.

Cerber also replaces the desktop background with its extortion notice, Readme.hta. The message dropped onto the computer is the first stage of the communication: it invites the victims to a payment page and instructs them to use the Tor browser for further interaction with the ransomware operators. The payment page indicates the payment method and amount. It demands payment in bitcoins and states that the initial amount doubles every seven days.
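Because this variant drops a Readme.hta note into every folder it encrypts and gives each file a random extension, the affected data can be inventoried before any recovery is attempted. The following triage script is an added example, not code from the original post; the note name, the extension allow-list and the report path are assumptions to adjust for the machine being examined.

```powershell
# Added example, not code from the original post: triage script that finds
# every folder holding a Cerber "Readme.hta" note and lists the files in it
# whose extension is not on a small allow-list (Cerber's random extensions
# will not be). The note name, the allow-list and the report path are
# assumptions; adjust them for the machine being examined.
param(
    [string]$Root     = $env:USERPROFILE,
    [string]$NoteName = 'Readme.hta',
    [string]$Report   = (Join-Path $env:TEMP 'cerber-triage.csv')
)

# Extensions expected on a typical user profile; anything else is flagged.
$KnownExt = @('.txt', '.doc', '.docx', '.xls', '.xlsx', '.ppt', '.pptx', '.pdf',
              '.jpg', '.jpeg', '.png', '.gif', '.mp3', '.mp4', '.zip', '.rar',
              '.hta', '.exe', '.dll', '.lnk', '.ini', '.log', '.csv', '.xml')

# Every ransom note marks a folder that contains encrypted data.
$notes = Get-ChildItem -Path $Root -Recurse -File -Filter $NoteName -ErrorAction SilentlyContinue

$findings = foreach ($note in $notes) {
    Get-ChildItem -Path $note.DirectoryName -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -ne $NoteName -and
                       $KnownExt -notcontains $_.Extension.ToLower() } |
        ForEach-Object {
            [pscustomobject]@{
                Folder        = $note.DirectoryName
                File          = $_.Name
                Extension     = $_.Extension
                SizeBytes     = $_.Length
                LastWriteTime = $_.LastWriteTime
                RansomNote    = $note.FullName
            }
        }
}

$findings = @($findings)
if ($findings.Count -gt 0) {
    $findings | Export-Csv -Path $Report -NoTypeInformation -Encoding UTF8
}
$folders = @($findings | Select-Object -ExpandProperty Folder -Unique).Count
"{0} ransom notes found; {1} suspicious files in {2} folders; report: {3}" -f `
    @($notes).Count, $findings.Count, $folders, $Report
```

The CSV gives you the list of files and folders to feed into the recovery steps later in this article, and the LastWriteTime column shows when the encryption pass ran.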

There are some workarounds that enable victims to recover their data after the attack. Note that it is critical to remove the Cerber ransomware that assigns random extensions to affected files. The following sections explain the removal and recovery steps for this Cerber random-extension ransomware.

Automatic removal of the newest version of Cerber ransomware

The benefits of using the automatic security suite to get rid of this infection are obvious: it scans the entire system and detects all potential fragments of the virus, so you are a few mouse clicks away from a complete fix.

  1. Download and install the recommended malware security suite.
  2. Select the Start Computer Scan feature and wait until the utility comes up with the scan report. Proceed by clicking the Fix Threats button, which triggers a thorough removal process that addresses all the malware issues compromising your computer and your privacy.

Unlock files with ransom extensions encrypted by Cerber ransomware

Cerber represents a distinct category of malicious software whose impact reaches beyond the operating system and its components, which is why removing the virus itself is only part of the fix. As mentioned, it encrypts personal files, so the next phase of remediation is restoring those files, which will otherwise remain inaccessible.

  • Launch data recovery software

    Like many of its fellow infections, Cerber most likely deletes the original versions of the victim's files and encrypts copies of them. This peculiarity works in your favor, because forensics-focused applications like Data Recovery Pro can restore deleted information. As the virus evolves, its modus operandi may change; in the meantime, go ahead and try this.

  • Take advantage of Volume Shadow Copy Service

    This technique relies on the native backup functionality shipped with the Windows operating system. Also referred to as the Volume Snapshot Service (VSS), this feature takes regular snapshots of the user's files and keeps their most recent versions as long as System Restore is on. The Cerber variant with the Readme.hta ransom note hasn't been found to affect these copies, although, as noted above, it does attempt to disable them, so it is worth checking that snapshots are still present; where they are, this restoration route is strongly recommended. The two sub-sections below cover the automatic and the manual workflow.

  • a) Use Shadow Explorer

    Shadow Explorer is an applet that provides an easy way of retrieving previous versions of files and folders. Its pros include an intuitive interface where the computer's entire file hierarchy is displayed within one window. Just pick the hard disk volume, select the object or directory to be restored, right-click on it and choose Export. Follow the app's prompts to get the job done.

  • b) Use file properties

    Essentially, the Shadow Explorer tool mentioned above automates a process that can otherwise be performed manually via the Properties dialog for individual files. This approach is more cumbersome but just as effective as its software-based counterpart. Right-click a specific file that has been encrypted by Cerber ransomware, aka the Readme.hta file virus, and select Properties in the context menu. Next, open the tab named Previous Versions; it lists the available versions of the file by the date the snapshot was created. Pick the latest copy and complete the retrieval by following the prompts.

  • Data backups work wonders

    Ransomware like Cerber is nowhere near as powerful or destructive if you keep regular file backups in the cloud or on external media. The virus itself can be completely removed in a matter of minutes, and the damaged files can then be just as easily restored from the backup. Luckily, regular backups are a growing trend, so ransom Trojans will hopefully become less disruptive in the near future.
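The Previous Versions workflow in the Volume Shadow Copy section above can be scripted when many files are affected. The block below is an added example, not code from the original post or from any tool it names: it enumerates the shadow copies of the file's volume, exposes each snapshot through a directory symlink, and copies out every earlier version of the file so the intact one can be picked. It assumes an elevated PowerShell prompt (mklink needs it) and the restore and mount paths shown.

```powershell
# Added example, not code from the original post: scripted form of the
# "Previous Versions" recovery above. Enumerates the shadow copies of the
# file's volume, exposes each snapshot through a directory symlink, and copies
# out every earlier version of the file so you can pick the intact one. Run
# from an elevated PowerShell prompt; the restore and mount paths are assumed.
param(
    [Parameter(Mandatory = $true)][string]$OriginalPath,   # e.g. C:\Users\me\Documents\report.docx
    [string]$RestoreDir = (Join-Path $env:USERPROFILE 'Desktop\Restored'),
    [string]$MountPoint = 'C:\ShadowMount'
)

$driveLetter = Split-Path -Qualifier $OriginalPath                  # "C:"
$relative    = $OriginalPath.Substring($driveLetter.Length + 1)     # "Users\me\Documents\report.docx"

# Win32_Volume.DeviceID and Win32_ShadowCopy.VolumeName both use the
# \\?\Volume{GUID}\ form, which is how the two are matched here.
$volumeId = (Get-CimInstance -ClassName Win32_Volume |
             Where-Object { $_.DriveLetter -eq $driveLetter }).DeviceID
$shadows  = Get-CimInstance -ClassName Win32_ShadowCopy |
            Where-Object { $_.VolumeName -eq $volumeId } |
            Sort-Object -Property InstallDate -Descending

# Cerber tries to disable shadow copies (see above); if none survive,
# this route is closed and another recovery method is needed.
if (-not $shadows) { throw "No shadow copies exist for $driveLetter; try another recovery route." }

New-Item -ItemType Directory -Path $RestoreDir -Force | Out-Null
foreach ($s in $shadows) {
    # Directory symlink to the snapshot device; mklink requires the
    # trailing backslash on the device path.
    if (Test-Path -LiteralPath $MountPoint) { cmd /c rmdir "$MountPoint" | Out-Null }
    cmd /c mklink /d "$MountPoint" "$($s.DeviceObject)\" | Out-Null

    $candidate = Join-Path $MountPoint $relative
    if (Test-Path -LiteralPath $candidate) {
        $stamp = $s.InstallDate.ToString('yyyyMMdd-HHmmss')
        $dest  = Join-Path $RestoreDir ('{0}_{1}' -f $stamp, (Split-Path -Leaf $OriginalPath))
        Copy-Item -LiteralPath $candidate -Destination $dest
        "snapshot {0} -> {1}" -f $stamp, $dest
    } else {
        "snapshot {0}: file not present" -f $s.InstallDate
    }
    cmd /c rmdir "$MountPoint" | Out-Null     # removes the link only, not the snapshot
}
```

Run the script once per encrypted file from the triage list; every copy is prefixed with its snapshot time, so a version written before the LastWriteTime of the encrypted file is the one to keep.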

Verify thoroughness of the removal

Having carried out the instructions above, add a finishing touch to the security procedure by running an additional computer scan to check for residual malware activity.
