
Cerber Ransomware Support and Help Topic - CRBR Encryptor


1904 replies to this topic

#1891 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 49,952 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:59 PM

Posted 10 July 2017 - 05:11 PM

You're welcome.
.
.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif


#1892 VOskar

VOskar

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Czech Republic
  • Local time:11:59 PM

Posted 10 July 2017 - 05:14 PM

Someone in this topic wrote that they have a private.key file (not PK file), but I don't know who and cannot find his/her message. Maybe she/he will read this and contact me. :D
The private.key file is for offline decrypting, an internet connection isn't needed, and it contains a specific key, different for each victim. You can get it if you have paid and contact the developers of Cerber to say that the decrypting program does not work.
If anyone has it, please contact me.
 
Edit:
OK, the PK file can also be.

Edited by VOskar, 10 July 2017 - 05:48 PM.


#1893 _mihaita

_mihaita

  • Members
  • 3 posts
  • OFFLINE
  •  

Posted 20 July 2017 - 01:51 AM

 

Someone in this topic wrote that they have a private.key file (not PK file), but I don't know who and cannot find his/her message. Maybe she/he will read this and contact me. :D
The private.key file is for offline decrypting, an internet connection isn't needed, and it contains a specific key, different for each victim. You can get it if you have paid and contact the developers of Cerber to say that the decrypting program does not work.
If anyone has it, please contact me.
 
Edit:
OK, the PK file can also be.

 

Posted by cristy_an on 29 August 2016 - 05:05 PM in Ransomware Help & Tech Support
I received the Checkpoint decryptor cerber12dec.exe from a user who was in that date on checkpoint site.
 
I received a key and a cerber1 file from another user.
 
The decryptor works in this case, but you need the private key. I think the decryptor is the same for every user, but you need the key.
 
I mention that every final cerber file has the same rows in my case; this could give us the particular key, but it is encrypted.
 
I have two keys and their structure is almost the same, but the characters are different, except in the middle, where there are a lot of AAA in both files.
 
Have a good day.



#1894 Emmanuel_ADC-Soft

Emmanuel_ADC-Soft

  • Members
  • 73 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Paris
  • Local time:10:59 PM

Posted 02 August 2017 - 09:32 AM

Hello,

 

Unfortunately for the time being, there is no free decryption solution for files encrypted by the newest Cerber ransomware versions.

 

However, professional and business recovery data services exist. It requires a lot of hard work and it is expensive (between 2700 € to 7000 € for 7 days of decryption work and more if it is an emergency!). We are a partner of Doctor Web and other major recovery data companies.

 

We have more than 80 % data recovery success rate for Cerber ransomware files.

Evaluation is free and there is no obligation quotes.

 

To submit a new case you have to prepare the ransom note and 3 or 4 encrypted files of type doc/xls/docx/xlsx/pdf/jpg with size around 1 mb and file the Doctor Web special form on our website here

 

Even if our website is in French (we are one of the French partners of Doctor Web), we support English requests also.

 

Kind regards,

 

Emmanuel @ADC-Soft



#1895 Emmanuel_ADC-Soft

Emmanuel_ADC-Soft

  • Members
  • 73 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Paris
  • Local time:10:59 PM

Posted 02 August 2017 - 09:34 AM


https://www.pixad.fr/drweb_ransomware/index.php#formulaire

#1896 nopermission

nopermission

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:11:59 PM

Posted 17 August 2017 - 07:34 AM

What does it decrypt and what exactly does anyone know.

 

https://www.zonealarm.com/security/newcart.htm

 

https://www.pcmag.com/review/355010/check-point-zonealarm-anti-ransomware

 

https://blog.checkpoint.com/2017/08/15/zonealarm-anti-ransomware-earns-editors-choice-pc-magazine/

 



#1897 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 49,952 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:59 PM

Posted 17 August 2017 - 05:30 PM

It is a ransomware prevention tool that comes with a 30 day free trial, then costs $1.99 per month/$2.99 per month for up to 3 computers.

Check Point ZoneAlarm Anti-Ransomware

...analyzes all suspicious activities on your PC. It detects Ransomware attacks, blocks them and immediately restores any encrypted files.



#1898 nopermission

nopermission

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:11:59 PM

Posted 17 August 2017 - 06:17 PM

Whether it is for an already encrypted compile or during an attack by Ransomware
If someone tries to share the excuse for the bad translation

 

https://ransomfree.cybereason.com/

https://www.pcmag.com/roundup/353231/the-best-ransomware-protection


Edited by nopermission, 18 August 2017 - 04:38 AM.


#1899 kenor4

kenor4

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:11:59 PM

Posted 19 September 2017 - 03:21 PM

I found out what is going on here. TrendMicro's decrypter is for real Cerber (10_random_chars.cerber), but it is not a real decrypter. It is able to "decrypt" only a few types of encrypted files (pdf, zip, office documents, etc. files with known header or recoverable header), but decrypted files are not a 1:1 image of the files before encryption.
The reason for that is that Cerber takes up to 34 bytes from the header, replaces them with random data, generates a weak fast key and encrypts this information with a generated RSA key. Then Cerber randomly chooses a few blocks (depending on the configuration file located in the resources of Cerber) and encrypts them with this weak fast key. This weak key can be exploited and guessed when you have all encrypted files, but it doesn't solve the whole problem, because 34 bytes from the header are still missing. These 34 bytes can be reconstructed or entirely omitted in several file types of course and that is how TrendMicro's decrypter for Cerber works.

I did run 2 test sets and it was able to "decrypt" only 7 files from 278.

 

Is it possible to reconstruct these 34 bytes in image files? => Is it possible to decrypt images with TrendMicro's decrypter?

I tried it and decrypted some files. But I can open them.

Is there another way to repair these images?

Thx.
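
As an added illustration of the header problem described in the quoted explanation above (not code from any poster, from Trend Micro or from this thread): in a PNG the first 34 bytes hold not only the fixed signature but also the image width, height and a CRC over them, so rewriting just the bytes that are constant for the format still leaves a header that fails the format's own integrity check. The 34-byte figure comes from the post; the function names and the overwrite pattern are constructed for the example.

```python
import struct
import zlib

HEADER_LEN = 34  # bytes the post says Cerber overwrites at the start of a file
PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Constructed stand-in for the random overwrite (fixed pattern, not real data).
OVERWRITE = bytes((i * 37 + 11) % 256 for i in range(HEADER_LEN))


def make_png_prefix(width, height):
    """Constructed test input: PNG signature + IHDR chunk, 33 bytes in total."""
    ihdr = b"IHDR" + struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIG + struct.pack(">I", 13) + ihdr + struct.pack(">I", zlib.crc32(ihdr))


def png_header_state(data):
    """Classify the start of a recovered file that is expected to be a PNG."""
    if len(data) < 33:
        return "too short"
    if data[:8] != PNG_SIG:
        return "signature missing"
    length, ctype = struct.unpack(">I4s", data[8:16])
    if length != 13 or ctype != b"IHDR":
        return "IHDR missing"
    (stored_crc,) = struct.unpack(">I", data[29:33])
    if zlib.crc32(data[12:29]) != stored_crc:
        return "IHDR fields damaged"  # width/height/CRC are file-specific
    return "intact"


def restore_constants(data):
    """Rewrite only offsets 0-15, the bytes that are the same in every PNG."""
    return PNG_SIG + struct.pack(">I", 13) + b"IHDR" + data[16:]


def demo():
    original = make_png_prefix(640, 480) + b"\x00\x00\x00\x00IDAT"
    damaged = OVERWRITE + original[HEADER_LEN:]
    return (png_header_state(original),
            png_header_state(damaged),
            png_header_state(restore_constants(damaged)))


if __name__ == "__main__":
    print(demo())
```
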



#1900 aureliouch

aureliouch

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:10:59 PM

Posted 19 October 2017 - 08:04 AM

I just read this article https://www.bleepingcomputer.com/news/security/goodbye-cerber-hello-magniber-ransomware/ and was thinking: is this the path for the reveal of a final decryptor for Cerber???



#1901 Palmsbeach

Palmsbeach

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:03:59 PM

Posted 26 October 2017 - 05:34 PM

My data server was encrypted by a virus that encrypted all my files to .cerber and also created a temporary user so that nothing on it could be used. I created a boot disk with DLC and pulled off all the encrypted files, and the staff of the site https://www.certsi.es helped me. I sent my case to incidencias@certsi.es and within 4 days they sent me the solution, which was an executable file called Decrypt.exe plus a file that was the password, and it worked. This program decrypted all my files without problems.

 

I had to format the server, but I did not lose my files.



#1902 proios

proios

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:12:59 AM

Posted 27 October 2017 - 01:31 AM

Thank you very much for the information. I also have my personal files encrypted to .cerber (version V1 of the .Cerber ransomware). I tried to decrypt them with Trend Micro's .exe but without success. I read the previous message and sent an email with a sample file to "incidencias@certsi.es". As I live in Greece I don't know whether the people at Certsi.es help people outside Spain, but I am awaiting their help.

 

Thank you very much for the information



#1903 44res

44res

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:59 PM

Posted 27 October 2017 - 03:45 AM

I was infected with this virus in March 2016. Still no cure?



#1904 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 49,952 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:59 PM

Posted 27 October 2017 - 06:05 AM

Trend Micro released a Ransomware File Decryptor for victims of earlier Cerber v1 infections but it has limitations. BloodDolly explains why the decrypter is not very effective. Unfortunately, there still is no known way to decrypt files encrypted by Cerber v2/v3 or newer v4x/v5x and CRBR Encryptor variants which use 10 random characters with a random 4 character hexadecimal extension (i.e. 1xQHJgozZM.b71c) without paying the ransom.

#1905 samwiseOrgin

samwiseOrgin

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:06:59 AM

Posted 02 November 2017 - 10:06 PM

Can anyone confirm whether payment page of the CRBR ransomware is still active and running? 

Lots of reports in Korea show that victims cannot even connect to the payment page after both initial infection and after payment process.


Edited by samwiseOrgin, 03 November 2017 - 03:37 AM.




