Cerber Ransomware Support and Help Topic - # DECRYPT MY FILES #.html/.txt/.vbs


1837 replies to this topic

#1 God-father

God-father

  • Members
  • 11 posts
  • OFFLINE
  •  

Posted 27 February 2016 - 06:26 AM

Hi all,

Yesterday, my laptop got infected with a virus that encrypts my files one by one. It happened when I was connecting to a wifi hotspot and browsing a general website, and suddenly it redirected to a commercial website which I really didn't want to open. So when I closed the tab, suddenly all my applications shut down and finally my laptop restarted. When it booted up, my files began to be encrypted with the .cerber extension. Here I attach the capture of my files:

55qwwy.jpg

30holsm.jpg

And also here I attach the capture of the .exe in AppData:

2wd6c91.jpg

Please help me because it infected almost all my important files. Please help to clean the virus and how to decrypt all my files.

Thanks a lot before, master.


Edited by xXToffeeXx, 17 August 2016 - 03:02 PM.



#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 47,883 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:13 AM

Posted 27 February 2016 - 07:20 AM


I have advised our Security Colleagues who specialize in crypto malware ransomware with a link to this topic.
 


Edited by xXToffeeXx, 29 June 2016 - 04:05 PM.
Removed link to upload files since we no longer need cerber files~

Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 5,918 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:04:13 PM

Posted 27 February 2016 - 07:23 AM

Hi God-father,

Please upload that executable to the link in the post above by quietman7; once we have the malware we can look into it and hopefully find a solution to get your files back.

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

~Currently in my last year of school, so replies might be more delayed~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

~Twitter~ | ~Malware Analyst at Emsisoft~


#4 razor92

razor92

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:13 PM

Posted 27 February 2016 - 10:22 AM

Can you share the binary with us for further analysis? Thanks!



#5 God-father

God-father
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  

Posted 27 February 2016 - 07:42 PM

Hi quietman7 and toffee,

I have uploaded encrypted files and ransom notes to the above link, and FYI my folder options didn't show up, so I can't see any hidden files, including AppData and all the folders inside it. Please advise. Thanks before.



#6 God-father

God-father
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  

Posted 27 February 2016 - 11:29 PM

Hi all,

Based on your tutorial above, I can access the temp data, AppData, etc. I have captured all my findings and attach them here in my Google Drive folder.

https://drive.google.com/folderview?id=0B0KGL-hCEMbCcmpaUld0cFl3Yjg&usp=sharing

And also, I didn't find any .exe which is malicious, but I found a malicious .exe (upnpcont.exe) in my cmd, and when I checked those folders, the upnpcont.exe didn't exist.

mt3s51.jpg

Please advise. Those are some of my important files which got infected and I really need them next week. I am just curious why not all my data got infected; did it happen because the trojan (upnpcont.exe) doesn't exist anymore, or what? And FYI, I have antivirus on my laptop, and there aren't any quarantined files in there.

Thanks a lot before

 



#7 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 2,689 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:13 AM

Posted 27 February 2016 - 11:44 PM

If you open the "# DECRYPT MY FILES #.vbs" with Notepad, does it look like it has the same contents as the .txt version? I find that really curious that they drop a vbs script as a version of the ransom note.

This is definitely very new, and there may not be much that can be done until the malicious file itself is caught and analyzed. I've only found one reference to this ransomware on a French website posted tonight.

https://forum.malekal.com/fiche-cerber-crypto-ransomware-t54561.html

English translation below.

> Cerber is Crypto-Ransomware (ransomware that encrypts files) that appeared in late February 2016 and targets Windows operating systems.
>
> The ransomware will modify the extensions of encrypted files to .cerber and remove the following files:
> # DECRYPT MY FILES #.txt
> # DECRYPT MY FILES #.html
> # DECRYPT MY FILES #.vbs
>
> containing payment instructions through the TOR network.
> You must buy the Cerber Decryptor with Bitcoin.
>
> Here is the page with the instructions to purchase the Cerber Decryptor:
>
> Ransomware_Cerber_Decryptor.png

 

 

I would suggest running MalwareBytes and HitmanPro to see if they catch any malicious executables, hopefully one is the virus that encrypted the files.


Edited by Demonslay335, 27 February 2016 - 11:48 PM.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]
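The indicators the post above lists (a .cerber extension on the encrypted files and the three "# DECRYPT MY FILES #" note variants) are enough for a read-only triage scan of a suspect machine. The following Python script is an added example written for this page; it is not code from the thread, from ID Ransomware, RansomNoteCleaner, CryptoSearch or any other tool named here. The directory layout and file contents it builds are constructed sample data. It opens the ransom notes, including the .vbs, as plain bytes and prints their first line, so the script file is displayed rather than handed to the Windows script host.

```python
"""Read-only inventory of the Cerber artifacts described in the thread.

Added example, not code from the thread or any named tool.  Indicators are
taken from the posts above: encrypted files carry a .cerber extension and the
ransom note is dropped as "# DECRYPT MY FILES #" in .txt/.html/.vbs form.
"""
import os
import tempfile
from collections import Counter
from dataclasses import dataclass, field

ENCRYPTED_EXT = ".cerber"
RANSOM_NOTE_NAMES = {
    "# DECRYPT MY FILES #.txt",
    "# DECRYPT MY FILES #.html",
    "# DECRYPT MY FILES #.vbs",
}


@dataclass
class ScanResult:
    encrypted: list = field(default_factory=list)       # paths of *.cerber files
    notes: list = field(default_factory=list)           # paths of ransom notes
    note_previews: dict = field(default_factory=dict)   # note path -> first text line
    dirs_hit: Counter = field(default_factory=Counter)  # directory -> encrypted count


def read_note_as_text(path, max_chars=200):
    """Open a note read-only as bytes and decode it.  Treating the .vbs this
    way shows its source text; the file is never executed."""
    with open(path, "rb") as fh:
        data = fh.read(max_chars)
    if not data:
        return ""
    return data.decode("utf-8", errors="replace").splitlines()[0]


def scan_tree(root):
    """Walk `root` and collect encrypted files and ransom notes by name only."""
    result = ScanResult()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if name.lower().endswith(ENCRYPTED_EXT):
                result.encrypted.append(full)
                result.dirs_hit[dirpath] += 1
            elif name in RANSOM_NOTE_NAMES:
                result.notes.append(full)
                result.note_previews[full] = read_note_as_text(full)
    return result


def make_sample_tree():
    """Constructed sample data, not real Cerber output: a temp tree with three
    'encrypted' files, one untouched file and the three note variants."""
    root = tempfile.mkdtemp(prefix="cerber_scan_demo_")
    docs = os.path.join(root, "Documents")
    pics = os.path.join(root, "Pictures")
    os.makedirs(docs)
    os.makedirs(pics)
    for rel in ("Documents/thesis.docx.cerber",
                "Documents/budget.xlsx.cerber",
                "Pictures/holiday.jpg.cerber"):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(b"\x00constructed-ciphertext\x00")
    with open(os.path.join(docs, "readme.txt"), "w", encoding="utf-8") as fh:
        fh.write("untouched file\n")
    for note in RANSOM_NOTE_NAMES:
        with open(os.path.join(docs, note), "w", encoding="utf-8") as fh:
            fh.write("CONSTRUCTED NOTE: your files are encrypted\n")
    return root


if __name__ == "__main__":
    sample_root = make_sample_tree()
    res = scan_tree(sample_root)
    print(f"{len(res.encrypted)} encrypted files, {len(res.notes)} ransom notes")
    for directory, count in res.dirs_hit.most_common():
        print(f"  {count:3d} encrypted in {directory}")
    for path, first_line in res.note_previews.items():
        print(f"  note {os.path.basename(path)!r}: {first_line}")
```

Pointing `scan_tree()` at a real drive root instead of the sample tree gives a per-directory count of encrypted files, which is the quickest way to judge how far the encryption got before the process stopped, and a list of note locations to clean up afterwards. Matching on exact note names rather than content keeps the scan from opening arbitrary files.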


#8 God-father

God-father
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  

Posted 28 February 2016 - 12:45 AM

Hi demonslay,

Thanks before for your concern. I have uploaded all files to the link that was shared by quietman7, and I am afraid to open that .vbs file. Maybe moderator quietman7 or toffee can give their analysis regarding those files. OK, I will install Malwarebytes on my laptop soon.



#9 White Hat Mike

White Hat Mike

  • Members
  • 312 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:::1
  • Local time:11:13 AM

Posted 28 February 2016 - 01:58 AM

If you open the file in a text editor such as Notepad, it will not execute; it will simply show you the contents of the file. It's imperative that you "open" or "edit" it in a text editor rather than "run" or "execute" the file. If you're comfortable doing so, simply submit the files and let the pros handle it.

If you could wrap up all of the files you've located and compress them into a ZIP or RAR archive, then upload them to Mega and send me the direct (download) link, I would be more than happy to analyze the files and provide you (as well as BC) with my findings.


Information Security Engineer | Penetration Tester | Forensic Analyst

CipherTechs.com


#10 God-father

God-father
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  

Posted 28 February 2016 - 02:00 AM

Hi all,

I have scanned with Malwarebytes but there is nothing I can find.

When I use HitmanPro, I captured this:

bfjscz.jpg

upnpconf.exe has been detected but it doesn't exist anymore in the folder location.

Please advise.



#11 MalwareBlocker

MalwareBlocker

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Everywhere
  • Local time:05:13 PM

Posted 28 February 2016 - 02:14 AM

> If you open the "# DECRYPT MY FILES #.vbs" with Notepad, does it look like it has the same contents as the .txt version? I find that really curious that they drop a vbs script as a version of the ransom note.

Content of the VBS:

speech-vbs.jpg

> This is definitely very new, and there may not be much that can be done until the malicious file itself is caught and analyzed. I've only found one reference to this ransomware on a French website posted tonight.
>
> https://forum.malekal.com/fiche-cerber-crypto-ransomware-t54561.html

Yes. We are all searching for a sample, nothing yet.

> upnpconf.exe has been detected but it doesn't exist anymore in the folder location.

If it was set to run with Windows, I don't think it deleted itself.
Is there anything left in that folder, or is it empty?

Edited by Grinler, 01 August 2016 - 04:31 PM.


#12 God-father

God-father
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  

Posted 28 February 2016 - 02:28 AM

Based on the capture in the HitmanPro software, do you think I should repair the upnpcont.exe to get that exe again so that I can send it to this thread?

And also I have uploaded all files regarding this case to my Google Drive; here you can analyse these files.

https://drive.google.com/open?id=0B0KGL-hCEMbCRTFuNVh6RUNGd0E

Appreciate and thanks before for support.


Edited by God-father, 28 February 2016 - 03:34 AM.


#13 God-father

God-father
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  

Posted 28 February 2016 - 02:33 AM

> > If you open the "# DECRYPT MY FILES #.vbs" with Notepad, does it look like it has the same contents as the .txt version? I find that really curious that they drop a vbs script as a version of the ransom note.
>
> Content of the VBS:
> speech-vbs.jpg
>
> > This is definitely very new, and there may not be much that can be done until the malicious file itself is caught and analyzed. I've only found one reference to this ransomware on a French website posted tonight.
> >
> > https://forum.malekal.com/fiche-cerber-crypto-ransomware-t54561.html
>
> Yes. We are all searching for a sample, nothing yet.
>
> > upnpconf.exe has been detected but it doesn't exist anymore in the folder location.
>
> If it was set to run with Windows, I don't think it deleted itself.
> Is there anything left in that folder, or is it empty?

Hi MalwareBlocker,

The folder is empty even though I have enabled "show hidden files", but based on my last post it is still captured by HitmanPro; they said it doesn't exist and can be repaired, since there is a repair button. Please advise.

#14 MalwareBlocker

MalwareBlocker

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Everywhere
  • Local time:05:13 PM

Posted 28 February 2016 - 02:40 AM

> Based on the capture in the HitmanPro software, do you think I should repair the upnpcont.exe to get that exe again so that I can send it to this thread?
>
> And also I have uploaded all files regarding this case to my Google Drive; here you can analyse these files.
>
> https://drive.google.com/open?id=0B0KGL-hCEMbCLWNVcEJBZUswcE0
>
> Appreciate and thanks before for support.

Repairing won't give you the file back. It is just for removing the startup entry.

You said in a reply that you are using an antivirus. Please check the logs for an entry about that folder (and the files in it).

Also, can you try using data recovery software and see if it can recover that file?



#15 God-father

God-father
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  

Posted 28 February 2016 - 06:26 AM

 

> > Based on the capture in the HitmanPro software, do you think I should repair the upnpcont.exe to get that exe again so that I can send it to this thread?
> >
> > And also I have uploaded all files regarding this case to my Google Drive; here you can analyse these files.
> >
> > https://drive.google.com/open?id=0B0KGL-hCEMbCLWNVcEJBZUswcE0
> >
> > Appreciate and thanks before for support.
>
> Repairing won't give you the file back. It is just for removing the startup entry.
>
> You said in a reply that you are using an antivirus. Please check the logs for an entry about that folder (and the files in it).
>
> Also, can you try using data recovery software and see if it can recover that file?

I've checked through the antivirus quarantine; there's nothing. And I have tried using data recovery software and found this about upnpcont.exe:

akuxs7.jpg

But it's in a different location/partition with the same folder name, and its date is different from when the case occurred. Is it the correct .exe? Because I didn't find any .exe regarding this case.





