CERBER RANSOMWARE
-
- SilverLounger
- Posts: 2333
- Joined: 28 Mar 2010, 01:49
CERBER RANSOMWARE
My file names suddenly and randomly turned into gibberish, such as:
BI3kD1SVmw.9074
-CX3nSIbso.9074
dDhYpnJ6Nz.9074
_READ_THI$_FILE_71KK4_.txt
_READ_THI$_FILE_QGXQN_.hta
VgalWp11MM.9074
Etc.
I found a text file from CERBER RANSOMWARE that appears to have been responsible for this. Has anyone encountered this before?
Regards,
JMT
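The file names quoted in the post above follow a recognisable pattern: ten random characters plus a short extension shared by every encrypted file, alongside ransom notes named `_READ_THI$_FILE_<id>_.txt` and `.hta`. The following Python script is an added example, not part of the original thread or of any vendor tool, that flags a directory listing which looks like it has been through that renaming. The sample listing is constructed to resemble the names in the post, and the regular expressions are written from those names alone, so the patterns are assumptions about this particular sample rather than a definitive signature.

```python
import os
import re
from collections import Counter

# Constructed sample listing, modelled on the names quoted in the post above
# plus a few ordinary files; it is not taken from any real system.
SAMPLE_LISTING = [
    "BI3kD1SVmw.9074",
    "-CX3nSIbso.9074",
    "dDhYpnJ6Nz.9074",
    "_READ_THI$_FILE_71KK4_.txt",
    "_READ_THI$_FILE_QGXQN_.hta",
    "VgalWp11MM.9074",
    "budget-2017.xlsx",
    "holiday.jpg",
    "outlook.pst",
]

# Ten random characters followed by a four-character extension, as in the post
# (assumption derived from the sample names, not a general rule).
RENAMED_RE = re.compile(r"^[A-Za-z0-9_-]{10}\.[A-Za-z0-9]{4}$")
# Ransom note names of the form _READ_THI$_FILE_<id>_.txt / .hta, as in the post.
NOTE_RE = re.compile(r"^_READ_THI\$_FILE_[A-Za-z0-9]+_\.(?:txt|hta)$", re.IGNORECASE)


def classify(name: str) -> str:
    """Return 'note', 'renamed' or 'normal' for one file name."""
    if NOTE_RE.match(name):
        return "note"
    if RENAMED_RE.match(name):
        return "renamed"
    return "normal"


def scan_listing(names):
    """Summarise a list of file names and decide whether it looks encrypted.

    The verdict is True when at least one ransom note is present, or when
    three or more renamed files all share one and the same extension.
    """
    notes = [n for n in names if classify(n) == "note"]
    renamed = [n for n in names if classify(n) == "renamed"]
    extensions = Counter(n.rsplit(".", 1)[1].lower() for n in renamed)
    dominant_count = extensions.most_common(1)[0][1] if extensions else 0
    suspicious = bool(notes) or (dominant_count >= 3 and len(extensions) == 1)
    return {
        "notes": notes,
        "renamed": renamed,
        "extensions": dict(extensions),
        "suspicious": suspicious,
    }


def scan_directory(root):
    """Walk a real directory tree and apply scan_listing to every file name."""
    names = []
    for _dirpath, _dirnames, filenames in os.walk(root):
        names.extend(filenames)
    return scan_listing(names)


if __name__ == "__main__":
    result = scan_listing(SAMPLE_LISTING)
    print("ransom notes :", result["notes"])
    print("renamed files:", len(result["renamed"]), result["extensions"])
    print("suspicious   :", result["suspicious"])
```

A legitimate file such as `report2016.docx` also matches the ten-plus-four shape, which is why the verdict requires either a ransom note or several renamed files sharing a single extension; on a real share, `scan_directory` over a mounted backup gives a quick way to tell a clean image from one that was taken after the encryption started.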
-
- Panoramic Lounger
- Posts: 7829
- Joined: 25 Jan 2010, 09:09
- Location: retirement
Re: CERBER RANSOMWARE
I've never been got by ransomware but it is a known issue, background reading here:
https://en.wikipedia.org/wiki/Ransomware
As far as I know the only fix for any sort of ransomware is to wipe your disk completely and then restore from a backup that is known to be free from the ransomware.
Ken
-
- cheese lizard
- Posts: 6241
- Joined: 16 Jan 2010, 00:14
- Location: Sydney Australia
Re: CERBER RANSOMWARE
To learn a bit more about that specific ransomware, take a look here:
https://blog.malwarebytes.com/threat-an ... ut-mature/
Cheers, Claude.
-
- cheese lizard
- Posts: 6241
- Joined: 16 Jan 2010, 00:14
- Location: Sydney Australia
Re: CERBER RANSOMWARE
While I can't guarantee that this will work (the ransomware may have changed since the video was produced), I'd give this a go before wiping your hard drive.
Video on how to remove Cerber ransomware.
Cheers, Claude.
-
- PlatinumLounger
- Posts: 5325
- Joined: 24 Jan 2010, 08:33
- Location: A cathedral city in England
Re: CERBER RANSOMWARE
A charity I know got attacked with that.
I'm with Ken here - the quickest way out was for me to reinstall the offending (XP) PC, and restore back the shared drive whose files had been encrypted.
Luckily almost all the other PCs on the LAN were powered off at the time...
John Gray
The Stone Age didn't end because we ran out of stones.
-
- SilverLounger
- Posts: 2333
- Joined: 28 Mar 2010, 01:49
Re: CERBER RANSOMWARE
I removed the program using Malwarebytes, but now I am having trouble restoring my files from my backup. Each time I mount the backup and try to copy my uninfected files into Windows, I get messages from Windows explorer telling me that the path would be too long. How do I get around this?
Regards,
JMT
-
- Administrator
- Posts: 12436
- Joined: 16 Jan 2010, 15:49
- Location: London, Europe
Re: CERBER RANSOMWARE
Can you restore the files using the same backup software as you used to create them?
I am not sure that using Malwarebytes is enough. The general advice when you get infected with ransomware is to wipe ALL your disks and restore / reinstall everything.
StuartR
-
- SilverLounger
- Posts: 2333
- Joined: 28 Mar 2010, 01:49
Re: CERBER RANSOMWARE
My backup was created with ShadowProtect. I am attempting to restore the files on that backup with ShadowProtect, but ShadowProtect mounts all of the files on a virtual drive and then I must copy and paste them from that virtual drive to my C drive. I am constantly getting errors because of the length of the file names and paths.
It seems my computer was infected yesterday, 19 Apr. 2017. Because I was having issues copying everything, I tried to restore my 16 Apr. image to my laptop. It restored successfully. But then after I had restored it and logged on to my computer, I ran Malwarebytes but it again found Cerber Ransomware.
It infected the external hard drive that hosted my SP backups before I was able to discover and stop the process and delete the Ransom.Cerber file at C:\Users\\AppData\Roaming\wNuhP.exe.
So now I have a computer that is functioning and that shows Cerber Ransomware has been removed, but I cannot be 100% sure, and I have no backups.
What is very strange is that I restored this same backup to another computer and ran Malwarebytes, but it did not detect Cerber Ransomware. The only difference between that computer and this one is that on this one, I copied the most recent PSTs from my computer before doing the restore and then pasted them into the computer following the restore of the 16 Apr. image.
Could something in those PST files contain the infected files? If so, there would be no good in wiping all my disks and then starting from scratch and restoring my files because the very PSTs might be compromised.
Regards,
JMT
-
- Administrator
- Posts: 12436
- Joined: 16 Jan 2010, 15:49
- Location: London, Europe
Re: CERBER RANSOMWARE
The only safe way to recover is to wipe the computer and then either reinstall Windows or restore an image backup.
StuartR
-
- PlatinumLounger
- Posts: 5685
- Joined: 24 Jan 2010, 19:16
- Location: Cape Cod, Massachusetts,USA
Re: CERBER RANSOMWARE
StuartR wrote:
The only safe way to recover is to wipe the computer and then either reinstall Windows or restore an image backup.
Does this latest junk get into an external HDD on USB? (my images)
BOB

______________________________________
If I agreed with you we'd both be wrong.
-
- PlatinumLounger
- Posts: 5325
- Joined: 24 Jan 2010, 08:33
- Location: A cathedral city in England
Re: CERBER RANSOMWARE
If the external HDD was connected/online when the Cerber ransomware was searching the system, the answer is probably Yes. But note that it is selective about the file types it encrypts.
John Gray
The Stone Age didn't end because we ran out of stones.
-
- SilverLounger
- Posts: 2333
- Joined: 28 Mar 2010, 01:49
Re: CERBER RANSOMWARE
StuartR wrote:
The only safe way to recover is to wipe the computer and then either reinstall Windows or restore an image backup.
This is, effectively, what I did. I restored a 16 Apr. image of the computer back to the infected computer (as part of the restore, SP wipes the hard drive). I also restored the image on to a second backup computer.
On the previously-infected computer, just before I wiped the disk and restored the image, I copied the most recent files that I had created or modified since the 16 Apr. image so that I could paste them on to the computer following the restoration of the 16 Apr. image. I copied those images to the same USB that contained the backup images.
After I completed the restore, I began copying the images from the external USB to the restored computer. Then, partway into it, I found a process that was encrypting the files on the external USB--Cerber Ransomware was still somehow operating on my system following the restore. I don't understand how that could have happened; the 16 Apr. image is clean; I restored it to a second computer and ran Malwarebytes and it did not find any malware.
It seems that somehow, when I was copying files from the infected computer to the external drive, the malware got on the external drive. I do not, however, know how it could have been activated to encrypt the files on the external hard drive; I understand Cerber Ransomware is activated through a macro in an email file attachment, which I did not open or activate.
Fortunately, I managed to restore the infected laptop just before the backups got encrypted. I then ran the following scans to ensure Cerber Ransomware was no longer on my restored system:
- Malwarebytes
- Super Anti-Spyware
- Sophos Clean
- Windows Defender
It appears now that the computer that was previously infected is now clear from any threat. I feel comfortable that Sophos Clean did not find a threat since that program is specifically designed to find ransomware, including Cerber, though their product Intercept X, which I don't have, is the more specialized software.
Regards,
JMT
-
- SilverLounger
- Posts: 2333
- Joined: 28 Mar 2010, 01:49
Re: CERBER RANSOMWARE
StuartR wrote:
The only safe way to recover is to wipe the computer and then either reinstall Windows or restore an image backup.
I have one more comment to Stuart's recommendation. It may not be possible to determine when an infection on one's system took place. Therefore, selecting which backup to restore could be tricky. The farther back one goes, the more likely he will choose a backup that is infection-free, but many of the files will not be available. The more recent one goes, the higher the chances that the infection will be in the restored image, but he will have more recent files.
The approach I took was to copy files from the infected system that had not yet been encrypted (e.g., my PST files, which Cerber could not encrypt because they were open while the infection was occurring) and to copy these files to the post-restored system so that I would have all my recent files. However, as mentioned above, this could have played a role in the fact that I still found Cerber in the post-recovered environment encrypting the files on my external hard drive. I may never know how that happened, but I believe my system is now clean.
I sincerely hope that justice will be brought to these cyber criminals for their extortion.
Regards,
JMT
-
- SilverLounger
- Posts: 2333
- Joined: 28 Mar 2010, 01:49
Re: CERBER RANSOMWARE
I just scanned the external hard drive that contained the SP images with Malwarebytes, which found no threat. So I guess my theory of the malware somehow getting onto the external hard drive and executing itself thereon is off. Somehow, it must have gotten itself onto the computer to which the external hard drive was connected and then attacked the files on the external hard drive.
I deleted all of the corrupted/encrypted files off of the external hard drive and then wiped the external drive using CCleaner. Is it safe to conclude that that external hard drive is now free from threats? There are no contents visible on that drive, including when I set hidden files and folders to be visible.
Regards,
JMT
-
- Administrator
- Posts: 12436
- Joined: 16 Jan 2010, 15:49
- Location: London, Europe
Re: CERBER RANSOMWARE
jmt356 wrote:
...
I deleted all of the corrupted/encrypted files off of the external hard drive and then wiped the external drive using CCleaner. Is it safe to conclude that that external hard drive is now free from threats? There are no contents visible on that drive, including when I set hidden files and folders to be visible.
This is a safe assumption, but only if you did this from a computer which was not infected at the time.
It wouldn't harm to reformat the drive, to remove the last vestiges of the MBR, which can contain code.
StuartR
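The point made above, that deleting files leaves the MBR and whatever boot code it holds untouched, can be checked directly: the MBR is just the first 512 bytes of the disk, with a 440-byte boot code area, four 16-byte partition entries at offset 446 and the 0x55AA signature at offset 510. The Python below is an added example, not code from this thread, from CCleaner or from StorageCraft; it parses a sector and reports whether it still carries boot code. The sample sector it builds is synthetic (the opening stub bytes are illustrative only), and `read_mbr` assumes you point it at a device path such as `\\.\PhysicalDrive1` on Windows or `/dev/sdb` on Linux with administrator rights.

```python
import struct

SECTOR = 512
BOOTSTRAP_LEN = 440     # classic x86 boot code area at the start of the sector
PART_TABLE_OFF = 446    # four 16-byte partition entries follow the boot code
SIGNATURE_OFF = 510     # 0x55 0xAA marks a valid MBR
PART_ENTRY = "<B3xB3xII"  # status, (CHS start skipped), type, (CHS end skipped), LBA start, sector count


def read_mbr(device_path):
    """Read the first sector of a disk image or block device.

    For a real device this needs administrator rights, e.g. r'\\\\.\\PhysicalDrive1'
    on Windows or '/dev/sdb' on Linux (paths are assumptions for illustration).
    """
    with open(device_path, "rb") as fh:
        return fh.read(SECTOR)


def parse_mbr(sector):
    """Split a 512-byte sector into signature check, boot code check and partition list."""
    if len(sector) != SECTOR:
        raise ValueError("expected a 512-byte sector")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, num_sectors = struct.unpack_from(
            PART_ENTRY, sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:  # type 0 means an unused entry
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": num_sectors})
    return {
        "valid_signature": sector[SIGNATURE_OFF:SIGNATURE_OFF + 2] == b"\x55\xAA",
        "bootstrap_nonzero": any(sector[:BOOTSTRAP_LEN]),
        "partitions": partitions,
    }


def mbr_retains_code(sector):
    """True when the sector still carries executable boot code: a valid signature
    plus a non-empty bootstrap area. A file-level wipe leaves this as it was;
    writing a fresh MBR (re-partitioning, or an imager's 'new MBR' option) or
    zeroing the sector does not."""
    info = parse_mbr(sector)
    return info["valid_signature"] and info["bootstrap_nonzero"]


def build_sample_mbr(with_boot_code=True):
    """Construct a synthetic MBR: an illustrative bootstrap stub, one bootable
    NTFS partition (type 0x07) starting at LBA 2048, and the 0x55AA signature."""
    sector = bytearray(SECTOR)
    if with_boot_code:
        stub = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C"  # illustrative opening bytes only
        sector[:len(stub)] = stub
    struct.pack_into(PART_ENTRY, sector, PART_TABLE_OFF, 0x80, 0x07, 2048, 204800)
    sector[SIGNATURE_OFF:SIGNATURE_OFF + 2] = b"\x55\xAA"
    return bytes(sector)


if __name__ == "__main__":
    for label, sec in (("sample MBR", build_sample_mbr()),
                       ("zeroed sector", bytes(SECTOR))):
        info = parse_mbr(sec)
        print(label, "-> signature:", info["valid_signature"],
              "boot code:", info["bootstrap_nonzero"],
              "partitions:", info["partitions"],
              "retains code:", mbr_retains_code(sec))
```

Run `parse_mbr(read_mbr(path))` against the external drive before and after re-partitioning it from a known-clean machine: a drive that has merely had its files deleted reports the old signature and non-zero boot code, whereas a freshly initialised one shows the new partition table you just created. The check only tells you the boot area was rewritten, not that the old code was benign or malicious; that remains a question for the scanners already mentioned in the thread.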
-
- SilverLounger
- Posts: 2333
- Joined: 28 Mar 2010, 01:49
Re: CERBER RANSOMWARE
StuartR wrote:
It wouldn't harm to reformat the drive, to remove the last vestiges of the MBR, which can contain code.
Does CCleaner not do this? I was under the impression that my external drive is now 100% wiped.
Regards,
JMT
-
- Administrator
- Posts: 12436
- Joined: 16 Jan 2010, 15:49
- Location: London, Europe
Re: CERBER RANSOMWARE
I don't think that CCleaner rewrites the MBR on a disk. Someone else may know better...
StuartR
-
- PlatinumLounger
- Posts: 5685
- Joined: 24 Jan 2010, 19:16
- Location: Cape Cod, Massachusetts,USA
Re: CERBER RANSOMWARE
StuartR wrote:
I don't think that CCleaner rewrites the MBR on a disk. Someone else may know better...
I agree. CCleaner does not re-write the MBR. An imager like True Image and others will create a new MBR when doing a restore, IF you select that option.
BOB

______________________________________
If I agreed with you we'd both be wrong.
-
- SilverLounger
- Posts: 2333
- Joined: 28 Mar 2010, 01:49
Re: CERBER RANSOMWARE
Can I use ShadowProtect to rewrite the MBR of my external hard drive? I think there might be a tool in the recovery environment, to which I can boot my system, but I am not finding a wipe tool within ShadowProtect when launched after logging into Windows.
Will reformatting the external hard drive within Windows do the trick or will that just render it unusable?
Regards,
JMT
-
- BronzeLounger
- Posts: 1220
- Joined: 25 Jan 2010, 22:25
- Location: Pickering, Ontario, Canada
Re: CERBER RANSOMWARE
jmt356 wrote:
Can I use ShadowProtect to rewrite the MBR of my external hard drive? I think there might be a tool in the recovery environment, to which I can boot my system, but I am not finding a wipe tool within ShadowProtect when launched after logging into Windows.
Will reformatting the external hard drive within Windows do the trick or will that just render it unusable?
Using the Recovery Environment bootable media, ShadowProtect can restore the MBR from either the backup image file or create a new one if restoring to a new hard drive.
There should not be the need to reformat the target drive, as ShadowProtect will overwrite everything on the drive.
I am not sure which version of ShadowProtect you are using, ShadowProtect or ShadowProtect SPX. Here is the StorageCraft link to get the appropriate documentation.
Regards,
Bob