How To Remove Cerber Ransomware Virus And Decrypt Files

Cerber is one of the most popular ransomware viruses. It is different from other malware since it has been updated numerous times and has many versions. It utilizes many different methods in order to continue spreading and is also available as “ransom as a service”, meaning that anybody can create their own version and distribute it by sharing a portion of profits with the original creators.

The virus encrypts your personal files and asks for a BitCoin payment in order to make them usable again. Cerber prioritizes the files by their popularity meaning that it tries to encrypt the ones you use the most first. Once the files become encrypted they start bearing a new extension given by the virus. Depending on the ransomware version, the extension can be .cerber, .cerber2, .cerber3 or a random one, for example .1v6e, .c4w7 and similar.

Cerber also creates ransom notes named “_HELP_HELP_HELP_“, “_README_” or “# DECRYPT MY FILES #” and changes the desktop background (the earlier versions displayed a green text while the updated one switched to white text on red background). One of the most distinctive features is that the virus also creates a “.vbs” file and it plays an audio message saying “Your documents, databases and other important files have been encrypted!” when launched.

This ransomware is a very dangerous virus and has infected a lot of computers during the years of operation. The best way to prevent this infection is to use a proper antivirus software. However, if you have been already struck by Cerber, we strongly discourage you from paying the required ransom to the creators. You should try recovering the files yourself as some versions are decryptable.

Before recovering the files, you need to remove the virus completely. We have an automatic removal and protection tool available as well as a manual guide for experienced Windows users. You are still strongly advised to secure your PC after the removal process. Therefore, we recommend simply using the automatic tool.

Recommended Method: Download Cerber Ransomware Removal Tool

Version:   All Updated:   2 days ago Compatible OS:   All
This is the most suitable program for automatically removing the threat and repairing your PC.
Works with: Windows 10, Windows 8, Windows 7, Windows Vista, Windows XP. Read instructions here
File name Size
mb3-setup.exe 56.5 MB

Click here to download alternative tool

What is Cerber ransomware?

Cerber has been attacking computers for over a long time already. What allows it to stay dangerous are constant updates. Some earlier versions even disclosed the versions number (e.g. 5.0.1) while the newest ones started to hide it. The virus creators make sure to fix their mistakes in the code and make the ransomware stronger every time. This is why current versions are still not decryptable even though virus researchers managed to find keys for the first ones.

The operation methods are similar to what other such malware uses. The virus infiltrates the computer, creates a list of targeted files and starts encrypting them in the background. When finished, ransom notes are shown, original file copies are deleted and it becomes impossible to access your personal data. The ransom is requested to be paid in BitCoin and the victims are promised to receive a decryption key.

The ransom notes can have several names including “_HELP_HELP_HELP_“, “_README_” or “# DECRYPT MY FILES #” and various extensions including “.hta“, “.txt“, “.html“, “.jpg” and a less popular one: “.vbs“. The last one also plays an audio message stating that all files have been encrypted:

The ransom note usually starts with the following text:


Cannot your find the files you need? 
Is the content of the files that you looked for not readable? 
It is normal because the files’ names, as well as the data in your files have been encrypted. 
Great!!! You have turned to be a part of a big community #CerberRansomware.

Cerber then provides a long description of itself and instructs you to visit the payment site and make a BitCoin payment.

This ransomware does not have a single distinctive distribution method. It uses email spam and either sends attachments or redirects to malicious links with the infection. It can also use exploit kits, be attached to other files and infect websites in order to target their visitors. The methods change with each update. Also, since this virus works as “Ransomware as a Service” it can be distributed by anybody and it is very hard to track the process.

The payment versions is also being constantly updated. It is hosted on a TOR server, has payment instructions, support section and allows you to decrypt one file for free. This is done in order to convince as many victims as possible to pay the ransom.

The virus has most likely been developed in Russia. It also skips this and several other countries (Azerbaijan, Armenia, Georgia, Belarus, Kyrgyzstan, Kazakhstan, Moldova, Turkmenistan, Tajikistan, Uzbekistan, Ukraine) and does not infect the computers if the users are their residents. Despite the country of origin, it has already been translated to many languages including English, German, Spanish, French, Chinese, Japanese, Portuguese, Polish, Italian, Turkish and more.

We strongly discourage you from paying the criminals any money. Even though they promise to provide you with the decryption key there still might be other vulnerabilities left after you recover the files. The virus creators might target your computer in the future again since they will see you as a paying victim. Instead, you should follow our guide and remove the threat completely, then try to recover your files.

We have an automatic removal and protection tool listed at the beginning of this page. It will not only eliminate the ransomware but will also protect your system from similar threats in the future. We also have a manual guide for more experienced Windows users. However, it will only help you to remove the threat source but you will still have to secure your PC afterwards.

You should move on to recovering files only after you have successfully removed the threat. Otherwise they might get encrypted again and more damage could be done. We have a file recovery guide at the end of this article.

Key Cerber ransomware updates:

  • (February 2017) A new version emerges, uses “_HELP_HELP_HELP_” ransom note and spreads via email, exploit kits and Nemucod downloader.
  • (January 2017) Desktop background text color changes to red and the extensions are now 4 characters long and randomly generated. This version usually fails to delete shadow copies making it easier to recover files. Some distribution mail addresses used include:,,,
  • (December 2016) New email spam campaigns are noticed. RIG exploit kit is used for distribution. Shadow copies are not deleted. Red text dekstop background begins to appear.
  • (November 2016) Cerber shifts focus to targeting companies. It also threatens with DDoS attacks.
  • (October 2016) Another increase in activity and first signs of 4 characters random extensions being appended to the encrypted files.
  • (September 2016) Signs of a new version which changes the extension to .cerber3.
  • (August 2016) .cerber and .cerber2 file decryption website appears and allows victims to decrypt the ransomed files for free.
  • (July 2016) .cerber2 version appears.
  • (February 2016) First appearance of Cerber ransomware.

Here are some screenshots of the Cerber ransomware:


 Manual Removal Instructions:

NB: Bookmark this page in order to access it after you restart your computer while working on the removal process! You can also print it out or open on another device.

Editing important Windows files and settings can be risky. We recommend using the automatic removal tool for an easier removal process and in order to avoid any damage to your Windows operating system, since Cerber is a complicated and dangerous ransomware.

Do not skip any steps as otherwise the threat might come back again and cause mroe damage.

Step 1:

Reboot your Windows in Safe Mode.

When your computer is infected by a virus some of its features may be locked or compromised. You need to bypass this by rebooting your computer using Safe Mode. This will allow you to remove the virus.

Since Safe Mode only has the most basic features do not be scared that your Windows look completely different!

Click here to show how to reboot Windows 98, XP, Vista or Windows 7 in Safe Mode

  1. Restart your computer (if it is locked you can do this by physically pressing the power button on your computer).
  2. As soon as the PC starts booting begin constantly clicking F8 key on the keyboard until you get the following screen:
  3. Use arrow keys to highlight Safe Mode With Networking and press Enter.
  4. Wait for the Windows to launch.


Click here to show how to reboot Windows 8, 8.1 or Windows 10 in Safe Mode

F8 method (1/4):

Restarting and constantly hitting F8 might not work for this version of Windows since the booting is much faster and does not always react to the key presses. Try this method first and then proceed to other methods if this does not help.

  1. Restart your computer (if it is locked you can do this by physically pressing the power button on your computer).
  2. As soon as the PC starts booting begin constantly clicking F8 key on the keyboard.
    If it does not work try repeating the same procedure but this time holding Shift key and clicking F8.
  3. Follow instructions from Step 5 below:

Shift+Restart method (2/4):

  1. Click the Power icon at the login screen or in the settings charm.
  2. Hold Shift key on your keyboard and click Restart with your mouse while holding:
  3. Click Troubleshoot:

  4. Click Advanced options:
  5. Click Startup Settings:
  6. Click Restart:
  7. Now press F5 key on your keyboard to enable Safe Mode With Networking:

System configuration method (3/4):

  1. Press and hold Windows () key and click R key.
  2. Enter msconfig.exe and click OK:
  3. When System Configuration opens go to the Boot tab:
  4. Check the box “Safe Boot” in Boot options and click OK.
  5. When prompted, click Restart.
  6. Windows will now start in Safe Mode.

System Recovery method (4/4):

If everything above fails you can try inserting System Recovery CD or DVD (works only with Windows 8) or System Recovery USB Memory Stick (works with Windows 8 and 8.1). You will be able to choose Troubleshoot option. The steps are then identical as in Shift + Restart method starting from #3.

Step 2:

Find any processes that might be associated with the Cerber virus and terminate them. They are usually randomly named .exe files (e.g. 1vwe564w8v4.exe).

Press CTRL + SHIFT + ESC at the same time to launch Windows Task Manager. You can also launch it by right-clicking on Windows toolbar/startbar and clicking Start Task Manager.

Go to Processes tab.

All currently running processes will be listed.


Right-click on each of the suspicious processes you find in the list and choose Open File Location.

Go to and upload the opened file for a scan.

If the scan shows that the file is dangerous, right-click on the process and choose End Process, then delete that file in the location you have just opened.

Repeat this until you have checked all processes.

You might not find any malicious process since the virus usually exits after completing the encryption process.

Step 3:

Check your hosts file for any suspicious IPs.

Press and hold Windows () key and click R key while holding to open “Run” window.

Enter the following in the field:

notepad %windir%/system32/Drivers/etc/hosts

Click OK.

Your hosts.ini file will open in Notepad. Delete any IPs that are not marked with an “#” in front of them except the “ localhost” entry. Here is an example:

Step 4:

Remove suspicious programs from your startup config so they would not launch as soon as you boot your computer.

Hold Windows () key and click R key.

Enter the following in the field:


Click OK.

Go to the Startup tab and uncheck all suspicious entries.

The infected or fake startup items usually have “Unknown” listed as Manufacturer. However, sometimes they might pretend to be legitimate programs.

Check process location by hovering your mouse over the “Command” column. Navigate to the location and scan the file using if it looks suspicious but you are not sure.

Click OK when you are finished unselecting all potentially dangerous processes.

Step 5:

Clean up Windows temporary files as there are usually several Cerber ransomware files placed here.

You can safely remove all temporary files without posing any risk to your computer.

Hold Windows () key and click R key.

Enter the following in the field:


Click OK.

All temporary files will be listed in the directory.

Select all temporary files by simultaneously pressing CTRL + A and delete them permanently by pressing SHIFT + DELETE.

Step 6:

Check for any recent changes in all the other important system files.

Cerber usually makes changes to important system files in order to stay undetected.

Hold Windows () key and click R key.

Enter the following in the field:


Click OK.

Do not delete anything here! Search for any recent changes (by “Date Modified”) in the files first. Only if you see that a file has just been changed scan it with Remove only files marked as dangerous. Otherwise you might remove critical system files and Windows might stop working.

The virus tends to copy its files to this directory so you might find randomly named .exe, .dll, .bat or other recently placed files.

Repeat this step with the following three directories while being very careful:


Remember that these directories contain many important system files! Be very careful!

Step 7:

Clean up your registry entries.

Hold Windows () key and click R key.

Enter the following in the field:


Click OK.

All Windows registry entries will open.

Most of them are critical for correct system operation and deleting important entries might result in Windows failing to load. Make sure you are very careful while deleting and editing the entries!

Use the folder tree on the left to navigate to the following directory:


If you find any registry entries that could be associated with Cerber (usually randomly named), copy their random names and then delete them by right-clicking on it and choosing Delete.

Then search for the random name you have just copied by pressing keyboard buttons CTRL + F and entering the copied value in the search field. Click Find Next.

Repeat search and delete all registry entries associated with the virus.

Then repeat the search with the following text:


Step 8:

Use Windows File Search (you can access it from Windows Start Menu by simply pressing Windows () button) or Windows Explorer in order to find the following files and delete them. Some of the files might not exist since the virus has several variations.


Where {random} is a name under which Cerber executable hides.

 Decrypting The Files:

Start recovering your files only if you have finished all removal steps! Otherwise you might cause more damage and make it harder to recover them in the future!

We recommend making a backup of the encrypted files on a separate external media in case you are not able to recover the files using our methods.

Check for Cerber ransomware file decrypter here: List of currently available decrypters. Currently only some versions of this ransomware are decryptable but more might be added in the future so check the list before continuing.

We have a list of extensive file recovery methods available here. The instructions below are just a short version of the simplest methods.

Step 1:

Start by enabling recovery since the virus might have turned it off.

Hold Windows () key and click R key while holding to open “Run” window.

Enter the following in the field:


Click OK.

A comand prompt will open.

Copy the following:

bcdedit.exe /set {default} recoveryenabled yes

Right-click on the command prompt (black window) and select Paste.

Press Enter

Step 2:

Restore the old system settings using System Restore. The virus has changed them so you need to revert to the old ones first.

Sometimes the virus is able to remove your system restore points so this step might be unsuccessful.

Press and hold Windows () key and click R key.

Enter the following in the field:


Click OK.

A System Restore wizard will open.

Click Next.

Check Show more restore points.

If you see any restore points, restore the system. Make sure you select a point that has been created before the attack happened.

If there are no restore points you will see “No restore points have been created…” error.

Step 3:

Restore earlier file versions.

Download Shadow Explorer.

When you run the program you will see the list of all shadow copies created.

Select the drive and date that you want to restore from.

Right-click on a folder name and select Export. The folder will be restored.

Read more here about how to restore files from shadow copies.

The virus also tries to delete shadow copies so this step this might be unsuccessful as well. In such case, proceed to Step 4.

However, there are high chances of success since in many versions the shadow deletion is skipped or does not run successfully.

Step 4:

Read more on how to restore files (including backups) on our file recovery guide. This guide includes instructions how to restore the files from a backup or shadow copies as well as how to use a professional file recovery program (which has a very high success rate) if everything else fails.

Alternatively you could make a backup with all encrypted files, store it externally and wait for a Cerber decrypter to be created. New free decrypters for various ransomware appear every week but we cannot estimate the waiting time and if it is going to be created at all.

After removing the virus

When you have finished removing the Cerber ransomware you should protect your computer by installing a good antivirus suite. This will prevent any further infections and fix the current vulnerabilities that have been used by the ransomware to infiltrate your system.

  1. Bobby Nakhva says:

    Shadowexplorer stopped working .. and i dont have any restore point can u tell me what to do.. i want to restore my pics

Leave a Reply

Your email address will not be published. Required fields are marked *

Begin typing your search above and press return to search. Press Esc to cancel.