  1. #1
    5 Star Lounger

    Recovery from Cerber

    One of my customers got infected with Behavior:Win32/Cerber.gen!A yesterday. I found several methods to disable it, but nothing about how to deal with the garbled file names it created. Is such a recovery possible?

  2. #2
    WS Lounge VIP
    Probably only via a restore.

    cheers, Paul

  3. #3
    WS Lounge VIP Calimanco
    Cerber is Ransomware. It is installed when the unwary user clicks on a malicious link in an e-mail. It then encrypts the user's data and asks for a payment (the ransom) to decrypt it. Even if your customer pays, there is no guarantee that the decryption key will be provided or will work if it is. System Restore won't work as that will have been disabled as well. Unless your customer has a full backup, he's lost his data.
    Last edited by Calimanco; 2016-07-30 at 06:27.

  4. #4
    5 Star Lounger
    Quote Originally Posted by Paul T
    Probably only via a restore.

    cheers, Paul
    I thought System Restore only rolls back system and program files, and does nothing with personal data files.

  5. #5
    5 Star Lounger
    Quote Originally Posted by Calimanco
    Cerber is Ransomware. It is installed when the unwary user clicks on a malicious link in an e-mail. It then encrypts the user's data and asks for a payment (the ransom) to decrypt it. Even if your customer pays, there is no guarantee that the decryption key will be provided or will work if it is. System Restore won't work as that will have been disabled as well. Unless your customer has a full backup, he's lost his data.
    My customer says she never got a request for a payment.

  6. #6
    4 Star Lounger
    As reported elsewhere: Cerber is "Ransomware-as-a-Service", and that "means the threat can be easily customized to modify the ransom message and list of targeted file extensions". This means that the inept goon behind her infection could even have included files which left Cerber itself disabled! (The majority of "bad guys" are both inept and stupid.) For instance, if the sound card driver was disabled, then she wouldn't have heard the Cerber "loud creepy voice" telling her which files it was changing as it encrypted them.

    Windows Defender will detect Cerber. Microsoft has a web page here for folks with questions about ransomware.
    Last edited by RockE; 2016-07-30 at 19:43. Reason: spell check

  7. #7
    WS Lounge VIP
    Quote Originally Posted by JJDetroit
    I thought System Restore only rolls back system and program files, and does nothing with personal data files.
    Correct, so you need to restore from backup, assuming the backup is not compromised as well.

    cheers, Paul

  8. #8
    Silver Lounger RolandJS
    JJDetroit: I thought System Restore only rolls back system and program files, and does nothing with personal data files.
    Paul: Correct, so you need to restore from backup, assuming the backup is not compromised as well.

    There might be an exception; maybe not. Scuttlebutt elsewhere indicates properly done System Restore Points, if properly restored, bring back Libraries, My Documents, anything stored within that area. I have not tested this on my computers. I'm hoping that others who have tested the scuttlebutt SRP idea can verify correctness or incorrectness.
    "Take care of thy backups and thy restores shall take care of thee." Ben Franklin revisited.
    http://collegecafe.fr.yuku.com/forum...-Technologies/

  9. #9
    Super Moderator
    I agree that the only true defence against ransomware is a system image, but this article has a couple of suggestions on how it may be possible to recover the files after Cerber encryption - Good Luck.

    https://www.quora.com/How-do-I-remov...tore-the-files

  10. #10
    Silver Lounger
    Hello Paul. Last January, a friend got hit by ransomware and called me. I had a clone of his machine but !
    As soon as I connected the clone, it got flushed. So the moral is: format the C:\ before any recovery attempt.

    A nice 14393.10 to you. Jean.

  11. #11
    Super Moderator
    While I've never cloned, nor know how to recover using one, the advantage of using Windows System Image is that you boot up outside of Windows to use the system image recovery, which may save you from being caught up in the infection.

  12. #12
    Administrator
    Quote Originally Posted by Sudo15
    While I've never cloned, nor know how to recover using one, the advantage of using Windows System Image is that you boot up outside of Windows to use the system image recovery, which may save you from being caught up in the infection.
    That is not necessarily so, since you can start the restore process from Windows itself.

    I think the best option is always to play safe and get rid of the infection first.
    Rui
    -------
    R4

  13. #13
    Super Moderator
    In Win 7 whenever I went to restore with a system image from an external HDD I was prompted to boot up with a repair disk, even when I went via F8 to the RE.

    I've just had to do the same with my Win 10 but I now boot up with a repair disk out of habit.

    I agree though that it would be best to disinfect first.

  14. #14
    New Lounger
    About 6 months ago, while I was getting prices for a truck part, I was hit with ransomware. Probably from a script hidden in the advertising.

    Scratched my head for a while and decided to read up on how the ransomware sets itself up (CryptoWall), what steps it takes. It was worth doing because I found that it made encrypted copies of my files and then deleted the original files. 'Head slap'! That was all I needed to see. I removed the hard drive to an external dock and ran some good recovery software (Hetman) to undelete my files to another hard drive. I recovered about 95% of what I had. Then wiped the encrypted hard drive and did a reinstall.

    It seems that the same steps to encrypt are used in some of the other ransomware, so you might get lucky.
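A defender-side illustration of the behaviour this post describes (an encrypted copy written under a garbled name, then the original deleted), added here as example code and not part of the thread: a small Python heuristic that flags that create-then-delete pattern in a constructed list of file-system events. The event tuple format, the `.locked` extension, the garbled stems and the list of user-data extensions are all assumptions made for the example.

```python
"""Heuristic flag for the 'encrypted copy under a garbled name, then delete the
original' pattern.  Example code added for this thread; event format is assumed."""
import ntpath

# Assumed: file-system events as (sequence_number, operation, windows_path).
# Constructed sample: two normal events, then three encrypt-then-delete pairs.
# The ".locked" extension and the garbled stems are made up for the example.
SAMPLE_EVENTS = [
    (1, "create", r"C:\Users\jane\Documents\report.docx"),
    (2, "modify", r"C:\Users\jane\Documents\report.docx"),
    (3, "create", r"C:\Users\jane\Pictures\a8Kx3QpL2z.locked"),
    (4, "delete", r"C:\Users\jane\Pictures\holiday.jpg"),
    (5, "create", r"C:\Users\jane\Pictures\Zq9mT4bV7w.locked"),
    (6, "delete", r"C:\Users\jane\Pictures\family.jpg"),
    (7, "create", r"C:\Users\jane\Documents\Hn2kR8yD1c.locked"),
    (8, "delete", r"C:\Users\jane\Documents\budget.xlsx"),
]

# Assumed list of extensions a ransomware family would target (user data).
USER_DATA_EXT = {".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".png"}

def looks_garbled(stem):
    """Crude test for a random-looking file name: long, and mixing digits,
    upper- and lower-case letters.  Normal names like 'holiday' fail this."""
    return (len(stem) >= 8
            and any(c.isdigit() for c in stem)
            and any(c.isupper() for c in stem)
            and any(c.islower() for c in stem))

def detect_encrypt_then_delete(events, window=4, threshold=3):
    """Pair each delete of a user-data file with a garbled-name create in the
    same folder within `window` events before it.  Return (alert, pairs);
    alert is True once at least `threshold` such pairs have been seen."""
    pending = []  # garbled-name creates not yet matched: (seq, folder, path)
    pairs = []
    for seq, op, path in events:
        folder, name = ntpath.split(path)
        stem, ext = ntpath.splitext(name)
        if op == "create" and looks_garbled(stem):
            pending.append((seq, folder, path))
        elif op == "delete" and ext.lower() in USER_DATA_EXT:
            for item in pending:
                if item[1] == folder and seq - item[0] <= window:
                    pairs.append((item[2], path))
                    pending.remove(item)
                    break
        # drop creates that are too old to be paired any more
        pending = [p for p in pending if seq - p[0] <= window]
    return len(pairs) >= threshold, pairs
```

The matched pairs double as a recovery worklist: each deleted original is a candidate for the undelete approach described in the post, provided the disk has not been written to since.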
