
Cerber2 Ransomware

Posted: August 5, 2016

Threat Metric

Ranking: 12,379
Threat Level: 10/10
Infected PCs: 168,486
First Seen: March 4, 2016
Last Seen: March 7, 2025
OS(es) Affected: Windows

The Cerber2 Ransomware is the successor of the Cerber Ransomware, a threat that ran rampant for months before malware researchers stopped it by developing the Cerber Decryptor, a utility capable of restoring the files that the Cerber Ransomware had encrypted. However, the original threat's authors have not given up, and their new product, the Cerber2 Ransomware, comes with a number of improvements that make it more difficult to detect and decrypt.

The corrupted files used to spread the Cerber2 Ransomware are packed via a new technique that is more successful at disguising the harmful traits of the file. However, anti-virus product vendors are already aware of this, and most reputable anti-malware products can detect the Cerber2 Ransomware's signature and stop it before it does any damage. Unfortunately, users without sufficient threat protection may not be able to do much once the Cerber2 Ransomware starts encrypting their computer's files. The second version of this crypto threat uses the Microsoft API CryptGenRandom function and generates a unique 32-bit encryption key for every victim. The key is stored on a remote Command & Control server so that cyber security experts cannot get their hands on the data they need to decrypt the files that the Cerber2 Ransomware locks.

Every file that the Cerber2 Ransomware locks is renamed to include the '.cerber2' file extension. Furthermore, the ransomware drops several ransom notes on the user's desktop, stored in the following files: # DECRYPT MY FILES #.HTML, # DECRYPT MY FILES #.TXT, # DECRYPT MY FILES #.VBS. The ransom note states that users who wish to restore their files must pay a ransom fee. The amount of the fee isn't mentioned, but the original Cerber Ransomware asked for 1.4 BTC (~$800) using the payment instructions seen in the note. Failing to pay the sum within one week doubles the ransom fee to a staggering 2.8 BTC (~$1600). Regardless of the amount the Cerber2 Ransomware asks for, users must not comply with the request, and they must not send any money to the authors of the attack! Despite the lack of a free decryptor, users might still be able to restore their data partially via tools like the Shadow Explorer and the Windows System Restore. Another option is to save the encrypted files in case a free decryptor becomes available soon.
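To scope the damage before attempting recovery, a responder can inventory the artifacts described above without touching them. The following is an added example, not code from this page or from any vendor: it walks a directory tree read-only, lists the ransom-note names given on this page, counts files carrying the appended extension, and reports the earliest modification time among them as an estimate of when encryption began. The function names, the `.cerber2` default for the extension parameter and the sample tree are assumptions made for illustration.

```python
import os
import tempfile
from collections import Counter

# Ransom-note names as listed on this page, compared case-insensitively.
NOTE_NAMES = {"# decrypt my files #.html", "# decrypt my files #.txt",
              "# decrypt my files #.vbs", "# decrypt my files #.url",
              "_readme_.hta"}

def triage(root, encrypted_ext=".cerber2"):
    """Read-only walk: list ransom notes, count locked files per directory,
    and return the earliest mtime among locked files (encryption start estimate)."""
    notes, per_dir, earliest = [], Counter(), None
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            full = os.path.join(dirpath, name)
            lower = name.lower()
            if lower in NOTE_NAMES:
                notes.append(full)
            elif lower.endswith(encrypted_ext.lower()):
                per_dir[dirpath] += 1
                try:
                    mtime = int(os.stat(full).st_mtime)
                except OSError:
                    continue  # file vanished or is unreadable; keep the count
                earliest = mtime if earliest is None else min(earliest, mtime)
    return {"notes": sorted(notes), "locked_total": sum(per_dir.values()),
            "worst_dirs": per_dir.most_common(5), "first_locked_mtime": earliest}

def build_sample_tree(base):
    """Constructed sample: empty placeholder files with made-up timestamps."""
    layout = {"Desktop/# DECRYPT MY FILES #.TXT": 1470355300,
              "Desktop/# DECRYPT MY FILES #.HTML": 1470355300,
              "Documents/a1b2c3d4e5.cerber2": 1470355200,
              "Documents/f6g7h8i9j0.cerber2": 1470355260,
              "Documents/untouched.docx": 1460000000}
    for rel, stamp in layout.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
        os.utime(path, (stamp, stamp))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(triage(tmp))
```

Comparing `first_locked_mtime` with the dates of available restore points or backups shows which of them predate the encryption.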


Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:




Registry Modifications

The following newly produced Registry Values are:

File name without path:
# DECRYPT MY FILES #.html
# DECRYPT MY FILES #.url
# DECRYPT MY FILES #.vbs
_README_.hta