Cerber2 Ransomware Removal

I wrote this article to help you remove Cerber2 Ransomware. This Cerber2 Ransomware removal guide works for all Windows versions.

Cerber2 ransomware is the second version of a win-locker, named after the three-headed monstrous dog from Greek mythology. This variant of the virus is also dedicated to Anka, the main character from a popular computer game. Cerber2 ransomware was developed because the initial version of the program was figured out by security researchers. The upgrade has distinguishable characteristics from the original virus. Even if you do not understand code, you will notice the external differences.

Cerber2 ransomware uses a different wallpaper which gets set as the desktop background. The image has an old-school look to it. The background part resembles static from a distorted signal. There is a rectangle in the middle, depicting a vintage black computer screen with green writing. The wallpaper also plays the role of a ransom note.

The cyber criminals behind Cerber2 ransomware have made sure their message would be conveyed to the victim. They have created two text files and a synthetic voice recording. All three notes are titled #DECRYPT MY FILES#. The text messages are in .txt and .html format. They list the demands of the hackers in detail. The .vbs audio does not contain essential information, but it plays a mind game. The recording will inform you that your important files have been encrypted. The cyber thieves demand a ransom for decrypting your files, stating there is no other way to recover your data.

The Cerber2 Ransomware Virus

Cerber2 ransomware can encrypt text documents, images, audio files, videos, spreadsheets, presentations, databases, archives and many other file types. The list of vulnerable extensions has expanded with the development of the second version. The nefarious program will lock a lot of your essential files. The .cerber2 suffix is appended to the name of each encrypted file.

Cerber2 ransomware has raised the bar for the encryption process. The insidious program generates a 32-bit key, rather than a 16-bit key like its predecessor. It may be a surprise for you to find out that the amount of the ransom has been reduced by more than four times. Cerber2 ransomware asks victims to pay 0.3051 BTC, whereas the original Cerber ransomware demanded 1.24 BTC. The second version gets about $189.70 USD per victim. Like its ancestor, the win-locker doubles the ransom if the victim delays the payment. The original win-locker gives people 7 days to pay the initial sum, while Cerber2 ransomware only gives 5 days.

Having the ransom go down may be an indication that the hackers do not feel as confident as they did with their first program. With the code of the original Cerber being broken, they have a valid reason to second-guess their technological prowess. Another reason for lowering the ransom may be that most users have refused to pay such a high sum.

In any event, Cerber2 ransomware is not unbreakable. A decrypter for the win-locker has already been created. There is no reason to pay the cyber crooks. You can recover your files on your own after uninstalling the virus.

How did my computer get infected with Cerber2 ransomware?

Getting to know the propagation vectors of a virus can help you protect your machine from attacks in the future. Cerber2 ransomware uses spam emails to infiltrate computers. This method is the leading distribution technique for win-lockers. The distributors rely on deceptive tactics. We will give you tips on how to avoid being misled.

We already stated that Cerber2 ransomware travels through spam emails. In particular, the clandestine program is spread via attachments. The host file is described as an important piece of documentation. The most common culprits are .rar archives and .zip folders. Opening the carrier is enough to unleash the win-locker into your computer. Spammers can disguise malicious .dll, .php, .js and other file types to appear as a different format. To be on the safe side, check the reliability of all your emails. Look up the account they were sent from. It should match the contacts of the entity behind the message. Go to its official website and compare the details. It should be noted that malware distributors often write on behalf of existing companies and organizations to lead people astray.

Cerber2 Ransomware Removal

Method 1: Restore your encrypted files using ShadowExplorer
Usually, Cerber2 Ransomware deletes all shadow copies stored on your computer. Luckily, the ransomware is not always able to delete them, so your first try should be restoring the original files from shadow copies.

  1. Download ShadowExplorer from this link: http://www.shadowexplorer.com/downloads.html.
  2. Install ShadowExplorer
  3. Open ShadowExplorer and select C: drive on the left panel
  4. Choose a date at least a month ago from the date field
  5. Navigate to the folder with encrypted files
  6. Right-click on the encrypted file
  7. Select “Export” and choose a destination for the original file
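
Before choosing a date in ShadowExplorer or System Restore, it helps to know when the encryption happened, so that the snapshot you pick predates it. The Python script below is an added example, not part of the original guide: it walks a folder, collects files with the .cerber2 suffix and the #DECRYPT MY FILES# notes, and reports the earliest modification time among the encrypted files. It assumes the ransomware did not alter file timestamps; the function names and the sample files are constructed for illustration.

```python
import os
import tempfile
from datetime import datetime, timezone

ENCRYPTED_SUFFIX = ".cerber2"          # suffix named in the article
NOTE_STEM = "#DECRYPTMYFILES#"         # note title from the article, spaces removed
NOTE_EXTS = {".txt", ".html", ".vbs"}  # note formats named in the article

def is_ransom_note(filename):
    # Compare the title with whitespace stripped so spacing variants still match.
    stem, ext = os.path.splitext(filename)
    return ext.lower() in NOTE_EXTS and "".join(stem.split()).upper() == NOTE_STEM

def triage(root):
    """Walk root; return encrypted files, ransom notes and earliest encryption time."""
    encrypted, notes, earliest = [], [], None
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(ENCRYPTED_SUFFIX):
                encrypted.append(path)
                mtime = os.path.getmtime(path)
                earliest = mtime if earliest is None else min(earliest, mtime)
            elif is_ransom_note(name):
                notes.append(path)
    when = datetime.fromtimestamp(earliest, timezone.utc) if earliest is not None else None
    return {"encrypted": sorted(encrypted), "notes": sorted(notes), "earliest": when}

def build_sample_tree(root):
    """Constructed sample data: two 'encrypted' files, one note, one untouched file."""
    os.makedirs(os.path.join(root, "Documents"))
    samples = {"Documents/a1b2c3.cerber2": 1470787200,   # 2016-08-10 00:00 UTC
               "Documents/d4e5f6.CERBER2": 1470790800,   # 2016-08-10 01:00 UTC
               "Documents/# DECRYPT MY FILES #.txt": 1470790800,
               "Documents/notes.docx": 1460000000}
    for rel, ts in samples.items():
        path = os.path.join(root, *rel.split("/"))
        with open(path, "wb") as fh:
            fh.write(b"constructed sample")
        os.utime(path, (ts, ts))  # set a known modification time

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        report = triage(tmp)
        print(len(report["encrypted"]), "encrypted,", len(report["notes"]), "notes")
        print("Pick a snapshot or restore point older than", report["earliest"])
```

To check a real profile, call `triage()` on the folder you want to inspect instead of the temporary sample tree.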

Method 2: Restore your encrypted files by using System Restore

  1. Go to Start –> All programs –> Accessories –> System tools –> System restore
  2. Click “Next”
  3. Choose a restore point from at least a month ago
  4. Click “Next”
  5. Choose Disk C: (should be selected by default)
  6. Click “Next”. Wait for a few minutes and the restore should be done.

Method 3: Restore your files using File Recovery Software
If none of the above methods works, you should try to recover the encrypted files with file recovery software. Since Cerber2 Ransomware first makes a copy of the original file, then encrypts it and deletes the original one, you can successfully restore the original using file recovery software. Here are a few free file recovery programs:

  1. Recuva
  2. Puran File Recovery
  3. Disk Drill
  4. Glary Undelete
