The Check Point security firm released a decryption service for the Cerber Ransomware. Infected users can now decrypt files with the extensions .cerber and .cerber2.
Luckily for the victims of the infamous Cerber Ransomware, there is now a free decryptor available online. It works for the ransomware versions 1 and 2 and allows victims to get their files back without having to pay the ransom. The files which can be decrypted with this tool are those with “.CERBER” and “.CERBER2” extensions.
At this point, it is not clear how Check Point managed to decrypt the Cerber encrypted files. However, they probably didn’t succeed in cracking the encryption algorithm; instead, they were able to obtain the Master Decryption Key thanks to their access to the Cerber backend. Using the Master key, they derive each victim's unique key from the encrypted files that victim uploads.
The first step of the decryption process is for victims to go to the CerberDecrypt.com website and upload one of their “.CERBER” or “.CERBER2” encrypted files. Those files are usually only 1MB in size or even smaller. Once the file is uploaded, Check Point is able to extract the key associated with this particular victim's computer and release it for free download. The victim then has to download both the private key, named “pk”, and the decryptor into one folder.
The Check Point decryptor should then be launched, and it will scan the machine for files to decrypt. Users should keep in mind that there appears to be a bug in the user interface: it indicates that encrypted files are being detected on the network, even for those who are not connected to a network. This bug, however, can safely be ignored. Moreover, any ransom notes which are not located on the Windows desktop will also be removed during the file decryption.
Once the decryption process is over, the victim will receive the message “the disk has been decrypted” and the files should be unlocked.
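The following Python script is an added example, not code from Check Point or from the original article. It inventories `.cerber` and `.cerber2` files under a folder, so the counts can be compared before and after running the decryptor, and it picks a small non-empty file for the upload step described above. The function names, the demo file names and the use of 1 MB as a selection threshold are assumptions.

```python
import os
import tempfile
from collections import Counter

CERBER_EXTENSIONS = (".cerber", ".cerber2")   # extensions named in the article
MAX_SAMPLE_BYTES = 1024 * 1024                # assumption: article's "1MB or smaller"


def find_encrypted_files(root):
    """Return [(path, size)] for files under root with a Cerber extension."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            # Compare case-insensitively: the article shows both .cerber and .CERBER
            if os.path.splitext(name)[1].lower() in CERBER_EXTENSIONS:
                path = os.path.join(dirpath, name)
                try:
                    hits.append((path, os.path.getsize(path)))
                except OSError:
                    continue  # file vanished or is unreadable; keep scanning
    return hits


def summarize(hits):
    """Per-extension counts; run before and after decryption and compare."""
    return Counter(os.path.splitext(path)[1].lower() for path, _ in hits)


def pick_sample(hits, max_bytes=MAX_SAMPLE_BYTES):
    """Smallest non-empty encrypted file within max_bytes, or None."""
    fits = [(size, path) for path, size in hits if 0 < size <= max_bytes]
    return min(fits)[1] if fits else None


def build_demo_tree(root):
    """Constructed sample data: file names and sizes are made up for the demo."""
    layout = {"docs/a1B2c3.cerber": 2048, "docs/big.CERBER2": MAX_SAMPLE_BYTES + 1,
              "pics/empty.cerber": 0, "pics/holiday.jpg": 512}
    for rel, size in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\0" * size)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        found = find_encrypted_files(tmp)
        print(dict(summarize(found)))
        print("sample to upload:", pick_sample(found))
```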
Unfortunately, following our report, the authors of Cerber managed to fix the flaw in their encryption process which enabled us to decrypt files encrypted by Cerber.
During the time the decryptor was functional, hundreds of users managed to decrypt their files using our decryptor.
We will continue to search for new ways to decrypt files encrypted by Cerber and other ransomware, and return them to their rightful owners.
For additional information about the Cerber ransomware, visit the Cerber Research Webpage.