Cerber ransomware removal instruction and ways to restore the encrypted files

Cerber virus is a ransomware, which encrypts the data on your PC and demands a ransom to decrypt them. Hackers want 500$ for that, and if you won’t pay in 7 days, the fee will double, so you’re on the clock. Cerber’s special feature is that it can affect not only text and image files, but also the audio and video. As you see, Cerber ransomware is very dangerous, and if you failed to prevent its installation, you have to try all possible techniques of decryption before you pay the ransom. In this article we’ve described all possible ways to remove the virus and to decrypt the files.

Latest news

Current version of Cerber ransomware is 4.1.5 and the researches on it were begun few days ago. We still can't say anything about it, but the malware fighters all over the world are trying to crack its code and help all its victims to regain their files. Cerber became a really recognizable brand, and its developers began to search for additional ways of distribution. According to SenseCy, Cerber is offered as a service on closed Russian forum, so anyone can distribute it and pay some fee to its developers. These news are, actually, both bad and good. They're bad because the more people distribute this virus, the more users will suffer from it. The news might be good because if it's true, the extraneous distributors might not be so intelligent and careful as original developers, and the could make mistakes that will help good guys to win in this fight. Anyway, if you became a victim of Cerber ransomware, you shouldn't pay the ransom, because all money will go on the further development of this virus and will enhance its positions.

All ransomware viruses, in general, have the same features. The difference can be only in the amount of ransom and the list of formats that a virus can encrypt. Cerber is not an exception, and it acts like all other ransomware. It penetrates the system via spam or viral emails, and if user will open the attachment to such e-mail, and run the macro – the virus will begin its work. When the process of encryption will end, virus will create several files with instructions. The instructions are pretty much the same for all ransomware, the say “Bla-bla-bla, files are encrypted, bla-bla the encryption is very strong, so give us your money!” Here’s the usual instruction for Cerber ransomware:


Cerber encryptor


Hackers say that if you won’t pay the ransom in a week, the will double the price for encryption, so if you really need those files – you better think fast. If you have no backups of your data – there is no guarantee that you will ever restore them. You have a good chances but it’s not 100%. If you’ll pay the ransom – you don’t have a guarantee that hackers will restore the files after receiving the money, because you can’t control them and don’t even know where they are. The could be in any part of the world, so you have to decide: you will remove the virus and try to restore the files, or you pay the ransom and hope that web-criminals will have mercy on you.

How to remove Cerber Virus from the computer

If you’ve decided to remove the virus, you must understand that after the removal you won’t be able to restore the files with help of hackers, which have encrypted them. Also, the removal IS NOT a decryption. Files won’t change back after virus will be removed, but other files will be safe. If you don’t have enough experience to do that manually – use the reputable removal tool. We advise you Spyhunter, which is one of the best antiviruses, and can easily find and remove Cerber ransomware from your PC. Click here to download Spyhunter and remove virus automatically

Step 1. Boot the system into safe mode

  • Press Start
  • Type Msconfig and press Enter

Safe mode. Step 1


  • Select Boot tab

Safe mode. Step 2



  • Select Safe boot and press Ok

Alternative way how to boot computer into safe mode:


Step 2. Show all hidden files and folders

  • Press Start
  • Click on Control Panel

Show hidden files. Step 1


  • Select Appearance and Personalization

Show hidden files. Step 2


  • Click on Folder Options
  • Select View tab
  • Select Show hidden files, folders and drives

Show hidden files. Step 3


  • Press Ok

Step 3. Remove Cerber files

Check next folders to find suspicious files:

  • %TEMP%
  • %ProgramData%

Step 4. Clean registry

  • Click Start
  • Type Regedit.exe and press Enter
  • Press Ctrl+F and search for "Cerber"
  • Delete items found

Video how to remove ransomware virus


How to decrypt your files

Here’s the biggest piece of work with Cerber ransomware. You have three techniques to get your data back: load of backups, restore from shadow copies or to direct decryption. Even if you did no backups, there is a function in Windows that might be enabled, so if you have the available backups of your files – just remove the virus and load them. If this is impossible for some reasons – try to restore the files from shadow copies. It’s a bit harder but still possible. You should download Recuva or ShadowExplorer tool, and use them. And if this method will fail too – use the Kaspersky Ransomware Decryptor. This program was made by Kaspersky lab after a thousands of complaints on ransomware, and it includes more than 15 000 decryption keys for different ransomware. All instructions about these processes can be found below this chapter, or on the official websites of the used tools.

  • Click Start
  • Click Control Panel

Decrypt files. Step 1


  • Click System and Security

Decrypt files. Step 2


  • Select Backup and Restore

Decrypt files. Step 3


  • Select Restore files from backup
  • Select checkpoint to restore


Cerber Ransomware decryption demonstration video





Share your feedback to help other people
1 1 1 1 1 1 1 1 1 1 Rating 4.10 [5 Votes]


0 #2 Kate 2018-03-22 07:17
Hello, try to use Trendmicro decryptor or Recuva or shadow explorer
0 #1 Bing 2018-03-02 05:32
How can i restore the files if i dont have any restore checkpoint in the system recovery?

Add comment

Security code



Acronis suggestion to CrashPlans users

Around a month ago, there was an accident with CrashPlans backup software.

What is MicTrayDebugger and is it dangerous

This is a brief entry about MicTrayDebugger: what is it, how it appeared in the system, is it dangerous and how to get rid of it.

What is HoeflerText and is it dangerous?


This article is dedicated to the fraud scheme that is called HoeflerText font wasn't found. We will explain you what is this scheme and how to avoid it.

What is Wpad.dat virus and how it is used

The topic of our today's article is a script that had been unjustly called a virus. It’s Wpad.dat, and it is not a virus. We will explain what is Wpad.dat and how to prevent fraudsters to deceive yourself with its help.


Cancer virus trollware

This is an article about crazy Cancer virus and the madness that it brings to victim's computer.

This website uses cookies to improve your experience