My Laptop got infected by a Virus that spoke to me, and there’s absolutely no remedy

Of all crooked money-minting methods hackers use, the most common is ransomware.

It’s a malware that’s delivered via infected email attachments, hacked websites, etc that encrypts files on your computers, and renders them useless. The hacker then demands a ransom for the key to decode the encryption. It's sick, and scary.

Cyber-criminals make millions of dollars from ransomware. Several organizations around the world have been badly hit by ransomware. One apparently ended up paying 40 bitcoins ($17,000/Rs. 11.27 lakhs).

My laptop recently got infected by one of the latest versions of this malware which goes by the name ‘Cerber’. It was first detected last month by two malware analysts, so you obviously don’t expect your free Avast Antivirus to detect it, and it didn’t.

Here’s what it does.

The malware encrypts users' files using AES encryption and demands that victims pay a ransom of 1.24 Bitcoins, or approximately $500 (Rs.33k).

It was silly of me to download and install what seemed an interesting free software, and I sealed my fate. You’ve been warned.

Interestingly, I hear Cerber checks if the victim is from a particular country. If the computer appears to be from any of the following countries, it will terminate itself and not encrypt the computer.

Armenia, Azerbaijan, Belarus, Georgia, Kyrgyzstan, Kazakhstan, Moldova, Russia, Turkmenistan, Tajikistan, Ukraine, Uzbekistan

If the victim is not from one of the above countries, which I’m not, the Cerber installs itself in the %AppData%\{2ED2A2FE-872C-D4A0-17AC-E301404F1CBA}\ folder and names itself after a random Windows executable. It restarts the computer soon after, and the ransomware begins wreaking havoc with my files, encrypting each document's filename and adding a .CERBER extension to it.

When encrypting your data, Cerber will scan your drive letters for any files that match its list of over 50 file extensions. When it finds a match, it encrypts the file using AES-256 encryption, encrypt the file's name, and adds .CERBER extension to it. So your file Office_Presentation.doc may be renamed as Zu0ITC4HoQ.cerber.

The worst is yet to come. Cerber creates 3 ransom notes on your desktop, and in every folder it has attacked. These files are called # DECRYPT MY FILES #.html, # DECRYPT MY FILES #.txt, and # DECRYPT MY FILES #.vbs. These ransom notes have threats and instructions on what has happened to your data, and every single one has links to the Tor decryption service where you can make the ransom payment and retrieve the decryptor.

At the end of each ransom note there’s this Latin quote:

Quod me non necat me fortiorem facit
- Cerber Ransom Note

In English, this translates to ‘That which does not kill me makes me stronger’. That made my blood boil.


Anyway, Cerber is special than other ‘unsophisticated’ malware out there. The # DECRYPT MY FILES #.vbs file contains VBScript, which will cause the victim's computer to speak to them. You heard me right!

My attacker spoke to me via an automated message that says this:

That can scare anybody. The geek in me was worried for the first time.

If you have the money, which I didn’t, you go to the decrypttozxybarc.onion Tor site, which acts as the payment and decryption service. This site is called Cerber Decryptor and can be accessed in 12 languages.

Once you select the language, you will be prompted to enter a captcha, and will be greeted with the main Cerber Decryptor page. This page will provide information on how to pay the ransom, the ransom amount, and the worst part?

Image Source
The ransom will double if not paid within 7 days. WHAT!

Once a victim makes a payment to the listed bitcoin address, their payment will be shown in the Payment History section of the decryptor page. After a certain amount of bitcoin transaction confirmations, this page will then provide a download link for the victim's unique decryptor.

Image Source
The sad truth is there is no way to decrypt your files for free. If you’re a victim, the best option is to restore your files from a backup. If you don’t have one, like me, God help you.

Image Source