Check Point releases working Decryptor for the Cerber Ransomware

  • Thread starter
  • Admin
  • #1


Malware Removal Specialist - Administrator
For those who have been affected by the Cerber Ransomware and decided not to pay the ransomware, we have good news for you!
Today, Check Point released a decryption service for the Cerber Ransomware version 1 and version 2 that allows victims to recover their computer's decryption key and decrypt their files for free.
The files types that can be decrypted by this ransomware are those that end with .CERBER and .CERBER2 extensions.

At this time, it is not known how Check Point is able to decrypt the Cerber files, but based on their access to the Cerber backend, they most likely were able to acquire the Master Decryption Key, rather than finding a weakness in the encryption algorithm.
Using this Master Decryption Key, they can then extract a victim's unique key from an uploaded encrypted file.

How to Decrypt .CERBER and .CERBER2 Files

In order to use this service, victims can visit the site and upload an encrypted .CERBER or .CERBER2 file that is 1MB or smaller.
Once the file is uploaded, Check Point will extract the private key associated with your computer and make it available for download.
Victim's must then download both the private key file, which will be named pk, and the decryptor to the same folder.

Once a victim has downloaded both files, they can simple double-click on the decryptor to start scanning the computer for files to decrypt.

The Check Point Cerber Decryptor will scan the computer for encrypted files and decrypt them.
Please note that there are appears to be a bug in the user interface that indicates encrypted files on the Network are being detected, even for those who are not connected to a network.
This bug can safely be ignored.

When it has finished decrypting your files, a victim will be presented with a message that states the disk has been decrypted.
As an extra bonus, the decryptor will have removed any ransom notes that are not located on the Windows desktop.

The victim's files should now be decrypted.

Credit and Source:
Lawrence Abrams