Readme.hta virus: decrypt Cerber 4.1.1. ransomware

The fourth generation of the Cerber ransomware is underway, dropping the Readme.hta ransom note and appending random extensions to one’s encrypted files.

The lineage of the highly dangerous Cerber ransom Trojan has been recently replenished with a new sample. The fresh spinoff has much in common with the other baddies that used to represent this family. In the meanwhile, it also exhibits unique characteristics that allow researchers to flag it as a standalone ransomware edition. These out-and-outer traits that have the biggest value analysis-wise include a different take on file format contortion, as well as the new way this infection now instructs its victims on recovery. As opposed to the formerly used uniform “.cerber3” extension, this iteration has come to concatenate a victim-specific random set of four hexadecimal characters to every data object that underwent enciphering. Therefore, a victim may see something like utTNNgp574.96b3 instead of an arbitrary personal file.

Readme.hta and ciphered files are straightforward indicators of compromise
Readme.hta and ciphered files are straightforward indicators of compromise

It’s unclear why this additional layer of randomization has been introduced in the latest variant, but it has become the inalienable property of the Cerber ransomware virus. The filename muddling effect, by the way, is identical to the way the predecessor would handle hostage files: the Trojan replaces the initial values with a gibberish 10-character string. This wouldn’t pose much of a problem if it weren’t for the fact that each entry is also encrypted. So, editing filenames, which seems like a no-brainer, is also a no-go as far as data restoration is concerned. Cerber v4 leverages an unbreakable crypto routine to scrambling one’s files. Although the Advanced Encryption Standard (AES) is considered to be weaker than the asymmetric RSA algorithm, it is still virtually impossible to crack as long as it’s implemented the right way.

Recovery steps listed on the desktop
Recovery steps listed on the desktop

Another new feature that surfaced in the current 4.1.1. version of Cerber is the principle of providing the walkthrough to decrypt files. The ransom manual is no longer a combo of three documents in different formats. Instead, it’s a single file called Readme.hta. Because this is, in essence, an HTML application, it delivers some degree of user interaction. For instance, an infected person can now select their native language inside the interface. The rest of the instructions have hardly changed. The extortionists still upsell a tool named “Cerber Decryptor” via a secure Tor page. Therefore, victims are told to install the Tor Browser Bundle and visit their personal page – a choice of three corresponding URLs is provided in Readme.hta pane.

The Cerber Decryptor page displays down-to-earth details on data reviving options. The original ransom amount to submit is 1 Bitcoin, or about 600 USD. That’s a “special price” valid for five days since the encryption event. After the deadline, the ransom doubles and thus reaches 2 Bitcoin. For the user to keep track of the time left, the page contains a graphical countdown component. All in all, this is still a nearly immaculate compromise that’s hard to tackle after the fact. Fortunately, there are several applicable methods to unencrypt the locked random extension files. Keep reading this post to learn more.

Automatic removal of the Readme.hta (Cerber) virus

When it comes to handling infections like this one, using a reputable cleaning tool is the place to start. Sticking to this workflow ensures that every component of the adware gets found and eradicated from the affected computer.

1. Download and install the cleaning tool and click the Start Computer Scan button Download Cerber 4 removal tool

2. The wait is worth it. Once the scan completes, you will see a report listing all malicious or potentially unwanted objects detected on your PC. Go ahead and click the Fix Threats option in order to get Cerber 4 automatically uninstalled from your machine. The following steps are intended to restore the encrypted files.


Recover files ciphered by the Readme.hta ransomware

Removing the infection proper is only a part of the fix, because the seized personal information will stay encrypted regardless. Review and try the methods below to get a chance of restoring the files.

Option 1: Backups

The cloud works wonders when it comes to troubleshooting in the framework of ransomware assault. If you have been keeping data backups in a remote place, just use the respective feature accommodated by your backup provider to reinstate all encrypted items.

Option 2: Recovery tools

The research of Cerber 4 virus reveals an important fact about the way it processes the victim’s data: it deletes the original files, and it’s actually their copies that are encrypted. In the meanwhile, it is common knowledge that anything erased from a computer doesn’t completely vanish and can be dragged out of memory via certain techniques. Recovery applications are capable of doing this, so this method is surely worth a try.

Download Data Recovery Pro

Option 3: Shadow Copies

The Windows operating system incorporates a technology referred to as the Volume Snapshot Service, or VSS, which performs files or volumes backup routine automatically. One critical prerequisite in this regard is to have the System Restore feature toggled on. In case it has been active, some data segments can be successfully recovered.

You may perform this activity with the Previous Versions functionality, which is built into the OS, or by means of special applications that will do the job automatically.

  • Previous Versions feature

    Right-click on a file and choose Properties in the context menu. Find a tab named Previous Versions and click on it to view the last automatic backup that was made. Depending on a preferred action, click Restore to get the file recovered to its original location, or click Copy and indicate a new directory. Previous Versions feature

  • Shadow Explorer applet

    It’s remarkably easy to manage Previous Versions of files and folders with automated tools like Shadow Explorer. This program is free to use. Download and install it, let it come up with a profile of the file hierarchy on the computer, and get down to the restoration proper. You can select a drive name on the list, then right-click on the files or folders to recover, and click Export to proceed. Shadow Explorer


Did the problem go away? Check and see

Computer threats like ransomware may be stealthier than you can imagine, skillfully obfuscating their components inside a compromised computer to evade removal. Therefore, by running an additional security scan you will dot the i’s and cross the t’s in terms of the cleanup.

Download Cerber 4 scanner and remover

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.