Any files that are encrypted with Cerber Ransomware will be renamed with 10 random characters plus the
.cerber (i.e. 2C1OlcaXdF.cerber, Ku7dYlcvkj.cerber) or .cerber2 extension (see
here) appended to the end of the encrypted data filename and leave files (ransom notes) named DECRYPT MY FILES#.vbs, DECRYPT MY FILES#.txt, DECRYPT MY FILES#.html.
The newest variant of Cerber Ransomware will have a .cerber3 extension appended to the end of the encrypted data filename and leave files (ransom notes) named # HELP DECRYPT #.txt, # HELP DECRYPT #.html, and # HELP DECRYPT
#.url.
Trend Micro released a Ransomware File Decryptor for victims of earlier Cerber infections but it has limitations...must be used on the infected machine, may take several hours to complete decryption, some files may be only partially decrypted.
However, victims of Cerber Ransomware have reported the decryption tool does not work on cerber3 encrypted files.
In cases where a decryption tool does not work and you do not plan on paying the ransom, the only other alternative is to
backup/save your data as is and wait for a possible breakthrough...meaning, what seems like an impossibility at the moment (decryption of your data), there is always hope someday there may be a potential solution so save the encrypted data
and wait until that time. Imaging the drive backs up everything related to the infection including encrypted files, ransom notes and registry entries containing possible information which may be needed if a solution is ever discovered.
There is an ongoing discussion in this topic where you can ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions.
