What is a Cetori file? A file with the .cetori extension is a file that has been locked by Cetori ransomware. This security threat is also known as crypto malware that use very strong hybrid encryption with a large key in order to block users’ data. It’s not possible to open the files by simply changing the file extension. The photos, documents and music will be unlocked only if victims pay for the private key that will unlock these files.
Files encrypted by cetori virus
The files that will be encrypted include the following file extensions:
.fpk, .mdb, .wbk, .xdb, .wire, .xls, .hkdb, .sis, .wpl, .ysp, .indd, .xyp, .ncf, .blob, .sidd, .lbf, .bsa, .xy3, .wma, .sie, .txt, .iwi, .jpe, .mlx, .rb, .dba, .pptx, .rofl, .1st, .jpg, .mrwref, .xdl, .bar, .t13, .xxx, .srw, .wmd, .slm, .wpa, .das, .xyw, .dng, .xlsb, .yml, .desc, .pptm, .css, .rtf, .xlgc, .wsh, .dcr, .xar, .w3x, .dbf, .zabw, .cdr, .webdoc, .x3f, .wpg, .xmmap, .nrw, .psd, .zdc, .bay, .big, .wot, .pkpass, .xpm, .p7b, .wn, .wbc, .qdf, .xlsx, .bik, .raf, .p12, .wmv, .2bp, .odp, .r3d, .xml, .wps, .hvpl, .menu, .itdb, .srf, .xlsm, .gho, .wm, .xbplate, .orf, .wpd, .sum, .layout, .ods, .ppt, .x3f, .sql, .py, .qic, .lvl, .wp5, .wbz, .wpt, .pst, .xmind, .fos, .vfs0, .3dm, .xll, .avi, .raw, .forge, .kf, .xlsm, .mddata, .wsd, .vpp_pc, .x, .db0, .cer, .re4, .mcmeta, .sr2, .mef, .odc, .wp6, .odb, .pdd, .lrf, .litemod, .wdp, .dmp, .cr2, .ntl, .zip, .cfr, .wma, .dwg, .apk, .m4a, .pak, .icxs, .sb, .yal, .0, .accdb, .wp, .js, .asset, .wri, .wdb, .gdb, .3fr, .upk, .crw, .erf, .rar, .zw, .odm, .xls, .rw2, .xbdoc, .ibank, .crt, .vcf, .dxg, .dazip, .hplg, .y, .ff, .kdb, .mp4, .psk, .png, .wmo, .ws, .pfx, .mdbackup, .p7c, .wpb, .sid, .csv, .wpd, .1, .bc7, .mdf, .wgz, .x3d, .docm, .xlk, .mpqge, .wbm, .itm, .vdf, .d3dbsp, .xwp, .wbmp, .xlsx, .arw, .svg, .m3u, .bkf, .eps, .rim, .wav, .ptx, .wbd, .ai, .wsc, .doc, .zi, .docx, .vpk, .wp4, .arch00, .ltx, .iwd, .sidn, .zip, .7z, .snx, .wb2, .fsh, .ybk, .vtf, .webp, .wpw, .zdb, .der, .wcf, .m2, .t12, wallet, .ztmp, .wmf, .flv, .map, .bc6, .hkx, .xld, .wotreplay, .sav, .bkp, .xf, .epk, .kdc, .jpeg, .mov, .esm, .pdf, .cas
Upon encryption, all encrypted documents, photos and music will then be appended with the .cetori extension (e.g., ‘photo.jpg is renamed to ‘photo.jpg.cetori’). Ransomware leaves a ransomnote named ‘_readme.txt’ with instructions for extortion and ransom payment.
ATTENTION! Don't worry, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can get and look video overview decrypt tool: https://we.tl/t-B2xUNoHxJk To get this software you need write on our e-mail: gorentos@bitmessage.ch Reserve e-mail address to contact us: gorentos2@firemail.cc Your personal ID:
Threat Summary
| Name | Cetori |
| Type | Crypto malware, Filecoder, Ransomware, Crypto virus, File locker |
| Encrypted files extension | .cetori |
| Ransom note | _readme.txt |
| Contact | gorentos@bitmessage.ch |
| Ransom amount | $980 in Bitcoins |
| Symptoms | Your photos, documents and music fail to open. Windows Explorer displays a blank icon for the file type. Your documents, photos and music now have new extensions that end with something like .cetori. Files called like ‘_readme.txt’, or ‘_readme” in every folder with an encrypted file. |
| Distribution ways | Spam or phishing emails that are created to get people to open an attachment or click on a link. Drive-by downloads from a compromised webpage. Social media posts (they can be used to mislead users to download malicious software with a built-in ransomware downloader or click a malicious link). USB flash drives containing malware. |
| Removal | To remove Cetori ransomware use the removal guide |
| Decryption | To decrypt Cetori ransomware use the steps |
This blog post is created for those who are searching for a solution to completely delete Cetori virus from the PC, and for those who want to learn as much as possible about how recover documents, photos and music. We hope you will find answers to all your questions in this article.
Quick links
- How to remove Cetori file virus
- Run STOPDecrypter to decrypt .cetori files
- How to restore .cetori files
How to remove Cetori file virus
Security researchers have built efficient malware removal tools to help users in uninstalling Ransomware, trojans and worms. Below we will share with you the best malicious software removal tools with the ability to locate and remove Cetori crypto malware and other malicious software.
How to delete Cetori ransomware with Zemana Anti-Malware
Zemana is a free malicious software removal tool. Currently, there are two versions of the tool, one of them is free and second is paid (premium). The principle difference between the free and paid version of the utility is real-time protection module. If you just need to check your personal computer for malware and delete Cetori ransomware related folders,files and registry keys, then the free version will be enough for you.
Installing the Zemana is simple. First you’ll need to download Zemana Anti Malware from the following link. Save it to your Desktop.
164987 downloads
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
When the downloading process is complete, close all windows on your personal computer. Further, start the setup file called Zemana.AntiMalware.Setup. If the “User Account Control” dialog box pops up as shown on the screen below, press the “Yes” button.
It will show the “Setup wizard” that will assist you install Zemana on the system. Follow the prompts and do not make any changes to default settings.
Once setup is done successfully, Zemana Free will automatically launch and you can see its main window as displayed in the following example.
Next, press the “Scan” button to perform a system scan for the Cetori crypto virus, other kinds of potential threats such as malicious software and trojans. A scan may take anywhere from 10 to 30 minutes, depending on the number of files on your computer and the speed of your computer.
When that process is done, the results are displayed in the scan report. Review the results once the tool has done the system scan. If you think an entry should not be quarantined, then uncheck it. Otherwise, simply click “Next” button.
The Zemana will uninstall Cetori crypto malware, other malware, worms and trojans and move threats to the program’s quarantine. When finished, you can be prompted to restart your personal computer.
Automatically remove Cetori ransomware with MalwareBytes
You can remove Cetori virus automatically through the use of MalwareBytes Free. We suggest this free malware removal utility because it may easily delete ransomware, adware, malicious software and other unwanted apps with all their components such as files, folders and registry entries.
Download MalwareBytes Free on your MS Windows Desktop by clicking on the link below.
327224 downloads
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020
Once downloading is finished, close all software and windows on your computer. Double-click the install file named mb3-setup. If the “User Account Control” dialog box pops up as on the image below, click the “Yes” button.
It will open the “Setup wizard” that will help you setup MalwareBytes on your computer. Follow the prompts and do not make any changes to default settings.
Once setup is done successfully, click Finish button. MalwareBytes Free will automatically start and you can see its main screen like below.
Now click the “Scan Now” button . MalwareBytes application will scan through the whole PC system for the Cetori ransomware virus and other security threats. A scan can take anywhere from 10 to 30 minutes, depending on the number of files on your system and the speed of your computer. While the MalwareBytes utility is scanning, you can see number of objects it has identified as being infected by malicious software.
When MalwareBytes AntiMalware has finished scanning, it will show the Scan Results. You may remove items (move to Quarantine) by simply press “Quarantine Selected” button. The MalwareBytes will delete Cetori ransomware, other kinds of potential threats like malicious software and trojans. After the procedure is done, you may be prompted to reboot the PC system.
We suggest you look at the following video, which completely explains the procedure of using the MalwareBytes to remove adware, browser hijacker and other malware.
If the problem with Cetori ransomware is still remained
If MalwareBytes anti-malware or Zemana anti-malware cannot delete this crypto virus, then we suggests to run the KVRT. KVRT is a free removal tool for crypto malwares, adware software, potentially unwanted software and toolbars.
Download Kaspersky virus removal tool (KVRT) on your computer by clicking on the link below.
129279 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
Once downloading is complete, double-click on the Kaspersky virus removal tool icon. Once initialization process is complete, you’ll see the Kaspersky virus removal tool screen as displayed in the figure below.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next click Start scan button to scan for Cetori crypto virus and other known infections. A system scan can take anywhere from 5 to 30 minutes, depending on your computer. While the Kaspersky virus removal tool program is checking, you can see number of objects it has identified as threat.
After the scan get finished, Kaspersky virus removal tool will open a list of all threats found by the scan as shown on the image below.
When you are ready, press on Continue to begin a cleaning process.
Run STOPDecrypter to decrypt .cetori files
With some variants of Cetori file virus, it is possible to decrypt encrypted files using free tools listed below.
Michael Gillespie (@) released the Cetori decryption tool named STOPDecrypter. It can decrypt .cetori files if they were locked by one of the known OFFLINE KEY’s retrieved by Michael Gillespie. Please check the twitter post for more info.
Cetori decryption tool
STOPDecrypter is a program that can be used for Cetori files decryption. One of the biggest advantages of using STOPDecrypter is that is free and easy to use. Also, it constantly keeps updating its ‘OFFLINE KEYs’ DB. Let’s see how to install STOPDecrypter and decrypt .cetori files using this free tool.
- STOP Decrypter can be downloaded from the following link. Save it on your Microsoft Windows desktop or in any other place.
download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip - After the download is done, close all programs and windows on your computer. Open a file location.
- Right-click on the icon that’s named STOPDecrypter.zip. Further, select ‘Extract all’ and follow the prompts.
- Once the extraction process is done, right click on STOPDecrypter, choose ‘Run as Admininstrator’. Select Directory and press Decrypt button.
If STOPDecrypter does not help you to decrypt .cetori files, in some cases, you have a chance to restore your personal files, which were encrypted by crypto virus. This is possible due to the use of the tools named ShadowExplorer and PhotoRec. An example of recovering encrypted personal files is given below.
How to restore .cetori files
In some cases, you can recover files encrypted by Cetori crypto virus. Try both methods. Important to understand that we cannot guarantee that you will be able to recover all encrypted photos, documents and music.
Use ShadowExplorer to restore .cetori files
If automated backup (System Restore) is enabled, then you can use it to restore all encrypted files to previous versions.
Visit the page linked below to download ShadowExplorer. Save it on your Windows desktop.
439626 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019
After the download is done, extract the downloaded file to a directory on your PC. This will create the necessary files like below.
Run the ShadowExplorerPortable program. Now select the date (2) that you want to restore from and the drive (1) you want to restore files (folders) from similar to the one below.
On right panel navigate to the file (folder) you want to restore. Right-click to the file or folder and click the Export button such as the one below.
And finally, specify a folder (your Desktop) to save the shadow copy of encrypted file and press ‘OK’ button.
Use PhotoRec to restore .cetori files
Before a file is encrypted, the Cetori crypto virus makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your documents, photos and music using file recover apps such as PhotoRec.
Download PhotoRec on your system from the link below.
After the downloading process is complete, open a directory in which you saved it. Right click to testdisk-7.0.win and select Extract all. Follow the prompts. Next please open the testdisk-7.0 folder like the one below.
Double click on qphotorec_win to run PhotoRec for Windows. It’ll show a screen as displayed in the figure below.
Select a drive to recover as on the image below.
You will see a list of available partitions. Select a partition that holds encrypted personal files as displayed on the image below.
Click File Formats button and specify file types to recover. You can to enable or disable the restore of certain file types. When this is done, press OK button.
Next, press Browse button to select where recovered personal files should be written, then press Search.
Count of recovered files is updated in real time. All restored documents, photos and music are written in a folder that you have selected on the previous step. You can to access the files even if the recovery process is not finished.
When the restore is finished, click on Quit button. Next, open the directory where recovered photos, documents and music are stored. You will see a contents as on the image below.
All restored documents, photos and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you’re looking for a specific file, then you can to sort your recovered files by extension and/or date/time.
How to protect your personal computer from Cetori crypto virus?
Most antivirus applications already have built-in protection system against the ransomware. Therefore, if your personal computer does not have an antivirus application, make sure you install it. As an extra protection, run the HitmanPro.Alert.
Use HitmanPro.Alert to protect your PC system from Cetori ransomware
All-in-all, HitmanPro.Alert is a fantastic tool to protect your system from any ransomware. If ransomware is detected, then HitmanPro.Alert automatically neutralizes malware and restores the encrypted files. HitmanPro.Alert is compatible with all versions of Microsoft Windows operating system from Windows XP to Windows 10.
Click the link below to download the latest version of HitmanPro.Alert for MS Windows. Save it on your Windows desktop.
When the downloading process is complete, open the directory in which you saved it. You will see an icon like below.
Double click the HitmanPro Alert desktop icon. After the tool is started, you’ll be shown a window where you can choose a level of protection, as shown in the figure below.
Now click the Install button to activate the protection.
Finish words
After completing the steps above, your machine should be clean from Cetori crypto virus and other malicious software. Your PC will no longer encrypt your personal files. Unfortunately, if the few simple steps does not help you, then you have caught a new crypto malware, and then the best way – ask for help here.
