
Erebus 2017 Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Threat Level: 80 % (High)
Infected Computers: 42
First Seen: February 8, 2017
Last Seen: June 16, 2022
OS(es) Affected: Windows

The Erebus 2017 Ransomware is a ransomware Trojan first observed in January 2017. A ransomware Trojan going by the name 'Erebus' was observed in September 2016. However, it looks like the Erebus 2017 Ransomware is either completely different from its predecessor, meaning that it may be a new ransomware Trojan reusing the same name, or that the first iteration of this threat was rewritten entirely by the people responsible for the attack. Currently, PC security researchers have not associated the Erebus 2017 Ransomware with a single distribution campaign.

The Erebus 2017 Ransomware Can Bypass User Account Control

The Erebus 2017 Ransomware demands a ransom that is considerably lower than comparable ransomware threats: $90 USD from its victims after taking their files hostage. The Erebus 2017 Ransomware bypasses User Account Control (UAC) so that it can carry out its attack on the victim's computer without displaying a UAC prompt. To do this, the Erebus 2017 Ransomware modifies the infected computer's Registry to hijack the Windows application associated with '.msc' files, so that opening such a file launches the Erebus 2017 Ransomware instead. The Erebus 2017 Ransomware then executes the Windows Event Viewer (eventvwr.exe), which automatically opens the file eventvwr.msc; because of the Registry change, Windows runs the Erebus 2017 Ransomware executable in its place. This bypasses UAC, allowing the Erebus 2017 Ransomware to carry out an effective attack on the victim's computer without any UAC prompt appearing.
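As an added defensive check that is not part of the original write-up, the following PowerShell script audits the Registry handler that Event Viewer uses to open .msc files. It assumes the hijack takes the usual form of a per-user 'mscfile' class override under HKCU, which the article describes without naming the key.

```powershell
# Added example, not from the original article. Audits the 'mscfile' class
# handler that eventvwr.exe uses to open eventvwr.msc. The legitimate
# registration lives under HKLM (mirrored in HKCR) and points to mmc.exe;
# a per-user copy under HKCU takes precedence, so its presence alone is a
# red flag. Assumption: the hijack targets this key (the article does not name it).

function Test-MscHandlerHijack {
    [CmdletBinding()]
    param()

    $userKey    = 'HKCU:\Software\Classes\mscfile\shell\open\command'
    $machineKey = 'HKLM:\Software\Classes\mscfile\shell\open\command'
    $findings   = @()

    foreach ($key in @($userKey, $machineKey)) {
        if (-not (Test-Path -LiteralPath $key)) { continue }

        # The handler command is stored in the key's default value.
        $cmd = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'(default)'
        if ([string]::IsNullOrWhiteSpace($cmd)) { continue }

        # The expected handler is mmc.exe from the System32 directory,
        # referenced either via %SystemRoot% or an absolute path.
        $pointsToMmc = ($cmd -match '(?i)^"?%SystemRoot%\\system32\\mmc\.exe"?') -or
                       ($cmd -match '(?i)^"?[A-Z]:\\Windows\\system32\\mmc\.exe"?')

        $findings += [pscustomobject]@{
            Key        = $key
            Command    = $cmd
            Suspicious = ($key -eq $userKey) -or (-not $pointsToMmc)
        }
    }
    return $findings
}

$results    = Test-MscHandlerHijack
$suspicious = $results | Where-Object { $_.Suspicious }
if ($suspicious) {
    $suspicious | Format-Table -AutoSize
    Write-Warning 'mscfile handler is overridden per-user or does not point to mmc.exe.'
} else {
    Write-Output 'mscfile handler looks normal.'
}
```

Any HKCU entry reported here should be examined and removed after the executable it points to has been captured for analysis, since the override survives reboots and re-arms the bypass each time Event Viewer runs.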

How the Erebus 2017 Ransomware Infection Works

The Erebus 2017 Ransomware establishes a connection to its Command and Control server and to a website that allows it to determine the victim's IP address and geographical location. The Erebus 2017 Ransomware downloads a Tor client that is used to carry out its communications with its Command and Control server. The Erebus 2017 Ransomware searches for certain file types and uses AES encryption to make them completely inaccessible. Currently, the Erebus 2017 Ransomware searches for the following file types on the victim's computer and encrypts them:

.accdb, .arw, .bay, .cdr, .cer, .crt, .crw, .dbf, .dcr, .der, .dng, .doc, .docm, .docx, .dwg, .dxf, .dxg, .eps, .erf, .indd, .jpe, .jpg, .kdc, .mdb, .mdf, .mef, .mrw, .nef, .nrw, .odb, .odm, .odp, .ods, .odt, .orf, .pdd, .pef, .pem, .pfx, .png, .ppt, .pptm, .pptx, .psd, .pst, .ptx, .raf, .raw, .rtf, .rwl, .srf, .srw, .txt, .wpd, .wps, .xlk, .xls, .xlsb, .xlsm, .xlsx.

During the attack, the encrypted files' extensions are also altered and show up as different characters. The Erebus 2017 Ransomware also deletes the Shadow Volume Copies of the infected files to prevent computer users from restoring them. The Erebus 2017 Ransomware displays its ransom note in an HTML file named 'README.HTML,' which is dropped on the infected computer's Desktop, and also displays a pop-up message. The Erebus 2017 Ransomware pop-up message reads as follows:

'Files crypted!
Every important file on this computer was crypted. Please look on your documents or desktop folder for a file called README.html for instructions on how to decrypt them.'

The Erebus 2017 Ransomware's ransom note contains the following text:

'Data crypted

Every important file (documents,photos,videos etc) on this computer has been encrypted using an unique key for this computer.
It is impossible to recover your files without this key. You can try to open them they won't work and will stay that way.

That is, unless you buy a decryption key and decrypt your files.
Click 'recover my files' below to go to the website allowing you to buy the key.
From now on you have 96 hours to recover the key after this time it will be deleted and your files will stay unusable forever
Your id is : '[id]' you can find this page on your desktop and document folder Use it to

if the button below doesn't work you need to download a web browser called 'tor browser'
download by clicking here then install the browser, it's like chrome, firefox or internet explorer except it allows you to browse to special websites.
once it's launched browse to http://erebus5743lnq6db.onion'
