Erebus 2017 Ransomware
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Ranking: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
Threat Level: 80 % (High)
Infected Computers: 42
First Seen: February 8, 2017
Last Seen: June 16, 2022
OS(es) Affected: Windows
The Erebus 2017 Ransomware is a ransomware Trojan first observed in January 2017. A ransomware Trojan going by the name 'Erebus' was observed in September 2016. However, it looks like the Erebus 2017 Ransomware is either a completely different threat that reuses the name, or a complete rewrite of the first iteration by the people responsible for the attack. Currently, PC security researchers have not associated the Erebus 2017 Ransomware with a single distribution campaign.
The Erebus 2017 Ransomware Can Bypass User Account Control
The Erebus 2017 Ransomware demands a ransom that is considerably lower than comparable ransomware threats: $90 USD from each victim after taking their files hostage. The Erebus 2017 Ransomware also bypasses User Account Control (UAC), so it can carry out its attack on the victim's computer without UAC ever displaying a prompt. To do this, it modifies the infected computer's Registry to hijack the Windows application association for '.msc' files, so that opening such a file launches the Erebus 2017 Ransomware instead. It then executes the Windows Event Viewer (eventvwr.exe), which automatically opens the file eventvwr.msc; because of the Registry change, Windows runs the Erebus 2017 Ransomware executable. This bypasses UAC and allows the Erebus 2017 Ransomware to carry out an effective attack without any UAC messages appearing.
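From a detection standpoint, the sequence above leaves two correlatable traces: a write to the '.msc' file-handler value under a user's Software\Classes hive, followed shortly by Event Viewer starting. The following is an added example, not EnigmaSoft's or the malware author's code, that flags that pair over constructed Sysmon-style events. It assumes the hijacked association is written under a per-user Software\Classes\mscfile\shell\open\command key (the article only says the '.msc' handler is changed) and that the default handler is mmc.exe; the log format, user names, and SID are constructed.

```python
"""Added example (not EnigmaSoft's or the malware author's code): detect the
'.msc' handler hijack the article describes, using constructed Sysmon-style
events.

Assumptions, labelled because the article does not state them:
  * the hijacked association lives under a per-user
    Software\\Classes\\mscfile\\shell\\open\\command value, whose default
    handler is mmc.exe;
  * events arrive as 'timestamp|kind|user|target|detail' lines, where kind is
    'registry_set' or 'process_create'.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Any Classes\mscfile handler write whose data does not point at mmc.exe is suspicious.
MSCFILE_HANDLER = re.compile(r"\\software\\classes\\mscfile\\shell\\open\\command$", re.I)
LEGIT_HANDLER = re.compile(r"\bmmc\.exe\b", re.I)
# How long after the handler write we look for Event Viewer being launched.
WINDOW = timedelta(minutes=10)

# Constructed sample events: the legitimate HKLM default, a per-user hijack by
# 'alice' followed by eventvwr.exe starting, and an unrelated launch by 'bob'.
SAMPLE_LOG = r"""
2017-02-08T10:00:01|registry_set|WORKSTATION\alice|HKLM\Software\Classes\mscfile\shell\open\command|%SystemRoot%\system32\mmc.exe "%1" %*
2017-02-08T10:02:13|registry_set|WORKSTATION\alice|HKU\S-1-5-21-1000\Software\Classes\mscfile\shell\open\command|C:\Users\alice\AppData\Roaming\update.exe
2017-02-08T10:02:14|process_create|WORKSTATION\alice|C:\Windows\System32\eventvwr.exe|eventvwr.exe
2017-02-08T10:30:00|process_create|WORKSTATION\bob|C:\Windows\System32\eventvwr.exe|eventvwr.exe
"""


@dataclass
class Event:
    ts: datetime
    kind: str    # 'registry_set' or 'process_create'
    user: str
    target: str  # registry value path, or image path of the new process
    detail: str  # registry value data, or the process command line


def parse_log(text):
    """Parse the pipe-delimited constructed log format into Event objects."""
    events = []
    for line in text.strip().splitlines():
        ts, kind, user, target, detail = line.split("|", 4)
        events.append(Event(datetime.fromisoformat(ts), kind, user, target, detail))
    return events


def find_hijacks(events):
    """Return one finding per suspicious mscfile handler write.

    Severity is 'high' when the same user launched eventvwr.exe within WINDOW
    of the write (the sequence the article describes), otherwise 'medium'.
    """
    findings = []
    for reg in events:
        if reg.kind != "registry_set" or not MSCFILE_HANDLER.search(reg.target):
            continue
        if LEGIT_HANDLER.search(reg.detail):
            continue  # still points at mmc.exe: the normal association
        launched = any(
            ev.kind == "process_create"
            and ev.user == reg.user
            and ev.target.lower().endswith("\\eventvwr.exe")
            and reg.ts <= ev.ts <= reg.ts + WINDOW
            for ev in events
        )
        findings.append({
            "time": reg.ts.isoformat(),
            "user": reg.user,
            "key": reg.target,
            "handler": reg.detail,
            "eventvwr_launched": launched,
            "severity": "high" if launched else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in find_hijacks(parse_log(SAMPLE_LOG)):
        print(f"[{f['severity'].upper()}] {f['user']} redirected the .msc handler to "
              f"{f['handler']} (Event Viewer launched: {f['eventvwr_launched']})")
```

The handler write alone is already worth an alert (a per-user mscfile association has no normal reason to exist), which is why an unmatched write still produces a medium finding; the Event Viewer launch only raises confidence that the bypass was actually triggered.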
How the Erebus 2017 Ransomware Infection Works
The Erebus 2017 Ransomware establishes a connection to its Command and Control server and to a website that allows it to determine the victim's IP address and geographical location. It downloads a TOR client, which it uses for its communications with the Command and Control server. The Erebus 2017 Ransomware then searches for certain file types and encrypts them with AES, making them completely inaccessible. Currently, the Erebus 2017 Ransomware targets the following file types on the victim's computer:
.accdb, .arw, .bay, .cdr, .cer, .crt, .crw, .dbf, .dcr, .der, .dng, .doc, .docm, .docx, .dwg, .dxf, .dxg, .eps, .erf, .indd, .jpe, .jpg, .kdc, .mdb, .mdf, .mef, .mrw, .nef, .nrw, .odb, .odm, .odp, .ods, .odt, .orf, .pdd, .pef, .pem, .pfx, .png, .ppt, .pptm, .pptx, .psd, .pst, .ptx, .raf, .raw, .rtf, .rwl, .srf, .srw, .txt, .wpd, .wps, .xlk, .xls, .xlsb, .xlsm, .xlsx.
During the attack, the encrypted files' extensions are also encrypted, so they show up as different characters. The Erebus 2017 Ransomware also deletes the Shadow Volume Copies of the affected files to prevent computer users from restoring them. The Erebus 2017 Ransomware displays its ransom note in an HTML file named 'README.HTML,' which is dropped on the infected computer's Desktop, and also displays a pop-up message. The Erebus 2017 Ransomware pop-up message reads as follows:
'Files crypted!
Every important file on this computer was crypted. Please look on your documents or desktop folder for a file called README.html for instructions on how to decrypt them.'
The Erebus 2017 Ransomware's ransom note contains the following text:
Data crypted
Every important file (documents,photos,videos etc) on this computer has been encrypted using an unique key for this computer.
It is impossible to recover your files without this key. You can try to open them they won't work and will stay that way.
That is, unless you buy a decryption key and decrypt your files.
Click 'recover my files' below to go to the website allowing you to buy the key.
From now on you have 96 hours to recover the key after this time it will be deleted and your files will stay unusable forever
Your id is : '[id]' you can find this page on your desktop and document folder Use it to
if the button below doesn't work you need to download a web browser called 'tor browser'
download by clicking here then install the browser, it's like chrome, firefox or internet explorer except it allows you to browse to special websites.
once it's launched browse to http://erebus5743lnq6db.onion'
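Responders often recover README.HTML before they recover a sample, so the note itself is a useful triage artifact. The following added example, which is not EnigmaSoft's code, strips the HTML from a recovered note, scores the text against phrases quoted above, and extracts the indicators worth recording in a case file: the victim id, the payment deadline, and any .onion address. The sample note is constructed from the text quoted in this article; the victim id in it is a constructed placeholder, not a real one.

```python
"""Added example (not EnigmaSoft's code): triage a recovered Erebus-style
ransom note.

The phrase list comes from the note text quoted in the article. The sample
HTML below is constructed from that text; 'CONSTRUCTED-ID-0001' is a
placeholder victim id.
"""
import html
import re

# Phrases from the note as quoted in the article. Three or more hits is a match.
NOTE_PHRASES = (
    "data crypted",
    "every important file",
    "impossible to recover your files without this key",
    "recover my files",
    "tor browser",
)
MIN_PHRASE_HITS = 3

TAG_RE = re.compile(r"<[^>]+>")
ID_RE = re.compile(r"your id is\s*:\s*'([^']+)'", re.I)
DEADLINE_RE = re.compile(r"you have (\d+) hours", re.I)
# v2 (16-char) and v3 (56-char) onion hostnames, with or without a scheme.
ONION_RE = re.compile(r"(?:https?://)?\b[a-z2-7]{16}(?:[a-z2-7]{40})?\.onion\b", re.I)

# Constructed sample: the article's note text wrapped in minimal HTML.
SAMPLE_NOTE_HTML = """<html><body>
<h1>Data crypted</h1>
<p>Every important file (documents,photos,videos etc) on this computer has been
encrypted using an unique key for this computer.</p>
<p>It is impossible to recover your files without this key. You can try to open
them they won't work and will stay that way.</p>
<p>Click <b>'recover my files'</b> below to go to the website allowing you to buy the key.</p>
<p>From now on you have 96 hours to recover the key after this time it will be
deleted and your files will stay unusable forever</p>
<p>Your id is : 'CONSTRUCTED-ID-0001' you can find this page on your desktop and document folder</p>
<p>if the button below doesn't work you need to download a web browser called 'tor browser'</p>
<p>once it's launched browse to <a href="http://erebus5743lnq6db.onion">http://erebus5743lnq6db.onion</a></p>
</body></html>"""


def strip_html(raw):
    """Drop tags, decode entities and collapse whitespace to single spaces."""
    text = TAG_RE.sub(" ", raw)
    return re.sub(r"\s+", " ", html.unescape(text)).strip()


def triage_note(raw_html):
    """Classify the note and pull out the indicators a case file needs."""
    text = strip_html(raw_html)
    lowered = text.lower()
    hits = [p for p in NOTE_PHRASES if p in lowered]
    id_match = ID_RE.search(text)
    dl_match = DEADLINE_RE.search(text)
    return {
        "is_erebus_note": len(hits) >= MIN_PHRASE_HITS,
        "phrase_hits": hits,
        "victim_id": id_match.group(1) if id_match else None,
        "deadline_hours": int(dl_match.group(1)) if dl_match else None,
        "onion_urls": sorted({m.group(0) for m in ONION_RE.finditer(text)}),
    }


if __name__ == "__main__":
    result = triage_note(SAMPLE_NOTE_HTML)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Matching on several phrases rather than one exact string keeps the check useful when the operators reword a line or change the payment site; the extracted .onion address and victim id are what you would hand to the team maintaining blocklists and case records.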