Erebus Ransomware

The Erebus Ransomware joins the pantheon of encryption Trojans named after deities like Thor, Osiris and Mahasaraswati. The Erebus Ransomware is named after the Greek god Erebus (also Erebos) who was born out of Chaos and embodies the primordial darkness. Initial threat assessment of the Erebus Ransomware did not reveal connections to other crypto-threats. The Erebus Ransomware appears to be a new project, and we may see new variants of the Trojan. The Erebus Ransomware may be a new actor in the theater of ransomware, but its behavior is nothing more or less than standard compared to other well-known encryption Trojans. The only trait worth of note is that the Erebus Ransomware is using a combination of the RSA-2048 and the AES-256 ciphers to handle the encryption process. The Erebus Ransomware is distributed the same way as most threats in its class. A swarm of email accounts named after legitimate services sends out spam emails to millions of users.

Corrupted Attachments are Used as Proxies to Install the Erebus Ransomware on Remote Systems

Computer users that disable their anti-virus and ignore warnings from their security scanner are likely to be infected with the Erebus Ransomware when downloading a document from the spam folder on the email account. Documents attached to fake invoices and messages from social media like Facebook and Twitter may feature a corrupted macro. The macro is intended to work as a command to the Windows OS, which makes your computer connects to a remote host, download the payload for Erebus Ransomware, unpack it and run the Trojan. This technique is used by the ransomware developers behind the infamous Locky Ransomware and the HDD Encrypt Ransomware.

The encryption engine in the Erebus Ransomware is programmed to look for data on all connected storage devices, which includes media players and USB thumb drives. Security researchers alert that the Erebus Ransomware is able to encode more than four hundred file types. The authors of the Erebus Ransomware may adapt their product to run on server machines, and it is best that server administrators take a note and ensure their backups are stored on an unmapped drive. The Erebus Ransomware does not encipher objects used by the Windows OS and avoids directories like App Data, Program Files and the System Volume Information. That way, the victim can use the affected PC to deliver payment without having to worry about system stability. Encrypted files feature the '.ecrypt' extension and may be flagged by Windows as corrupted. For example, 'The Address on the Wall.jpeg' is transcoded to 'The Address on the Wall.jpeg.ecrypt.'

The Payments for the Erebus Ransomware are Processed via Insecure Pages on the Open Web

The Erebus Ransomware is not as sophisticated as the Cerber 4.0 Ransomware and uses pages on the Open Web instead of the TOR Network to handle payments. The team behind the Erebus Ransomware makes its demands known through 'YOUR_FILES_HAS_BEEN_ENCRYPTED.html' and 'YOUR_FILES_HAS_BEEN_ENCRYPTED.txt,' which compromised users can find on their desktops. Both documents feature the same message and direct the user to open personalized payment portals hosted on the Internet. Users do not need to install the TOR Browser, but they may need to buy a digital currency such as Bitcoin. The digital currency Bitcoin allows anonymous transactions and is accepted as an official payment method by several banks in China in 2016.

You do not need to buy Bitcoins and gamble the survival of your data. Threats like the Erebus Ransomware should be countered with backup managers ready to restore your files from backup images. It is important to note that there are examples of crypto-threats that can delete the Shadow Volume Copies made by Windows and it is best to save your backups and archives on a password protected drive. Your best move may be to invest in a removable storage where you can secure data against threats and power surges. Computer users may want to look into services like Google Drive and make sure they run a reputable security solution that can purge the Erebus Ransomware. The Erebus Ransomware is known to display the following warning on infected machines:

'Warning!
Your documents, photos, databases, important files been encrypted!
What happened to your files?
All of your files were protected by a strong encryption whit RSA- 2048.
More information about the encryption keys using RSA - 2048 can be found here. en.wikipedia.org/wiki/RSA_ (encryption)
What does this mean?
This means that the structure and data within your files have been irrevocably changed. You will not be able to work with them, read them or see them.
It is the same thing as losing them forever. But with our help, you can restore them.
How did this happen?
Especially for you. On our server was generated the secret key pair RSA- 2048 public and private.
All your files were encrypted with the public key. Which has been transferred to your computer via the Internet.
Decrypting of your files is only possible with the help of the private key and decrypt program. Which is on our secret server.
What do I do?
If you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed. If you really value your data.
Then we suggest you do not waste valuable time searching for other solutions because they do not exist.'

SpyHunter Detects & Remove Erebus Ransomware