ERIS Ransomware

By GoldSparrow in Ransomware

A new data-locking Trojan has been spotted circulating the Web recently. It goes by the name ERIS Ransomware and does not seem to belong to any of the popular ransomware families.

It is not clear what the exact infection vector of the ERIS Ransomware is, but it is widely believed that the authors of this threat may be using fake software updates, pirated media, and spam emails containing macro-laced attachments. If the ERIS Ransomware penetrates a computer successfully, it will waste no time and will immediately start scanning the infiltrated machine to locate the files it was programmed to target. When the data is located, the ERIS Ransomware will begin encrypting it. The ERIS Ransomware alters the names of the affected files by adding the '.ERIS' extension. This means that if you had called an audio file 'Billie-Eilish-interview.mp3', the ERIS Ransomware would change it to 'Billie-Eilish-interview.mp3.ERIS'. In addition to marking the names of the encrypted files, the ERIS Ransomware also will create a new end-of-file (EOF) marker, '_FLAG_ENCRYPTED'.

The purpose of this action is not clear, but it might be used to prevent the ERIS Ransomware from encrypting files multiple times, as well as to help the decryptor identify the files that need to be decrypted. Then, the ERIS Ransomware drops a ransom note named '@ READ ME TO RECOVER FILES @.txt'. In the note, the attackers state that they have applied the Salsa20 and RSA-1024 encryption algorithms and that there is no way for you to recover your data without their help. The authors of the ERIS Ransomware demand $825, insist that the ransom be paid in Bitcoin, and instruct the victim on how to obtain Bitcoin. Then, to prove that they are capable of decrypting the locked data, the attackers offer to unlock one file for free, as long as it is smaller than 1MB in size. The creators of the ERIS Ransomware also provide six-step instructions on how to supposedly recover the locked data. The attackers also give out their email address: erisfixer@tuta.io.
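The three indicators described above (the '.ERIS' extension, the '_FLAG_ENCRYPTED' end-of-file marker and the ransom note name) can be combined to scope which files on a volume were affected. The read-only Python script below is an added example, not part of the original article; it assumes the marker is stored as ASCII text within the last 64 bytes of a file, which the article does not specify, and the function names are illustrative.

```python
import os
import sys

MARKER = b"_FLAG_ENCRYPTED"   # end-of-file marker named in the write-up
EXTENSION = ".eris"           # appended extension, compared case-insensitively
NOTE_NAME = "@ READ ME TO RECOVER FILES @.txt"
TAIL_BYTES = 64               # assumption: marker lies within the last 64 bytes


def has_marker(path, tail_bytes=TAIL_BYTES):
    """True if MARKER occurs in the final tail_bytes of the file."""
    try:
        with open(path, "rb") as fh:
            size = fh.seek(0, os.SEEK_END)
            fh.seek(max(0, size - tail_bytes))
            return MARKER in fh.read()
    except OSError:
        return False  # unreadable: cannot confirm from content


def triage(root):
    """Classify every file under root by the indicators the page describes."""
    report = {"confirmed": [], "extension_only": [], "marker_only": [], "notes": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == NOTE_NAME:
                report["notes"].append(path)
                continue
            renamed = name.lower().endswith(EXTENSION)
            marked = has_marker(path)
            if renamed and marked:
                report["confirmed"].append(path)
            elif renamed:
                report["extension_only"].append(path)  # renamed, content unverified
            elif marked:
                report["marker_only"].append(path)     # marker present, name differs
    for paths in report.values():
        paths.sort()
    return report


if __name__ == "__main__":
    # Usage: python eris_triage.py <directory>  (read-only; nothing is modified)
    result = triage(sys.argv[1] if len(sys.argv) > 1 else ".")
    for bucket, paths in result.items():
        print(f"{bucket}: {len(paths)}")
        for p in paths:
            print(f"  {p}")
```

Files in the `extension_only` and `marker_only` buckets need manual review: the first may have been renamed without carrying the marker where this script looks for it, and the second may have been renamed back after encryption.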

It is crucial to remind you that it is never advisable to contact cybercriminals like the ones behind the ERIS Ransomware. Do not attempt to negotiate with such individuals. Instead, you should make sure to obtain a legitimate anti-malware application and keep it updated so that you do not end up in the hands of cyber crooks.
