The MalwareHunterTeam has recently found a sample of a potentially new infection, named Erebus ransomware. A few months earlier, in September 2016, TrendMicro had reported another ransomware using the same name. At present there is no information on how the Erebus ransomware is being distributed, but analysis of the malware reveals some rather interesting features.
Its first and most notable characteristic is the low ransom amount of ~$90 USD requested by Erebus. Another interesting feature is its use of a UAC bypass, which allows the ransomware to run with elevated privileges without displaying a UAC prompt.
When executed, the installer for Erebus uses a User Account Control (UAC) bypass method so that users are not prompted to allow the program to run with higher privileges. It does this by copying itself to a randomly named file in the same folder. It then modifies the Windows registry to hijack the association for the .msc file extension so that the randomly named Erebus executable is launched instead of the normal handler.
After that, Erebus executes eventvwr.exe (Event Viewer), which automatically opens the eventvwr.msc file. Because the .msc extension is no longer associated with mmc.exe but with the randomly named Erebus executable, Event Viewer launches Erebus instead. As Event Viewer runs in elevated mode, the Erebus executable it launches inherits the same privileges. This is how Erebus bypasses User Account Control.
Once running, Erebus connects to http://ipecho.net/plain and http://ipinfo.io/country to determine the victim's IP address and the country they are located in. It then downloads a TOR client and uses it to connect to the ransomware's Command & Control server. Erebus then scans the victim's PC for particular file types and, as soon as it detects a targeted file type, encrypts the file using AES encryption.
After encrypting a file, Erebus encrypts the extension using ROT-23. For instance, a file named test.jpg would be encrypted and renamed to test.msj. During this process, Erebus also clears the Windows Volume Shadow Copies so that they cannot be used to recover files. The command executed to clear the shadow copies is: cmd.exe /C vssadmin delete shadows /all /quiet && exit
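The behaviours described in the four paragraphs above (the .msc handler hijack launched through Event Viewer, the IP and country lookups, and the shadow copy deletion) all leave host telemetry that a defender can alert on. The following is an added detection example written for this page; it is not code from the article or from MalwareHunterTeam. It runs over a handful of constructed Sysmon-style events (EventID 1 = process creation, 13 = registry value set, 22 = DNS query, as in Sysmon; the key=value|... line format and the random executable name aK9xQ2.exe are assumptions made for the example). The article only says the .msc association is hijacked; the per-user mscfile\shell\open\command key matched below is taken from the publicly documented eventvwr technique and is labelled as an assumption in the code.

```python
"""Added detection example for the Erebus behaviours described above.
Not code from the article; input events are CONSTRUCTED."""
import re

# Constructed Sysmon-style events.  aK9xQ2.exe is an invented name for the
# randomly named copy the installer drops next to itself.
SAMPLE_EVENTS = [
    r"EventID=13|Image=C:\Users\victim\Downloads\aK9xQ2.exe"
    r"|TargetObject=HKU\S-1-5-21-1\Software\Classes\mscfile\shell\open\command\(Default)"
    r"|Details=C:\Users\victim\Downloads\aK9xQ2.exe",
    r"EventID=22|Image=C:\Users\victim\Downloads\aK9xQ2.exe|QueryName=ipecho.net",
    r"EventID=1|Image=C:\Windows\System32\eventvwr.exe"
    r"|ParentImage=C:\Users\victim\Downloads\aK9xQ2.exe|CommandLine=eventvwr.exe",
    r"EventID=1|Image=C:\Users\victim\Downloads\aK9xQ2.exe"
    r"|ParentImage=C:\Windows\System32\eventvwr.exe"
    r"|CommandLine=C:\Users\victim\Downloads\aK9xQ2.exe",
    r"EventID=1|Image=C:\Windows\System32\cmd.exe"
    r"|ParentImage=C:\Users\victim\Downloads\aK9xQ2.exe"
    r"|CommandLine=cmd.exe /C vssadmin delete shadows /all /quiet && exit",
    # Benign control: a normal Event Viewer launch, which spawns mmc.exe.
    r"EventID=1|Image=C:\Windows\System32\mmc.exe"
    r"|ParentImage=C:\Windows\System32\eventvwr.exe"
    r'|CommandLine="C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc"',
]

# Services the article says Erebus contacts for the victim's IP and country.
# Both are legitimate, so a hit on its own is only a corroborating signal.
GEOIP_HOSTS = {"ipecho.net", "ipinfo.io"}


def parse_event(line):
    """Split a 'key=value|key=value' line into a dict (assumed format)."""
    return dict(field.split("=", 1) for field in line.split("|"))


def basename(path):
    """Last path component, lower-cased, for image name comparisons."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, subject, detail) tuples for every matching event."""
    findings = []
    for raw in events:
        ev = parse_event(raw)
        eid = ev.get("EventID")
        if eid == "13":
            # Assumption: the hijack lands in the per-user
            # mscfile\shell\open\command key, as in the public eventvwr
            # technique; the article only says the .msc association is hijacked.
            if r"mscfile\shell\open\command" in ev.get("TargetObject", "").lower():
                findings.append(("msc_handler_hijack", ev.get("Image", ""), ev.get("Details", "")))
        elif eid == "1":
            parent = basename(ev.get("ParentImage", ""))
            child = basename(ev.get("Image", ""))
            # Event Viewer legitimately spawns only mmc.exe; any other child is
            # the hijacked handler running with Event Viewer's elevation.
            if parent == "eventvwr.exe" and child != "mmc.exe":
                findings.append(("eventvwr_unexpected_child", ev.get("ParentImage", ""), ev.get("Image", "")))
            # The exact shadow copy wipe the article quotes.
            if re.search(r"vssadmin(\.exe)?\s+delete\s+shadows", ev.get("CommandLine", ""), re.I):
                findings.append(("shadow_copy_deletion", ev.get("Image", ""), ev.get("CommandLine", "")))
        elif eid == "22":
            if ev.get("QueryName", "").lower() in GEOIP_HOSTS:
                findings.append(("geoip_lookup", ev.get("Image", ""), ev.get("QueryName", "")))
    return findings


def severity(findings):
    """High when a strong indicator is present; the geoip lookup alone is low."""
    rules = {f[0] for f in findings}
    strong = {"msc_handler_hijack", "eventvwr_unexpected_child", "shadow_copy_deletion"}
    if rules & strong:
        return "high"
    return "low" if rules else "none"


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for rule, subject, detail in hits:
        print(f"{rule:28s} {subject}  ->  {detail}")
    print("severity:", severity(hits))
```

The parent/child rule is the most durable of the three: the registry key can change between variants, but any elevated Event Viewer process whose child is not mmc.exe is anomalous regardless of what the handler was replaced with.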
Once the ransomware has finished encrypting the PC, it will display the ransom note located on the Desktop, called README.HTML. The note will contain a unique ID which can be used to login to the payment website, a list of encrypted files, and a button that takes you to the TOR payment website. In addition, Erebus will display a message box on the Windows desktop notifying the user that their files are encrypted.
After a victim clicks the Recover my files button, they are taken to Erebus' TOR payment site, where they receive payment instructions. Currently, the ransom is set to 0.085 bitcoin, which is ~$90 USD.
Unfortunately, there is presently no known way to decrypt the locked files for free.