Erebus Ransomware Removal

I wrote this article to help you remove Erebus Ransomware. This Erebus Ransomware removal guide works for all Windows versions.

Erebus ransomware belongs to the category of Trojan cryptoviruses. The win-locker was released in September 2016. Its rate of distribution was low up until the second build. Note that it is not certain whether the current program is in fact a later version. The coding scheme, the user interface, and the files are entirely different. The current Erebus ransomware is either a complete rewrite, or it has been created by different developers. Since both variants are active and they may be independent, we will cover both of them in this article.

The first aspect we will talk about is the distribution techniques the infections use. Since the second program was just discovered, its distribution process has not been observed yet. We can only list the propagation vectors of the first version of Erebus ransomware. The furtive program is spread via the RIG exploit kit (EK). The payload can be less than 1 megabyte in size. You could contact the rogue software from different sources. Both spam emails and corrupted websites can contain the payload.

When Erebus ransomware is transferred via a spam campaign, it will be concealed in an attachment. The sender will present the file as a document and state that the matter is urgent. The purpose is to make the user open the file on impulse. This is a common old trick. You should never access a file before you have made sure it comes from a trustworthy sender. To proof the reliability of an email, check the contacts. Be advised that entering a compromised domain can be enough to allow Erebus ransomware into your computer. You need to choose your sources wisely. Do your research on the websites you have not visited before. If they are dangerous, experts would be warning about them. Note that a redirect link can also prompt a drive-by installation.

Remove Erebus Ransomware
The Erebus Ransomware

The Erebus ransomware version experts just discovered has more advanced functions. It hijacks the association for the .msc file extension. This allows the nefarious program to perform a user account control (UAC) bypass. The result is that victims are not prompted to give Erebus ransomware higher privileges. The win-locker copies itself to a file named [random].exe and places it in the same folder where the .msc file is located. It modifies the registry to have its executable launched rather than the mmc.exe file. The shady program prompts the Event Viewer (eventvwr.exe) to open the ransomware executable. Since the eventvwr.exe process runs in an elevated mode, [random].exe is also launched with higher privileges.

Erebus ransomware locks files using advanced cryptography. Both variants of the win-locker employ the RSA-2048 cipher. The current build targets 60 formats, while the previous instance encrypts 423 file types. The nefarious program generates a set of a public encryption and a private decryption key. They are unique for every infected computer. The recently found Erebus ransomware build excludes certain folders and files from the encryption. It does not touch the objects whose inability to function could lead to system failures. In addition, the current version deploys the Caesar cipher (ROT-23) to further rearrange the code scheme. The previous build appends the .ecrypt extension to the names of the locked objects, while the current adds the .msj extension.

The first build of Erebus ransomware creates a couple of ransom notes. Their names contain an error. The renegade developers have titled the documents YOUR_FILES_HAS_BEEN_ENCRYPTED.txt and YOUR_FILES_HAS_BEEN_ENCRYPTED.html. Their content is written properly. The second version drops a single ransom note on the desktop. The file is named README.html. The owners of Erebus ransomware have raised the security level by hosting the payment website on the Tor browser network. This client hides their physical location. The cyber criminals accept the ransom in bitcoins. For the second build, they have set the sum at 0.085 BTC. This converts to approximately $90 USD. Bitcoin platforms do not enable tracking which makes it impossible to identify the cyber thieves.

Analysis on Erebus ransomware has revealed that it deletes the shadow volume copies of the locked objects. A custom decrypter for the win-locker is yet to be created. This eliminates the possibility of recovering your files on your own. Although paying the ransom may be the only way to regain your files at this point in time, we do not advise you to do so. You cannot trust the people behind Erebus ransomware to make good on their end of the deal. Even if they do provide the decryption key, they could leave remnants of the win-locker on your system. A second attack could occur in the future.

Erebus Ransomware Removal

Method 1: Restore your encrypted files using ShadowExplorer
Usually, Erebus Ransomware deletes all shadow copies, stored in your computer. Luckily, the ransomware is not always able to delete the shadow copies. So your first try should be restoring the original files from shadow copies.

  1. Download ShadowExplorer from this link:
  2. Install ShadowExplorer
  3. Open ShadowExplorer and select C: drive on the left panelshadowexplorer
  4. Choose at least a month ago date from the date field
  5. Navigate to the folder with encrypted files
  6. Right-click on the encrypted file
  7. Select “Export” and choose a destination for the original file

Method 2: Restore your encrypted files by using System Restore

  1. Go to Start –> All programs –> Accessories –> System tools –> System restore
  2. Click “Nextsystem restore
  3. Choose a restore point, at least a month ago
  4. Click “Next
  5. Choose Disk C: (should be selected by default)
  6. Click “Next“. Wait for a few minutes and the restore should be done.

Method 3: Restore your files using File Recovery Software
If none of the above method works, you should try to recover encrypted files by using File Recovery Software. Since Erebus Ransomware first makes a copy of the original file, then encrypts it and deletes the original one, you can successfully restore the original, using a File Recovery Software. Here are a few free File Recovery Software programs:

  1. Recuva
  2. Puran File Recovery
  3. Disk Drill
  4. Glary Undelete

Leave a Comment

Your email address will not be published.

Time limit is exhausted. Please reload CAPTCHA.