Erebus Ransomware

Erebus Ransomware was first detected in September, 2016, but it might still sneak onto your computer today if you are not careful enough. This computer infection is categorized as ransomware because it has all the features of this type of threat: it enters computers to encrypt users’ files and then demands money from them. Unlike similar ransomware infections, this threat does not tell users to pay money immediately – you will not find this information in the ransom note. Instead, the amount of money that has to be paid for the decryption key might be provided on any of these websites (http://wsb5cxo671abtrsg.j57xi.top/ and http://nicc3j2o5rtsllvw.j57xi.top/) (they can be opened using TOR only) listed in the ransom note. Never pay money to cyber criminals who have developed a file-encrypting threat even if you need to get your files back badly because a) there are no guarantees that you will receive a tool for unlocking them, b) it might be possible to recover files without the special key they offer users to purchase, and 3) users give developers of malicious software a reason to continue creating bad software in the future. Therefore, the smartest decision would be to delete Erebus Ransomware fully and then go to recover files. You will find more information about alternative file decryption methods provided in this article.

Erebus Ransomware does not try to stay unnoticed once it is inside the system. It immediately starts encrypting files when it is inside the computer. It uses the RSA-2048 encryption algorithm to do that so that users could not crack the private key easily and unlock files without paying the required money. Unfortunately, many users decide to transfer money because they notice that all their files, except bootsect.bak, desktop.ini, iconcache.db, ntuser.dat, thumbs.db, and wallet.dat (these are mainly system files), have received a new filename extension .encrypt, meaning that they have been locked. The names of all these files are changed to a jumble of random letters and symbols too. Last but not least, the cherry on top, it deletes Shadow copies of files. Unfortunately, it means that third-party tools might not help you to get your files back. Of course, we do not say that you should not even give it a try. If you find that all third-party recovery tools do not work, you can recover files from a backup. It has not been encrypted by Erebus Ransomware only if it is located outside the system. This is your only chance to unlock files without the special key.

It does not surprise specialists at all that the majority of people do not know how Erebus Ransomware has entered their computers because this happens illegally. As research has shown, this computer infection often appears on computers when users click on malicious advertisements. In most cases, such commercials are opened on untrustworthy third-party websites or file-sharing pages. As you can see, ads might be quite dangerous too, so do not click on commercials if they are shown on third-party web pages, especially if you have doubts about the trustworthiness of a website showing these ads. Unfortunately, it is not the only way ransomware infections are distributed. It is also known that they might be dropped on computers by other malicious applications, e.g. Trojans. On top of that, they might be spread in spam emails as legitimate-looking attachments. They enter computers immediately when users open these attachments. Of course, it might be extremely hard to notice that ransomware is trying to get onto the system. To be frank, it is impossible to ensure the maximum protection of the computer without the security application, so security specialists at pcthreat.com suggest that you go to install one on your PC if it is unprotected yet.

Unfortunately, files encrypted by Erebus Ransomware will not be unlocked, but it is still advisable to remove this threat as soon as possible in order not to let it launch and encrypt new files again. The removal of this infection will definitely not be the easiest task, but you should be able to get rid of it yourself if you use the manual removal instructions provided below this report. If our instructions do not tell you much, go to scan your computer with an automatic malware remover SpyHunter. Click the Download button at the bottom of the page to get it.

Erebus Ransomware manual removal guide

1. Press Win+R.
2. Type regedit in the box you see and click OK.
3. Move to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
4. Find the Value of Erebus Ransomware, e.g. GoogleChromeAutoLaunch_[RandomSymbols].
5. Right-click on it and select Delete.
6. Close the Registry Editor and press Win+E.
7. Type %APPDATA% in the URL bar at the top and press Enter.
8. Delete the following files: [random symbols].conf, [random symbols].conf, and [random symbols].res .
9. Remove DECRYPT.txt, YOUR_FILES_HAS_BEEN_ENCRYPTED.html, and YOUR_FILES_HAS_BEEN_ENCRYPTED.txt from the following directories:

• %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup
• %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
• %USERPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
• %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
• %ALLUSERSPROFILE%\Start Menu\Programs\Startup