Danger level 7
Type: Trojans
Common infection symptoms:
  • Slow Computer
  • System crashes
  • Connects to the internet without permission
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel

Erebus 2017 Ransomware

Were your files encrypted by Erebus 2017 Ransomware? If they were, your operating system must be vulnerable, and it could be infected by other dangerous threats, if that has not happened already. There is another infection known as “Erebus Ransomware,” but you should not confuse the two, because they were created by different malware developers. The newer threat discussed in this report is far more suspicious in the way it operates. For one, it tries to bypass UAC (User Account Control), the security feature that stops you from changing system settings by accident. If the ransomware bypasses UAC, it can make unauthorized changes and start using the privileges of other programs, which, of course, can be extremely dangerous. Needless to say, the main goal behind this infection is to make you pay a ransom in return for a “unique key” that allegedly is the only thing that can decrypt your files. The purpose of this article is to help you remove Erebus 2017 Ransomware, but we have to warn you that removal will not resolve the issue of the encrypted files.

Some of the file types that Erebus 2017 Ransomware encrypts include .doc, .docx, .jpg, .ppt, and .raw. The strange thing is that the ransomware does not encrypt them using one of the more commonly used encryption methods, such as AES or RSA. Instead, it employs the ROT-23 method, which Erebus 2017 Ransomware uses to replace the targeted file’s extension with a different one. Although it is fairly easy to figure out which replacement was used, you cannot restore the file’s data by changing the extension back. Needless to say, this makes it impossible to restore the files manually. Furthermore, Erebus 2017 Ransomware deletes Volume Shadow Copies using a special command (“cmd.exe /C vssadmin delete shadows /all /quiet && exit”), which means that you cannot restore your personal files even if you have set up a system restore point. Once all of that is done, the infection displays a pop-up alert warning you about the encryption of your files and pointing you to a file called “README.html” (there should be multiple copies with different numbers appended to the name, such as “README1.html”). Because the infection tries to determine your geographical location by connecting to certain servers, it is possible that the ransom note is presented in your language.
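As an added example that is not part of the original write-up, the following Python code shows the ROT-23 extension substitution described above (and how a defender maps a renamed extension back to the original type) together with a detection check for the shadow-copy deletion command quoted in the text. The targeted extension list is the one named in this article; all filenames and command lines are constructed sample inputs.

```python
import re
import string
from typing import Optional

ROT = 23  # ROT-23: shift every letter forward by 23 places (equivalent to 3 back)

# Extensions named in the write-up as targets of the ransomware.
TARGETED = [".doc", ".docx", ".jpg", ".ppt", ".raw"]


def rot_letters(text: str, shift: int) -> str:
    """Rotate only A-Z / a-z; the leading dot, digits and punctuation are untouched."""
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            out.append(string.ascii_lowercase[(string.ascii_lowercase.index(ch) + shift) % 26])
        elif ch in string.ascii_uppercase:
            out.append(string.ascii_uppercase[(string.ascii_uppercase.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def rot23_extension(ext: str) -> str:
    """Extension as the ransomware would rename it: ROT-23 applied to the letters."""
    return rot_letters(ext, ROT)


def original_extension(ext: str) -> str:
    """Undo the renaming: shifting by 26 - 23 = 3 inverts ROT-23."""
    return rot_letters(ext, 26 - ROT)


def identify_encrypted(filename: str) -> Optional[str]:
    """Return the likely original extension if the renamed one maps back to a targeted type.

    Note: this only identifies the original type; the file contents stay encrypted.
    """
    _stem, dot, ext = filename.rpartition(".")
    if not dot:
        return None  # no extension at all
    candidate = original_extension("." + ext.lower())
    return candidate if candidate in TARGETED else None


# Any "vssadmin delete shadows" invocation is suspicious on an end-user system; the
# write-up quotes the variant with "/all /quiet" run through cmd.exe.
SHADOW_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.IGNORECASE)


def is_shadow_copy_deletion(cmdline: str) -> bool:
    """Detection check for a process command line (e.g. from Sysmon/4688 logging)."""
    return SHADOW_DELETE.search(cmdline) is not None
```

Feeding a renamed file such as a constructed `report.alz` to `identify_encrypted` returns `.doc`, while `vssadmin list shadows` is not flagged by `is_shadow_copy_deletion`.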

The ransom note presented by Erebus 2017 Ransomware informs you that you need a key to have your files decrypted. So, how do you get this key? Unfortunately, only the cyber criminals can provide it, and they want a ransom to be paid within 96 hours in return. The message includes a unique ID number that you are asked to present when you pay the ransom at http://erebus5743lnq6db.onion. To access this website, you might have to download the Tor Browser, which is not malicious itself but enables access to sites that regular browsers cannot reach. The sum of the ransom can vary, but it should be around 0.1 Bitcoin, which, at the time of research, was around 100 USD. Should you pay this ransom? That is up to you, but we have to warn you that the cyber crooks behind this infection could keep the key to themselves even after you pay. After all, cyber crooks are unpredictable.

The instructions we have created show how to delete Erebus 2017 Ransomware from your operating system manually. Unfortunately, some of the steps are pretty vague because the main launcher of the infection, which is the main thing you need to worry about, can have a random name, and its location is unknown as well. If you are unable to locate and eliminate the malicious components manually, do not waste your time, especially when there is a chance that you could make mistakes. Luckily, an automated malware detection and removal tool can eliminate Erebus 2017 Ransomware from your operating system in no time. Even better, it can also erase other active threats that might have invaded your computer previously; one of these threats might be responsible for the infiltration of the ransomware itself.

Manual Removal

  1. Launch Windows Explorer by tapping Win+E keys.
  2. Enter %UserProfile% into the address bar at the top.
  3. Right-click and Delete the [random].exe file created by the ransomware (might not exist in your case).
  4. Launch RUN by tapping Win+R keys.
  5. Enter regedit.exe and click OK to access Registry Editor.
  6. Move to HKCU\Software\Classes\mscfile\shell\open\command.
  7. Right-click the value that represents the [random].exe file (again, it might not exist) and select Delete.
  8. Now check every location where the malicious [random name].exe file (the launcher) might be, including the Temp, Downloads, and Desktop folders, and Delete it (if you cannot find it, try using a malware scanner).
  9. Right-click and Delete the file called README.html on the Desktop.
  10. Empty Recycle Bin to get rid of any ransomware-related files.
  11. Install a malware scanner to inspect your operating system and check for potential leftovers.