February 08, 2017
A sample of a potentially new ransomware called Erebus has been discovered by MalwareHunterTeam on VirusTotal. I say that this is a potentially new ransomware because TrendMicro had reported another ransomware using the same name was previously released back in September 2016. Though I do not have a sample of the original Erebus, from its outward characteristics, the one discovered today looks like either a complete rewrite or a new ransomware using the same name..
While at this time, it is not currently known how Erebus is being distributed, analysis of the ransomware shows some interesting features. The first, and most noticeable features, is the low ransom amount of ~$90 USD being requested by the ransomware. Another interesting features is its use of a UAC bypass that allows the ransomware to run at elevated privileges without displaying a UAC prompt.
Erebus performs a UAC Bypass by Hijacking the MSC File Association
When the installer for Erebus is executed, it will also utilize a User Account Control (UAC) bypass method so that victim's will not be prompted to allow the program to run at higher privileges. It does this by copying itself to a random named file in the same folder. It will then modify the Windows registry in order to hijack the association for the .msc file extension so that it will launch the random named Erebus executed instead.
The hijacked keys are shown below.
Erebus will then execute eventvwr.exe (Event Viewer), which in turn will automatically open the eventvwr.msc file. As the .msc file is no longer associated with mmc.exe, but now with the random named Erebus executable, Event Viewer will launch Erebus instead. As Event Viewer runs in a elevated mode, the launched Erebus executable will also launch with the same privileges. This allows it to bypass User Account Control.
A big thanks to MalwareHunterTeam for pointing out the article that describes this bypass.
How Erebus Encrypts a Computer
When Erebus is executed it will connect to http://ipecho.net/plain and http://ipinfo.io/country in order to determine the victim's IP address and country that they are located in. It will then download a TOR client and use it to connect to the site's Command & Control server.
Erebus will then begin to scan the victim's computer and search for certain file types. When it detects a targeted file type, it will encrypt the file using AES encryption. The current list of targeted files are:
When Erebus encrypts a file, it will encrypt the extension using ROT-23. For example, a file called test.jpg would be encrypted and renamed as test.msj.
During this process, Erebus will also clear the Windows Volume Shadow Copies so that they cannot be used to recover files. The command executed to clear the shadow copies is:
When it has finished encrypting the computer, it will display the ransom note located on the Desktop called README.HTML. This ransom note will contain a unique ID that can be used to login to the payment site, a list of encrypted files, and a button that takes you to the TOR payment site.
Erebus Ransomware Ransom Note
Erebus will also display a message box on the Windows desktop alerting the victim that their files are encrypted.
Message Box Alert
When a victim clicks on the Recover my files button, they will be brought to Erebus' TOR payment site where they can get payment instructions. At this time the ransom amount is set to .085 bitcoins, which is approximately $90 USD.
Eerebus Ransomware Payment Site
Unfortunately, at this time there is no way to decrypt files encrypted by Erebus for free. For those who wish to discuss this ransomware or receive support, you can use our dedicated help topic: Erebus Ransomware Support & Help Topic.
Associated Erebus Ransomware Files:
Registry entries associated with the Erebus Ransomware
Message Box Alert Text:
Ransom Note Text: