
Erebus Ransomware

Posted: January 4, 2017

Threat Metric

Threat Level: 8/10
Infected PCs: 84
First Seen: January 4, 2017
Last Seen: April 11, 2022
OS(es) Affected: Windows

Ransomware authors have lately taken to naming their crypto-threat creations after gods and goddesses. After the Locky Ransomware's operators released variants such as the Osiris Ransomware and the '.thor File Extension' Ransomware, an anonymous group of cybercrooks has followed in their footsteps by releasing the Erebus Ransomware, a threat named after the Greek god of darkness. The Erebus Ransomware is a typical crypto-threat: it applies strong encryption to every file that matches its encryption criteria and then demands a ransom fee whose amount may vary.

The authors of the Erebus Ransomware seem to be a bit more advanced than most ransomware operators we see these days, because they have taken the time to set up unique payment pages hosted on the Tor network, which makes their harmful operation more anonymous and therefore harder to trace back to them. When the Erebus Ransomware infiltrates a computer successfully, it may perform several actions that ensure the threat stays active after the computer has been restarted, so that users will not be able to get rid of it without the help of credible anti-malware software. Every file that the Erebus Ransomware encrypts also has its file extension modified to '.ecrypt' (e.g. 'document.txt' becomes 'document.txt.ecrypt'). One peculiar thing about the Erebus Ransomware is that it does not encrypt specific files or folders that are related to important Windows services or applications. It is also worth noting that it leaves files named 'wallet.dat' unharmed, since they are usually used to store information about the victim's Bitcoin wallet, and without it the victim might not be able to complete the payment.

The Erebus Ransomware leaves its ransom message in a single file called 'YOUR_FILES_HAS_BEEN_ENCRYPTED.txt,' which is usually stored on the victim's desktop. The ransom note is quite long, and it tells users that their files have been securely encrypted with an RSA-2048 key, which is stored only on a secret server under the control of the attackers. This key is required for file decryption, and the only way to get it is to follow the ransomware operators' demands. The victim is then asked to download the Tor browser and visit the payment page, where they have to provide the unique machine ID found in the ransom note, and in return they are told how much they have to pay for decryption. Usually, crypto-threat operators demand 0.5 to 1.5 Bitcoins in exchange for the decryption instructions, but there is no guarantee that the Erebus Ransomware will not be an exception that requires more or less money. Regardless of the sum that the Erebus Ransomware asks victims to pay, we assure users that this is not a reliable way to solve the problem. The Erebus Ransomware's authors offer no guarantee that users will get their data back, and it will not be a major surprise if they end up taking the victim's money without fulfilling their end of the deal.

Having your files locked by the Erebus Ransomware is certainly not an enjoyable thing, especially if you don't have a recent backup that you can use to recover your data. If a backup is not available, then your best shot is to run an anti-malware utility that can fully remove the corrupted files and Registry entries that brought the Erebus Ransomware to your computer. Although this method is not guaranteed to work, some users might be able to recover their files partially by using file recovery software suites. It is also recommended to back up all '.ecrypt' files, since you may need them if a free decryptor for the Erebus Ransomware gets released in the future.
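As an added example that is not part of this write-up or the threat's own code, the small triage script below inventories the on-disk artifacts described above (the appended '.ecrypt' suffix and the ransom note file name) and copies the encrypted files aside, as the backup advice recommends. The victim directory layout and file names in the demo are constructed for an offline dry run.

```python
import shutil
import tempfile
from pathlib import Path

ENCRYPTED_SUFFIX = ".ecrypt"                       # extension appended to each encrypted file
RANSOM_NOTE = "YOUR_FILES_HAS_BEEN_ENCRYPTED.txt"  # ransom note file name from the write-up


def original_name(encrypted: Path) -> str:
    """'document.txt.ecrypt' -> 'document.txt' (the suffix is appended, not swapped)."""
    return encrypted.name[:-len(ENCRYPTED_SUFFIX)]


def inventory(root) -> dict:
    """Walk `root` and list the encrypted files and ransom notes it contains."""
    encrypted, notes = [], []
    for path in Path(root).rglob("*"):
        if path.name.endswith(ENCRYPTED_SUFFIX):
            encrypted.append(path)
        elif path.name == RANSOM_NOTE:
            notes.append(path)
    return {"encrypted": sorted(encrypted), "notes": sorted(notes)}


def preserve_encrypted(root, dest) -> int:
    """Copy every '.ecrypt' file under `root` into `dest`, keeping the relative layout,
    so the ciphertext survives cleanup. Returns the number of files copied."""
    root, dest = Path(root), Path(dest)
    copied = 0
    for path in inventory(root)["encrypted"]:
        target = dest / path.relative_to(root)
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)  # copy2 keeps timestamps for the incident timeline
        copied += 1
    return copied


def run_demo() -> dict:
    """Build a constructed sample tree (not real malware output) and triage it."""
    base = Path(tempfile.mkdtemp())
    victim, backup = base / "victim", base / "backup"
    (victim / "Documents").mkdir(parents=True)
    (victim / "Documents" / "report.docx.ecrypt").write_bytes(b"\x00ciphertext\x00")
    (victim / "photo.jpg.ecrypt").write_bytes(b"\x00ciphertext\x00")
    (victim / "wallet.dat").write_bytes(b"left alone, as the write-up notes")
    (victim / RANSOM_NOTE).write_text("constructed ransom note placeholder\n")
    found = inventory(victim)
    return {"originals": [original_name(p) for p in found["encrypted"]],
            "notes": len(found["notes"]), "copied": preserve_encrypted(victim, backup),
            "backup_ok": (backup / "Documents" / "report.docx.ecrypt").exists()}
```

Point `inventory` and `preserve_encrypted` at the real user profile and a clean destination to get the same listing and copy for an actual incident.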

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:



dir\name.exe File name: name.exe
Size: 1.24 MB (1249280 bytes)
MD5: 0ced87772881b63caf95f1d828ba40c5
Detection count: 5
File type: Executable File
Mime Type: unknown/exe
Path: dir
Group: Malware file
Last Updated: April 11, 2022
