ERIS Ransomware

The ERIS Ransomware is a threatening file-encryption Trojan that appears to be active in Australia currently, but it is likely that its operators will target other regions as well. Naturally, the purpose of the file-locker is to encrypt a large fraction of its victim’s files, and then offer to provide them with a recovery tool in exchange for money. The files that the ERIS Ransomware locks are easy to recognize because of the ‘.ERIS’ extension that the locker will add to their name – for example, the encrypted variant of the file ‘backup.sql’ would be named ‘backup.sql.ERIS.’

After the attack is finished, the ERIS Ransomware drops a ransom note via the file ‘@ READ ME TO RECOVER FILES@.txt,’ which supplies the victim with information about the attack, as well as with payment and contact details. The attackers use the email erisfixer@tuta.io for contact, and state that they want to receive all ransom payments via Bitcoin – an anonymous and secure cryptocurrency payment option.

The perpetrators also promise to decrypt one small file for free to prove that their decryption software is real and working. While we advise you to accept this offer and get one of your files back, we would not advise you to pay any money to the ERIS Ransomware’s authors – they will use the funds to develop more threatening malware, and there is always a chance that they may not provide you with the decryptor you were promised.

Unfortunately, there is no free way to restore the files locked by the ERIS Ransomware – the only viable recovery option is to restore the files from a recent backup. If you are a victim of this file-locker and you do not have a reserve copy of your files, then you may need to try the services of data recovery software. Keep in mind that data recovery tools might be able to undo some of the damage, but it is unlikely that they will restore all files marked with the ‘.ERIS’ extension.