Erebus 2017 Ransomware

What is Erebus 2017 Ransomware?

Erebus 2017 Ransomware is a new malicious application that encrypts files. Some specialists say that it is an updated version of Erebus Ransomware, which malware analysts spotted some time ago, but it is more likely that it belongs to another creator. Even if it does turn out to be a new version of Erebus Ransomware, Erebus 2017 Ransomware does not share many similarities with the old version. Of course, like every threat in the ransomware category, it encrypts users’ files. Judging from the long list of filename extensions it targets, users can no longer access Word documents, pictures, text files, slides, and other valuable files once the encryption process has run. Even though this file-encrypting threat does not append an extension of its own to encrypted files, the original extensions of the encrypted data are still changed using the ROT-23 method. This is a simple letter-substitution cipher in which every letter of the extension is shifted by a fixed number of positions, so, for example, the original icon_128.png becomes icon_128.sqj. Ransomware infections rarely use this method to alter the extensions of the files they encrypt, which makes Erebus 2017 Ransomware quite a unique ransomware infection. Of course, being new and unique does not make this file-encrypting threat any less harmful, so your top priority now should be to delete the infection fully from the system.
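The ROT-23 extension substitution described above, as an added example that is not from the original article: a small Python helper that recovers the original extension from an encrypted file name (and shows the forward substitution), which is useful for triaging which file types on a machine were hit. The file names in the sample listing are constructed, not real indicators.

```python
import string
from collections import Counter
from pathlib import PurePath

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase


def rot(text: str, shift: int) -> str:
    """Shift every ASCII letter by `shift` positions, wrapping within the alphabet.
    Digits and punctuation are left untouched, so 'mp4' keeps its '4'."""
    out = []
    for ch in text:
        if ch in LOWER:
            out.append(LOWER[(LOWER.index(ch) + shift) % 26])
        elif ch in UPPER:
            out.append(UPPER[(UPPER.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def substituted_extension(original_name: str) -> str:
    """Forward direction seen on the encrypted files: 'png' -> 'sqj'.
    A +3 shift is the inverse of ROT-23, so ROT-23 undoes it."""
    return rot(PurePath(original_name).suffix.lstrip("."), 3)


def original_extension(encrypted_name: str) -> str:
    """Recover the pre-encryption extension by applying ROT-23: 'sqj' -> 'png'."""
    return rot(PurePath(encrypted_name).suffix.lstrip("."), 23)


def triage_extensions(encrypted_names) -> Counter:
    """Tally the recovered original extensions over a directory listing taken
    from an infected machine, to see which file types were affected."""
    return Counter(original_extension(name) for name in encrypted_names)


# Constructed sample listing (not real indicators): three encrypted files.
SAMPLE_LISTING = ["icon_128.sqj", "budget.grfa", "holiday.msj"]

if __name__ == "__main__":
    for name in SAMPLE_LISTING:
        print(f"{name} -> original extension .{original_extension(name)}")
    print(triage_extensions(SAMPLE_LISTING))
```

Recovering the extension only tells you what kind of file was encrypted; the file contents remain encrypted.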

What does Erebus 2017 Ransomware do?

Erebus 2017 Ransomware has been categorized as ransomware not without reason, of course. It bypasses User Account Control and then starts encrypting users’ files. The process finishes when a pop-up window titled Files crypted! appears. It informs users that all files stored on the computer have been encrypted and that they should open a file called README.html for more information on decrypting their personal files. There, users learn that a “unique key” generated for the computer has been used to lock the files, and that “it is impossible to recover your files without this key.” Of course, the cyber criminals behind Erebus 2017 Ransomware offer to sell users this decryption key: they must visit http://erebus5743lnq6db.onion via the TOR browser this infection installs and then pay the required amount of money within 96 hours. The price of the key depends on the number of files locked, but it should be about ~0.11 Bitcoin (~112 USD). Unfortunately, sending money to the cyber criminals might be the only way to get files back if you do not have copies stored on an external device, because Erebus 2017 Ransomware also deletes Windows Volume Shadow Copies to make sure that users cannot restore their files using third-party software. Of course, specialists cannot promise that all victims will receive decryption keys after sending money. It is up to you whether or not to spend money on a key that you might not even get, but keep in mind that specialists do not think it is a good idea.

Users’ files will not be unlocked if Erebus 2017 Ransomware is fully removed, but it is still advisable to do that so that it could not reach new files and encrypt them again. Also, it has been found that this malicious application keeps connecting to altus.ip-connect.net.ua and lh25627.voxility.net:9001 constantly, meaning that it uses the Internet connection without a user’s consent and might slow it down. The deletion of this infection is the only way to put an end to this activity. Unfortunately, Erebus 2017 Ransomware is not the only file-encrypting infection that is spread through the web these days, so the installation of a reputable security tool after the elimination of Erebus 2017 Ransomware is highly recommended.

Where does Erebus 2017 Ransomware come from?

There is not that much information about the distribution of this threat, but, according to security specialists working at anti-spyware-101.com, it should not differ from the dissemination method used to spread similar infections. Specifically speaking, it should enter computers illegally, most probably, when users open spam email attachments. Of course, ransomware infections might be hiding on corrupted third-party websites too. Last but not least, they might be dropped by other malicious applications on the system, e.g. Trojans. Being cautious and surfing the web carefully is a key to a clean computer.

How to delete Erebus 2017 Ransomware

The removal of Erebus 2017 Ransomware will not be easy because it installs the TOR application, places an executable file in %UserProfile%, and, finally, might create a suspicious Value in the system registry and add malicious processes. Users who decide to erase this threat manually have to undo those modifications applied on their computers themselves. Of course, users can delete this ransomware infection automatically too. In the opinion of specialists, less experienced users should leave the removal process for a reputable scanner, e.g. SpyHunter because leaving components of ransomware on the system might result in its revival and loss of important files again.

Remove Erebus 2017 Ransomware manually

  1. Press Win+E simultaneously to open the Windows Explorer.
  2. Visit %AppData% and %Temp% directories.
  3. Delete tor and tor.zip (it is located in %Temp% only) from there.
  4. Press Win+R and type regedit in the box. Tap Enter.
  5. Go to HKLM\Software\Classes\mscfile\shell\open\command.
  6. Locate the random name Value, right-click on it, and select Delete.
  7. Press Ctrl+Shift+Esc to open the Task Manager and kill suspicious processes (right-click on the ransomware process and click End Process), if there are any.
  8. After killing processes that might belong to ransomware, delete recently downloaded suspicious files. They might be located in %Temp%, %AppData%, %UserProfile%\Downloads, and/or %UserProfile%\Desktop.
  9. Empty the Recycle bin.
  10. Restart your computer.