Erebus 2017 Ransomware Virus (Removal Steps and Protection Updates)

Security experts discovered a new virus called Erebus 2017 ransomware which is descendant from the original Erebus malware, continue reading our removal guide to find out more about it.


Name
Erebus 2017 Ransomware

File Extensions
.***

Ransom
0.085 Bitcoins

Solution #1
You can skip all steps and remove Erebus 2017 Ransomware with the help of an anti-malware tool.

Solution #2
Erebus 2017 Ransomware ransomware can be removed manually, though it can be very hard for most home users. See the detailed tutorial below.

Distribution
Spam Email Campaigns, malicious ads & etc.

Erebus 2017 Ransomware Description

The Erebus 2017 ransomware strain has emerged, from the name we can see that this is a descendant of the core Erebus threat which was identified a few weeks ago.

The security analysis that this is different virus and it introduces significant code changes. At the moment the security analysis is still ongoing. However from the preliminary observation we can conclude that it comes with several dangerous features.

  • The malware is able manipulate various processes – spawning, querying and extracting information about them.
  • The virus engine can query the Internet cache settings, a strategy often used to hide the malicious footprints in the index.dat or the Internet cache.
  • Erebus 2017 is able to scan for any installed or running security software solutions.
  • The virus is able to modify configuration files, drop files, delete data and execute various processes.
  • The creators of the virus can use it to execute arbitrary commands on the infected hosts.
  • Network communications with the remote C&C servers allow for remote control and spying.

The Erebus 2017 ransomware also deletes all Shadow Volume Copies which makes data recovery very difficult.

As usual the ransomware encrypts target user data which includes the most popular file type extensions – documents, photos, music, configuration files, backup images and etc. All affected data receive the .*** extension.

The following ransomware note is crafted and displayed to the victims:

Your files are still Encrypted
Your files have been Encrypted and are unusable unless you purchase a decryption key. The key will be deleted in 96 hours.
you still have 95 hours 59 minutes 50 seconds before the key deletion, once the key is destroyed, you will not be able to recover your files
Pay via Bitcoin
To buy the private key (decryption key) and decrytor you will need some bitcoins.
Bitcoin is a currency, just like dollars and euros but entirely on the internet.
1 : Get a wallet
Just like in real life you need a wallet to hołd your coins when you’ll buy them
we suggest https://blockchain.info/ it’s a website easy to use, you’ll be set in no time!
2 : Buy some bitcoins
Depending on your country you can buy them using various ways (paypal/credit card/ cash etc).
Look at this website https://www.buybitcoinworldwide.com to find where to buy some or just search on google yourslef.
Note that one of the fastest and easiest way is via https://localbitcoins.com/ because you buy bitcoins directly to other people.
you could have a meeting tomorrow and buy them using cash instantly.
3 : Payment
you need to buy 0,085 btc (bitcoins) and send them to this address : [redacted] once you’ve paid, wait a bit. the process can take up to 24 hours for us to check the payment. Then, you will recieve on this same page your private key and a link to the decryption program that will automatically decrypt all your files so you can use them as before
you still have 0.085 bitcoins left to pay

Data crypted
Every important file (documents, photos, videos etc) on this computer has been encrypted using an unique key for this computer.
It is impossible to recover your files without this key. You can try to open them they won’t work and will stay that way.
That is, unless you buy a decryption key and decrypt your files.
Click ‘recover my files’ below to go to the website allowing you to buy the key.
From now on you have 96 hours to recover the key after this time it will be deleted and your files will stay unusable forever
Your id is : ***
” you can find this page on your desktop and document folder
Use it to if the button below doesn’t work you need to download a web browser called ‘tor browser’ download by clicking here then install the browser, it’s like chrome, firefox or internet explorer except it allows you to browse to special websites.
once it’s launched browse to
button ‘Recover my files’
Crypted Files :

Hello, please enter your id
‘Submit’

All network traffic from and to the remote C&C servers is encrypted with SSL.

Erebus 2017 Ransomware Distribution

The Erebus 2017 is primarily distributed using the most popular infection methods:

  • Software Bundles – Many viruses are bundled with software downloaded from the Internet. In some cases the user may opt to remove them from the installation package by unticking a certain box. Such bundles are frequently found on untrusted or hacked download sites and P2P networks like Bittorrent.
  • Email Messages – Hackers can use spam messages that contain the virus samples directly attached to them or link it in the body text. The criminal operators may opt to use social engineering tricks and disguise the virus as an important document.
  • Dangerous Redirects Malicious ads, browser hijackers and hacked sites can also lead to virus infections.

The C&C servers that distribute the virus have been identified in the following countries – The USA, France, Italy, Albania and Ukraine.

Erebus 2017 Ransomware – How To Remove it and Prevent It From Coming Back

There are two ways of removal:

Erebus 2017 Ransomware Ransomware Removal

For a faster solution, you can run a scan with an advanced malware removal tool and delete Erebus 2017 Ransomware completely with a few mouse clicks.

STEP I: Start the PC in Safe Mode with Network
This will isolate all files and objects created by the ransomware so they will be removed efficiently.

    1) Hit WIN Key + R

Windows-key-plus-R-button-launch-Run-Box-in-Windows-illustrated

    2) A Run window will appear. In it, write “msconfig” and then press Enter
    3) A Configuration box shall appear. In it Choose the tab named “Boot
    4) Mark “Safe Boot” option and then go to “Network” under it to tick it too
    5) Apply -> OK

Or check our video guide – “How to start PC in Safe Mode with Networking

STEP II: Show Hidden Files

    1) Open My Computer/This PC
    2) Windows 7

      – Click on “Organize” button
      – Select “Folder and search options
      – Select the “View” tab
      – Go under “Hidden files and folders” and mark “Show hidden files and folders” option

    3) Windows 8/ 10

      – Open “View” tab
      – Mark “Hidden items” option

    show-hidden-files-win8-10

    4) Click “Apply” and then “OK” button

STEP III: Enter Windows Task Manager and Stop Malicious Processes

    1) Hit the following key combination: CTRL+SHIFT+ESC
    2) Get over to “Processes
    3) When you find suspicious process right click on it and select “Open File Location
    4) Go back to Task Manager and end the malicious process. Right click on it again and choose “End Process
    5) Next you should go folder where the malicious file is located and delete it

STEP IV: Remove Completely Erebus 2017 Ransomware Ransomware Using SpyHunter Anti-Malware Tool

Manual removal of Erebus 2017 Ransomware requires being familiar with system files and registries. Removal of any important data can lead to permanent system damage. Prevent this troublesome effect – delete Erebus 2017 Ransomware ransomware with SpyHunter malware removal tool.

SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter

STEP V: Repair Windows Registry

    1) Again type simultaneously the Windows Button + R key combination
    2) In the box, write “regedit”(without the inverted commas) and hit Enter
    3) Type the CTRL+F and then write the malicious name in the search type field to locate the malicious executable
    4) In case you have discovered registry keys and values related to the name, you should delete them, but be careful not to delete legitimate keys

Further help for Windows Registry repair

STEP VI: Recover Encrypted Files

    1) Use present backups
    2) Restore your personal files using File History

      – Hit WIN Key
      – Type “restore your files” in the search box
      – Select “Restore your files with File History
      – Choose a folder or type the name of the file in the search bar

    restore-your-personal-files-using-File-History-bestecuritysearch

      – Hit the “Restore” button

    3) Using System Restore Point

      – Hit WIN Key
      – Select “Open System Restore” and follow the steps

restore-files-using-system-restore-point

STEP VII: Preventive Security Measures

    1) Enable and properly configure your Firewall.
    2) Install and maintain reliable anti-malware software.
    3) Secure your web browser.
    4) Check regularly for available software updates and apply them.
    5) Disable macros in Office documents.
    6) Use strong passwords.
    7) Don’t open attachments or click on links unless you’re certain they’re safe.
    8) Backup regularly your data.

SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter

Was this content helpful?

Avatar

Author : Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.


Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *