Erebus targets the Windows OS, and its method of distribution is currently unknown. Once a system is infected, the Erebus installer utilizes a User Account Control (UAC) bypass method to prevent the system from displaying a prompt asking for elevated privileges. It then modifies the Windows registry and changes the .msc file association to launch the Erebus executable. Erebus then launches the Event Viewer (eventvwr.exe), which opens the eventvwr.msc file, launching the ransomware executable with elevated privileges. Once executed, it connects to http://ipecho.net/plain and http://ipinfo.io/country and attempts to identify both the victim’s IP address and location. It then downloads a TOR client and connects to its C2 server. Erebus scans the infected computer for specific file types and then encrypts them using AES encryption. It renames encrypted files by applying ROT-23 to the file extension. It deletes Shadow Volume Copies to prevent the victim from restoring files. Once those processes are finished, Erebus drops a ransom note named README.HTML that displays a unique victim ID, a list of encrypted files, and a button that redirects the victim to the TOR payment site. It also displays a pop-up alerting the victim to the fact that their files were encrypted. The ransom payment demand is .085 Bitcoin or approximately $90 USD (as of 2/7/2017).
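As an added illustration from the defender's side (not part of the NJCCIC profile and not Erebus code), the Python below models two of the behaviours described above: it inverts the ROT-23 extension rename so encrypted files can be recognised by their original type, and it flags the two host signals of the .msc handler hijack, a write to the per-user .msc handler key and eventvwr.exe spawning something other than mmc.exe. The registry key location, the simplified Sysmon-like field names and the sample events are assumptions or constructed data; the profile itself names none of them.

```python
import string
LOWER, UPPER = string.ascii_lowercase, string.ascii_uppercase

def rot(text: str, shift: int) -> str:
    """Caesar-shift ASCII letters by `shift`; dots, digits and other characters pass through."""
    out = []
    for ch in text:
        base = LOWER if ch in LOWER else UPPER if ch in UPPER else None
        out.append(base[(base.index(ch) + shift) % 26] if base else ch)
    return "".join(out)

def recover_extension(enc_ext: str) -> str:
    """Erebus applies ROT-23 (a shift of -3) to the extension; shifting +3 inverts it."""
    return rot(enc_ext, 3)

COMMON_EXTS = {".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".zip"}

def suspicious_renames(filenames):
    """Return (name, recovered_ext) for files whose extension is the ROT-23 image of a common type."""
    hits = []
    for name in filenames:
        ext = name[name.rfind("."):].lower() if "." in name else ""
        original = recover_extension(ext)
        if original in COMMON_EXTS:
            hits.append((name, original))
    return hits

# Assumed location of the per-user .msc handler; the profile above does not name the key.
MSC_HANDLER_KEY = r"HKCU\Software\Classes\mscfile\shell\open\command"
def hijack_alerts(events):
    """Flag writes to the per-user .msc handler and eventvwr.exe spawning anything but mmc.exe."""
    alerts = []
    for ev in events:
        if ev["type"] == "registry_set" and ev["key"].lower() == MSC_HANDLER_KEY.lower():
            alerts.append(f"msc handler hijack by {ev['image']} -> {ev['value']}")
        elif (ev["type"] == "process_create"
              and ev["parent"].lower().endswith("eventvwr.exe")
              and not ev["image"].lower().endswith("mmc.exe")):
            alerts.append(f"eventvwr.exe spawned {ev['image']}")
    return alerts

# Constructed sample events (simplified Sysmon-like records), not taken from a real incident.
SAMPLE_EVENTS = [
    {"type": "registry_set", "image": r"C:\Users\victim\Downloads\setup.exe",
     "key": MSC_HANDLER_KEY, "value": r"C:\Users\victim\AppData\Roaming\erb.exe"},
    {"type": "process_create", "parent": r"C:\Windows\System32\eventvwr.exe",
     "image": r"C:\Windows\System32\mmc.exe"},
    {"type": "process_create", "parent": r"C:\Windows\System32\eventvwr.exe",
     "image": r"C:\Users\victim\AppData\Roaming\erb.exe"},
]
```

Calling `suspicious_renames(["report.alzu", "photo.gmd"])` recovers `.docx` and `.jpg`, and `hijack_alerts(SAMPLE_EVENTS)` returns two alerts while ignoring the normal eventvwr.exe to mmc.exe launch.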
UPDATE 6/15/2017: Trend Micro discovered that Erebus is now capable of infecting systems and servers running the Linux operating system, after it was observed impacting 153 Linux-based servers of NAYANA, a South Korean web-hosting company. The hackers behind this campaign initially demanded a ransom payment of 550 Bitcoin (~$1.62 million) from the company. However, NAYANA was able to negotiate the ransom payment down to 397.6 Bitcoin (~$1.01 million), to be paid in installments. Researchers believe that the hackers exploited known vulnerabilities in outdated Linux kernels, Apache versions, and PHP versions.
- Bleeping Computer provides more information on Erebus here.
- The NJCCIC is not currently aware of any free decryption tool available for Erebus.