Erebus targets the Windows OS and its method of distribution is currently unknown. Once a system is infected, the Erebus installer utilizes a User Account Control (UAC) bypass method to prevent the system from displaying a prompt asking for elevated privileges. It then modifies the Windows registry and changes the .msc file association to launch the Erebus executable. Erebus then launches the Event Viewer (eventvwr.exe), which in turn opens the eventvwr.msc file, launching the ransomware executable with elevated privileges. Once executed, it connects to http://ipecho.net/plain and http://ipinfo.io/country and attempts to identify both the victim’s IP address and location. It then downloads a TOR client and connects to its C2 server. Erebus scans the infected computer for specific file types and then encrypts them using AES encryption. It changes the file extension on encrypted file names by applying ROT-23. It prevents file restoration by the victim by deleting Shadow Volume Copies. Once those processes are finished, Erebus drops a ransom note named README.HTML that displays a unique victim ID, a list of encrypted files, and a button that redirects the victim to the TOR payment site. It also displays a pop-up alerting the victim to the fact that their files were encrypted. The ransom payment demand is 0.085 Bitcoin or approximately $90 USD (as of 2/7/2017).
- Bleeping Computer provides more information on Erebus here.
- The NJCCIC is not currently aware of any free decryption tool available for Erebus.
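The two behaviours above that a responder can act on offline, as an added example (not NJCCIC's or Bleeping Computer's code): undoing the ROT-23 extension change to see which file types were encrypted, and flagging registry writes to the .msc file-association command key. The key path is an assumption (the per-user `mscfile\shell\open\command` key publicly documented for the eventvwr.exe UAC bypass); the profile itself only says ".msc file association", and the log lines are constructed in a Sysmon-like layout.

```python
import re
from pathlib import PureWindowsPath

def caesar(text: str, shift: int) -> str:
    """Rotate ASCII letters by `shift`; non-letters (e.g. the dot) pass through."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - 97 + shift) % 26 + 97))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - 65 + shift) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)

def erebus_rename(filename: str) -> str:
    """The ROT-23 extension change the profile describes: report.doc -> report.alz."""
    p = PureWindowsPath(filename)
    return p.stem + caesar(p.suffix, 23)

def original_name(encrypted: str) -> str:
    """Invert it: ROT-23 undone is a shift of 3, recovering the original file type."""
    p = PureWindowsPath(encrypted)
    return p.stem + caesar(p.suffix, 3)

# Assumed key path (see lead-in); a SetValue on it by a user-land binary is the
# precondition for the eventvwr.exe elevation the profile describes.
MSC_HIJACK = re.compile(r"\\Classes\\mscfile\\shell\\open\\command", re.IGNORECASE)

def find_msc_hijack(log_lines):
    """Return (TargetObject, Details) for every registry-set line touching the key."""
    hits = []
    for line in log_lines:
        if not MSC_HIJACK.search(line):
            continue
        fields = dict(re.findall(r"(\w+)=(\S+)", line))  # key=value tokens, no spaces in values
        hits.append((fields.get("TargetObject", ""), fields.get("Details", "")))
    return hits

# Constructed sample, Sysmon Event ID 13 (RegistryEvent SetValue) style; not real telemetry.
SAMPLE_LOG = [
    r"EventID=13 Image=C:\Users\victim\Downloads\invoice.exe TargetObject=HKU\S-1-5-21-1-1-1-1001\Software\Classes\mscfile\shell\open\command\(Default) Details=C:\Users\victim\AppData\Local\Temp\erebus.exe",
    r"EventID=13 Image=C:\Windows\System32\svchost.exe TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive Details=C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
]

if __name__ == "__main__":
    print(original_name("report.alz"))   # report.doc
    print(find_msc_hijack(SAMPLE_LOG))   # one hit, the erebus.exe write
```

Only the first sample line matches, because the Run-key write in the second line is ordinary persistence rather than the association hijack.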