Erebus 2017 Ransomware Removal Guide

Threat Level: 9/10
Category: Trojans

Erebus 2017 Ransomware does not enter computers with good intentions. The first thing it does after infiltrating a computer and bypassing its UAC (User Account Control) security feature is to search for files with such filename extensions as .crw, .doc, .jpg, .kdc, .mdf, .txt, .wpd, .xlk, .wps, .xlsm, .odp, .pef, .pfx, .png, .ppt, and others. Once these files are located, the encryption process starts. Users do not know what is happening on their PCs until they see a pop-up window saying that “every important file on this computer was encrypted.” Encrypting users’ personal files is the activity that places this malicious application in the ransomware category. Like other infections labelled “ransomware”, it does not act like this without reason: cyber criminals have developed this file-encrypting infection so that they can easily obtain money from users. Sending money to the authors of this threat in the expectation that they will hand over the decryption key is not recommended, because even though they promise to provide the key immediately after receiving payment, there is no guarantee that it will ever be sent. No refund will be issued either, which means that not only the files but also the money will be lost forever.

Erebus 2017 Ransomware makes one important modification in the system registry so that it can start with the same privileges as Event Viewer (a component of the Windows OS) and, consequently, bypass User Account Control. Specifically, it creates a Value with a random name in HKCU\Software\Classes\mscfile\shell\open\command containing the Value data %UserProfile%\[random].exe. After the successful infiltration, it immediately starts encrypting users’ files. Unlike similar computer infections, it does not append a new filename extension to encrypted files. Instead, the ROT-23 letter substitution cipher is used to change the extensions of encrypted files, so the new extension depends on the original one; for instance, files with the original .txt extension receive the .waw extension. After encrypting the most valuable files, this ransomware infection creates ransom notes named README.html in all places on the affected computer. This file tells users what they can do to get their files decrypted. As could be expected, the decryption key has to be purchased within 96 hours to unlock the files encrypted by Erebus 2017 Ransomware. More information about the payment is provided on the page http://erebus5743lnq6db.onion (it can be opened from README.html). Evidently, users need to purchase the decryption key to unlock their files. The price of this key depends on the number of files encrypted, but it should be about 0.11 Bitcoin, approximately $120. You can take the risk and pay for the decryption key, or you can recover files from a backup after fully deleting Erebus 2017 Ransomware from the computer. What you do is up to you, but do not forget to remove this ransomware infection whatever you decide.
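As an added example (not code from the original article), the following Python reproduces the extension substitution described above and its inverse for triage of encrypted files: a forward shift of three letters turns .txt into .waw exactly as the article states, and ROT-23 (a shift of 23) is the inverse of that shift, so applying it to an encrypted extension recovers the original one. The classify helper and its use of the article's extension list are assumptions added here.

```python
# Added example, not from the original article: the ROT-style letter
# substitution Erebus 2017 applies to file extensions, plus its inverse.
import os
import string
from typing import Optional, Tuple

# Extensions named in the article as targets (assumed sufficient for triage).
TARGET_EXTENSIONS = {".crw", ".doc", ".jpg", ".kdc", ".mdf", ".txt", ".wpd",
                     ".xlk", ".wps", ".xlsm", ".odp", ".pef", ".pfx", ".png", ".ppt"}

def rotate(text: str, shift: int) -> str:
    """Shift each ASCII letter by `shift` places, wrapping within the alphabet.
    Non-letters such as the leading dot are left untouched."""
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        elif ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)

# A forward shift of 3 reproduces the article's .txt -> .waw example;
# ROT-23 (shift of 23) is its inverse and recovers the original extension.
ENCRYPT_SHIFT = 3
DECRYPT_SHIFT = 23

def encrypted_extension(ext: str) -> str:
    return rotate(ext, ENCRYPT_SHIFT)

def original_extension(ext: str) -> str:
    return rotate(ext, DECRYPT_SHIFT)

def classify(filename: str) -> Tuple[str, Optional[str]]:
    """Heuristic triage: if the extension un-rotates to a targeted extension,
    report the file as encrypted together with its probable original name."""
    stem, ext = os.path.splitext(filename)
    candidate = original_extension(ext)
    if candidate.lower() in TARGET_EXTENSIONS:
        return "encrypted", stem + candidate
    return "clean", None

if __name__ == "__main__":
    for name in ("report.waw", "photo.msj", "notes.txt"):
        print(name, "->", classify(name))
```

The classify heuristic can misfire on an unusual clean extension whose un-rotated form happens to be a targeted one, so treat its output as a lead for review rather than proof of encryption.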

What makes Erebus 2017 Ransomware quite a unique infection is not only the type of cipher used or the fact that it is capable of bypassing User Account Control. It also differs from similar file-encrypting threats because it deletes all Windows Volume Shadow Copies with the command cmd.exe /C vssadmin delete shadows /all /quiet && exit immediately after encrypting files, so that users cannot recover their files from shadow copies and are left with no way to decrypt them without the decryption key. Last but not least, specialists also find it interesting that this infection keeps connecting to the domains altus.ip-connect.net.ua and lh25627.voxility.net:9001. Specifically, it connects to the Internet every day. This is one of the reasons the infection cannot be left on the computer.
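As an added example that is not part of the original article, the following Python matches the two host-side behaviours described above, the shadow-copy deletion command and the write to the mscfile registry key, against constructed Sysmon-like process and registry events; the event format, the random value name and all sample data are assumptions made for the demonstration.

```python
# Added example, not from the original article: detection logic for the
# shadow-copy deletion and the mscfile UAC-bypass key, run over constructed events.
import re
from typing import Dict, List, Tuple

# Shadow-copy deletion command quoted in the article (case-insensitive, flexible spacing).
VSSADMIN_DELETE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows\b.*\s/all\b", re.IGNORECASE)
# UAC-bypass registry path from the article; any value written here deserves a look.
MSCFILE_COMMAND = re.compile(r"HKCU\\Software\\Classes\\mscfile\\shell\\open\\command", re.IGNORECASE)
# Value data pattern the article gives: an executable directly under the profile directory.
PROFILE_EXE = re.compile(r"%UserProfile%\\[^\\]+\.exe", re.IGNORECASE)

# Constructed sample events in a minimal Sysmon-like dict form (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "process", "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /C vssadmin delete shadows /all /quiet && exit"},
    {"type": "registry", "key": "HKCU\\Software\\Classes\\mscfile\\shell\\open\\command",
     "value": "a7f3k2", "data": "%UserProfile%\\a7f3k2.exe"},   # value name is a placeholder
    {"type": "process", "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},                          # benign: listing only
    {"type": "registry", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "value": "OneDrive", "data": "C:\\Program Files\\OneDrive\\OneDrive.exe"},
]

def detect(event: Dict[str, str]) -> List[str]:
    """Return the names of the rules an event triggers (empty list if none)."""
    hits: List[str] = []
    if event["type"] == "process" and VSSADMIN_DELETE.search(event.get("cmdline", "")):
        hits.append("shadow_copy_deletion")
    if event["type"] == "registry" and MSCFILE_COMMAND.search(event.get("key", "")):
        hits.append("mscfile_uac_bypass_key")
        if PROFILE_EXE.search(event.get("data", "")):
            hits.append("profile_exe_in_mscfile_command")
    return hits

def scan(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Index every event that triggered at least one rule, with the rule names."""
    results = []
    for i, event in enumerate(events):
        hits = detect(event)
        if hits:
            results.append((i, hits))
    return results

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(index, hits)
```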

Due to the changes Erebus 2017 Ransomware applies when it enters a computer, users find the removal of this threat quite complicated. Since so many users do not even know where to start erasing this infection, specialists at 411-spyware.com have prepared step-by-step manual removal instructions. Of course, the easiest way to remove it is to scan the computer with an automatic malware remover. A reputable scanner will find all executable files, registry Values, and processes belonging to the ransomware and remove them all. Use SpyHunter to get all malicious components deleted in the blink of an eye.

Remove Erebus 2017 Ransomware manually

  1. Open Windows Explorer and type %UserProfile% in the address bar. Press Enter.
  2. Check whether there is an executable (.exe) file belonging to the ransomware there. Delete it.
  3. Press Win+R, type regedit, and click OK.
  4. Navigate to HKCU\Software\Classes\mscfile\shell\open\command.
  5. Delete the Value belonging to the ransomware infection (it has a random name, and its Value data should be similar to %UserProfile%\[random].exe).
  6. Check the Task Manager (open it by pressing Ctrl+Shift+Esc). Kill suspicious processes if there are any.
  7. Remove README.html files left by the ransomware infection.
  8. Press Win+E to open Windows Explorer again.
  9. Open %Temp% and delete tor and tor.zip.
  10. Delete tor from %AppData%.
  11. Remove all suspicious files downloaded recently.
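An added, read-only triage script (not part of the original instructions) that looks for the file-system artifacts steps 2, 7, 9 and 10 describe, so findings can be reviewed before anything is deleted; the registry step is left to regedit as above. The directory layout it builds is constructed for the demonstration, and the executable name is a placeholder.

```python
# Added example, not from the original article: read-only check for the
# file-system artifacts named in the manual removal steps.
import os
import tempfile
from typing import Dict, List

def find_erebus_artifacts(user_profile: str, temp_dir: str, appdata: str) -> Dict[str, List[str]]:
    """Return paths grouped by artifact type; nothing is deleted, so the result
    can be reviewed first or preserved as evidence."""
    found: Dict[str, List[str]] = {"profile_exe": [], "tor": [], "ransom_note": []}
    # Step 2: executables placed directly in the profile directory.
    if os.path.isdir(user_profile):
        for name in os.listdir(user_profile):
            path = os.path.join(user_profile, name)
            if os.path.isfile(path) and name.lower().endswith(".exe"):
                found["profile_exe"].append(path)
    # Steps 9 and 10: Tor client dropped in %Temp% and %AppData%.
    for path in (os.path.join(temp_dir, "tor"), os.path.join(temp_dir, "tor.zip"),
                 os.path.join(appdata, "tor")):
        if os.path.exists(path):
            found["tor"].append(path)
    # Step 7: README.html ransom notes spread across the profile tree.
    for root, _dirs, files in os.walk(user_profile):
        for name in files:
            if name.lower() == "readme.html":
                found["ransom_note"].append(os.path.join(root, name))
    return found

def build_sample_layout() -> Dict[str, str]:
    """Create a constructed, harmless directory layout mimicking an infected profile."""
    base = tempfile.mkdtemp(prefix="erebus_demo_")
    profile = os.path.join(base, "Users", "demo")
    temp_dir = os.path.join(profile, "AppData", "Local", "Temp")
    appdata = os.path.join(profile, "AppData", "Roaming")
    os.makedirs(os.path.join(profile, "Documents"))
    os.makedirs(temp_dir)
    os.makedirs(os.path.join(appdata, "tor"))
    # "a7f3k2.exe" is a placeholder for the random executable name, not a real sample.
    for rel in ("a7f3k2.exe", "README.html", os.path.join("Documents", "README.html"),
                os.path.join("AppData", "Local", "Temp", "tor.zip")):
        with open(os.path.join(profile, rel), "w") as fh:
            fh.write("placeholder\n")
    return {"user_profile": profile, "temp_dir": temp_dir, "appdata": appdata}

if __name__ == "__main__":
    for kind, paths in find_erebus_artifacts(**build_sample_layout()).items():
        print(kind, paths)
```

On a real machine, pass the expanded %UserProfile%, %Temp% and %AppData% paths instead of the constructed layout.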

Erebus 2017 Ransomware Screenshots: three screenshots of the infection (images not included).
