Erebus Ransomware Reported Exploiting a UAC Bypass and Seeking a $90 Ransom Payment

Erebus Ransomware, a new ransomware discovered by security experts at VirusTotal, has been reported as yet another threatening malware program whose distribution method is still unknown. Like various other ransomware programs, it tends to get onto the PC silently, without the user's assent, and generally targets computer systems running Windows. Unlike them, however, this threat has some distinctive features: the low ransom amount it asks users to pay (~$90 USD) and the use of a UAC bypass that lets the ransomware execute with elevated privileges without showing a UAC prompt.

Erebus Ransomware Hijacks the MSC File Association To Execute a UAC Bypass

When the installer for Erebus is executed, the threat uses a User Account Control (UAC) bypass method so that users are not prompted to allow the application to execute at higher privileges. It does this by first copying itself to a randomly named file in the same folder. It then modifies the Windows registry to hijack the association for the .msc file extension, so that the randomly named Erebus executable is launched instead.

Erebus Ransomware then opens the eventvwr.msc file by running eventvwr.exe. Because of the hijacked association, this results in the randomly named Erebus executable being launched by Event Viewer. Since Event Viewer runs in elevated mode, the Erebus Ransomware executable is launched with the same privileges. This enables the threat to bypass User Account Control.
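The two steps described above leave observable traces: a per-user override of the .msc handler, and eventvwr.exe starting something other than the management console. The following detection sketch is an added example, not part of the original article; the event field names are hypothetical (loosely modelled on endpoint process and registry telemetry), the sample events are constructed, and the `mscfile\shell\open\command` location and mmc.exe as the normal handler are assumptions taken from public documentation of this bypass technique rather than from the article.

```python
import re
from ntpath import basename  # parses Windows paths on any platform

# Assumption: a per-user override of the .msc handler shows up as a value
# set under a user hive (HKU\<SID>...) at mscfile\shell\open\command.
USER_MSC_HANDLER = re.compile(r"^HKU\\.+\\mscfile\\shell\\open\\command", re.I)


def find_msc_hijack(events):
    """Return (rule, event) pairs for the two observable steps of the bypass."""
    findings = []
    for ev in events:
        if ev["type"] == "registry_set":
            # The legitimate handler is mmc.exe; a user-hive handler pointing
            # anywhere else is the hijack of the .msc association.
            if USER_MSC_HANDLER.search(ev["target"]) and "mmc.exe" not in ev["value"].lower():
                findings.append(("user_msc_handler_override", ev))
        elif ev["type"] == "process_create":
            parent = basename(ev["parent_image"]).lower()
            child = basename(ev["image"]).lower()
            # eventvwr.exe is expected to start only mmc.exe.
            if parent == "eventvwr.exe" and child != "mmc.exe":
                findings.append(("eventvwr_unexpected_child", ev))
    return findings


# Constructed sample events (not taken from a real incident).
SAMPLE_EVENTS = [
    {"type": "registry_set",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001_Classes\mscfile\shell\open\command\(Default)",
     "value": r"C:\Users\alice\Downloads\qzkfwpxa.exe"},
    {"type": "process_create",
     "image": r"C:\Users\alice\Downloads\qzkfwpxa.exe",
     "parent_image": r"C:\Windows\System32\eventvwr.exe"},
    {"type": "process_create",  # benign: Event Viewer opening its console
     "image": r"C:\Windows\System32\mmc.exe",
     "parent_image": r"C:\Windows\System32\eventvwr.exe"},
]

if __name__ == "__main__":
    for rule, ev in find_msc_hijack(SAMPLE_EVENTS):
        print(rule, ev.get("image") or ev["target"])
```

Either rule on its own is worth an alert; seeing both for the same user within a short window matches the sequence the article describes.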

Working Algorithm Of Erebus Ransomware

Once executed on the system, Erebus Ransomware connects to http://ipecho.net/plain and http://ipinfo.io/country to determine the victim's IP address and the country they are located in. It then downloads a TOR client and uses it to connect to the site's Command & Control server.

The ransomware then scans the victim's PC for files of the types it targets and encrypts the files it finds with the AES algorithm.

The file types targeted for encryption are:


While carrying out the encryption, the infection appends the .msj extension to the encrypted files. During the process it also deletes the Windows Volume Shadow Copies so that they cannot be used later for file recovery.

The command used to clear the shadow copies is:

After the encryption procedure is complete, Erebus Ransomware creates a ransom note on the desktop named README.HTML. The note is reported to include a list of the encrypted files, a button that takes users to the TOR payment site, and a unique ID that lets users log in to the payment site.

Aside from the note, the infection also displays a message box on the Windows desktop alerting victims that their files have been encrypted.

When the victim clicks the Recover my files button, they are taken to Erebus' TOR payment site, which includes payment instructions. At this point, a ransom of .085 Bitcoins (i.e., $90 USD) is demanded.

Although all of these messages and notes appear 100% authentic at first glance, it is strongly suggested not to trust them, since research has shown that in reality they are no more than a scam designed by cyber crooks to extort ever more illegal profit from innocent PC users. Thus, one should concentrate only on the permanent removal of Erebus Ransomware from the PC.
