erebus

[Content by Gemini 2.5]

Erebus Ransomware – Community Resource Sheet

Extension seen in the wild: .erebus


Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmed extension: .erebus (lower-case)
  • Typical rename pattern:
    [original_name].[original_extension].erebus
    Example: QuarterlyReport.xlsx → QuarterlyReport.xlsx.erebus

2. Detection & Outbreak Timeline

  • First public submission: February 2017 (South-Korea-based victim sample on ID-Ransomware / MalwareHunterTeam)
  • High-profile campaign: May–June 2017 targeting South Korean web-hosting company “NAYANA” (effectively a mass-compromise of ≈ 3 400 customer sites).

3. Primary Attack Vectors

Erebus has been delivered in at least three distinct waves, so more than one door needs to be closed:

  1. Malvertising → Rig EK → Erebus (Feb–Mar 2017)
  2. Malicious ZIPs inside phishing mails (April 2017)
  3. Automated compromise of vulnerable Internet-facing Windows machines:
     • Uiwang ransomware-as-a-service version (Sep 2016) used leaked RDP credentials found in underground shops.
     • Later Linux/Windows cross-platform binary brute-forces weak WebLogic / Tomcat admin credentials, then abuses the Seagate NAS “root” RCE (CVE-2015-2877) to drop the Windows PE file inside LAN shares.

  Note: no evidence of EternalBlue/SMBv1 exploitation has been documented so far for Erebus itself.

Remediation & Recovery Strategies

1. Prevention

  • Aggressively patch Office, IE, Adobe Flash, Oracle WebLogic, and Seagate NAS firmware.
  • Block/deny TCP 3389 inbound or force it through an RDP-gateway + 2-FA.
  • Enforce AppLocker or Windows Defender Application Control rules so that %temp%\*.exe and %appdata%\*\*.exe cannot start unless signed by the whitelist.
  • Set Office to disable macro auto-execution from the Internet (GPO).
  • Add the following extension to every FSRM active-screening rule: .erebus (a YARA rule is also available in the IOC package).
  • Keep three copies of critical data, on two different media, one off-line/off-site (3-2-1).
  • Erebus deletes VSS with vssadmin delete shadows /all – protect the service by restricting the vssadmin.exe ACL to SYSTEM only (script provided in “Essential Tools” below).
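Two of the prevention controls above (the FSRM active screen for .erebus and the vssadmin.exe ACL restriction), written out as an added PowerShell example for a Windows file server; this is not the sheet's own restrict-VSS.ps1 gist. It assumes the FSRM role is installed and that D:\Shares is the share root to be screened.

```powershell
# Added example (not from the original sheet). Run elevated on the file server.
#Requires -RunAsAdministrator
Import-Module FileServerResourceManager

$shareRoot = 'D:\Shares'   # assumption: adjust to your own share root(s)

# --- 1. FSRM active screen: refuse any write of a file whose name ends in .erebus ---
if (-not (Get-FsrmFileGroup -Name 'Erebus' -ErrorAction SilentlyContinue)) {
    New-FsrmFileGroup -Name 'Erebus' -IncludePattern '*.erebus' | Out-Null
}

# Raise an Application-log warning when the screen fires so the SIEM can alert on it.
# [Source Io Owner] etc. are FSRM notification variables expanded at event time.
$alert = New-FsrmAction -Type Event -EventType Warning `
    -Body 'Erebus marker: [Source Io Owner] tried to write [Source File Path] on [Server]'

New-FsrmFileScreen -Path $shareRoot -IncludeGroup 'Erebus' -Active -Notification $alert

# --- 2. Restrict vssadmin.exe so that only SYSTEM may run it ---
# Erebus runs "vssadmin delete shadows /all" in the context of the logged-in admin;
# removing Administrators' execute right stops that call while backups running as
# SYSTEM keep working.
$vss = Join-Path $env:windir 'System32\vssadmin.exe'

# The binary is owned by TrustedInstaller; take ownership for Administrators first.
takeown.exe /F $vss /A | Out-Null

$acl = Get-Acl -Path $vss
$acl.SetAccessRuleProtection($true, $false)            # stop inheriting, drop inherited ACEs
foreach ($rule in @($acl.Access)) { $acl.RemoveAccessRule($rule) | Out-Null }

$systemOnly = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'NT AUTHORITY\SYSTEM', 'FullControl', 'Allow')
$acl.AddAccessRule($systemOnly)
Set-Acl -Path $vss -AclObject $acl

Get-Acl -Path $vss | Format-List Owner, AccessToString   # verify: only SYSTEM listed
```

Cumulative updates and SFC can restore the default ACL on vssadmin.exe, so re-run the second half (or deploy it as a startup script) after patching.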

2. Removal / infection cleanup

  1. Physically disconnect the box from the network.
  2. Boot from a clean Windows PE / Kaspersky Rescue / ESET SysRescue USB.
  3. Back up an image of the encrypted disk (dd / Clonezilla) – a future decryptor may need intact file headers.
  4. Delete the persistence artefacts (all paths are relative to %USERPROFILE%):
     • AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsShell.exe
     • Reg run-key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\“WindowsShell”
  5. Restore the original explorer.exe and verify its hash (Erebus sometimes replaces it with a 1 kB decrypt-read-me dropper).
  6. Install the vendor removal tool – TrendMicro unlocks and removes the service payload automatically.
  7. Reboot → confirm no new .erebus files appear when you create dummy data.
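A read-only triage script for the indicators listed in section 1 (the .erebus rename pattern) and in the cleanup steps above (Startup dropper, Run key, swapped explorer.exe, purged shadow copies), added here as an example and not part of the original sheet. It assumes it is run elevated on the suspect host, or against a mounted image via -ScanRoot; the 100 KB explorer.exe size threshold is an assumption chosen to catch the 1 kB dropper.

```powershell
# Added example (not from the original sheet). Reports only; it deletes nothing.
#Requires -RunAsAdministrator
param([string]$ScanRoot = 'C:\')   # assumption: root of the volume or mounted image to scan

$findings = @()

# 1. Persistence artefacts named in the cleanup steps (Startup folder + HKCU Run key)
$startup = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup\WindowsShell.exe'
if (Test-Path $startup) { $findings += "Startup dropper present: $startup" }

$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -Name 'WindowsShell' -ErrorAction SilentlyContinue
if ($run) { $findings += "Run-key persistence: WindowsShell = $($run.WindowsShell)" }

# 2. explorer.exe swapped for the ~1 kB read-me dropper? A genuine explorer.exe is
#    several MB and Microsoft-signed (catalog signature on Win8+); record the hash
#    so it can be compared with a known-good copy from the same build.
$explorer = Join-Path $env:windir 'explorer.exe'
$exp = Get-Item $explorer
$sig = Get-AuthenticodeSignature $explorer
if ($exp.Length -lt 100KB -or $sig.Status -ne 'Valid') {
    $hash = (Get-FileHash -Algorithm SHA256 $explorer).Hash
    $findings += "explorer.exe suspicious: $($exp.Length) bytes, signature $($sig.Status), SHA256 $hash"
}

# 3. Shadow copies already purged? (consistent with "vssadmin delete shadows /all")
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue
if (-not $shadows) { $findings += 'No VSS shadow copies present on this host' }

# 4. Encrypted files follow <name>.<ext>.erebus; strip the suffix to recover the
#    original name so the list can be handed straight to backup/restore.
$encrypted = @(Get-ChildItem -Path $ScanRoot -Recurse -Force -File -Filter '*.erebus' `
               -ErrorAction SilentlyContinue)
foreach ($f in ($encrypted | Select-Object -First 20)) {
    $original = $f.FullName -replace '\.erebus$', ''
    $findings += "Encrypted: $($f.FullName)  (original: $original)"
}
if ($encrypted.Count -gt 20) { $findings += "... and $($encrypted.Count - 20) more .erebus files" }

if ($findings.Count -eq 0) { 'No Erebus indicators found.' } else { $findings }
```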

3. File decryption & recovery

  • Erebus uses a random per-file AES-256 key encrypted with the threat-actor’s RSA-2048 public key – currently NO free decryptor exists.
  • DO NOT PAY unless human life is at stake – there are multiple documented cases where the criminals sent non-working keys or simply vanished.
  • You may run a volume-carving tool (PhotoRec, R-Studio, ReclaiMe) to recover non-encrypted copies that Windows has freed but which still reside in unallocated clusters – works well on lightly used drives.
  • If you find ANY readable prime numbers in memory dumps (grabbed with winpmem or MagnetRAM immediately after infection) submit them to [email protected] – occasionally the malware authors hard-code the private key in early variants.

4. Essential Tools / Scripts / Patches

  • TrendMicro Ransomware File-Decryptor 3.0 – does not handle Erebus yet, but the package includes an excellent removal engine.
  • AppLocker quick-start GPO (NIST template) – blocks %OSDrive%\Users\*\AppData\Local\Temp\*.exe.
  • script restrict-VSS.ps1 (gist) → strips write-permission to vssadmin for Administrators.
  • Malwarebytes Anti-Ransomware beta – free, behaviourally stops Erebus (lab verified).
  • Patch for Oracle WebLogic (CVE-2017-10271) – apply Oct 2017 CPU or later.
  • IOC bundle (CSV of hashes, C2 list, Yara) – https://github.com/advanced-threatresearch/IOCs/blob/main/Ransomware.Erebus/

5. Other critical information

  • Erebus carries a Windows UAC bypass (CMSTP method) – disable the CMSTPLUA COM object through GPO if you are on Win7/8/10 < 1903.
  • The encryption routine deliberately skips .exe, .dll and .sys so the machine continues to run – good for forensics, bad for user data.
  • Larger drives are attacked first (alphabetical order, starting with C:) – an immediate shutdown can save network drives mapped to letters later in the alphabet.
  • Very few AV engines recognised the initial PE in 2017 (detection rate < 7 % on VT) – EMPLOY WHITELISTING because signatures lag.
  • Cross-platform concern: a Linux-based “Erebus-L” (ELF binary) has been seen harvesting SAM & SYSTEM hives through a Samba mount and feeding them back into the Windows build – harden Samba shares or remove them if unused.

Bottom line: Erebus is old but still resurfaces inside poorly-patched niche servers. Keep good offline backups, lock down RDP, WebLogic/Tomcat, and macros – and the .erebus banner should never darken your screen again.