eris

[Content by Gemini 2.5]

Ransomware Deep-Dive: “eris” (a.k.a. Eris Ransomware, “.eris” strain)


Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of File Extension:
    – “.eris” is appended to every encrypted file. Example: Quarterly_Report.xlsx → Quarterly_Report.xlsx.eris
  • Renaming Convention:
    – No e-mail/ID string is inserted; only the original file name followed by the single secondary extension “.eris”.
    – Files are first copied, encrypted, flushed, then the original is overwritten with random bytes before deletion—minimizing “shadow-copy” residue.
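The renaming rule above is simple enough to automate for scoping an incident. The following Python helper is an added example (not code from the original write-up): it strips the single trailing ".eris" suffix to recover each original name, and walks a directory tree to summarise which file types and folders were hit and where ransom notes (README.hta, named later in this write-up) were dropped. The sample tree it builds is constructed for offline testing and is not data from a real case.

```python
import os
import tempfile
from collections import Counter

ERIS_EXT = ".eris"          # the single secondary extension Eris appends
RANSOM_NOTE = "README.hta"  # note name referenced in the write-up

def split_eris_name(name):
    """Return (original_name, original_ext) for a '.eris' file name, else None.
    Eris appends one '.eris' after the full original name and inserts no
    e-mail/ID string, so stripping that suffix restores the original name."""
    if not name.lower().endswith(ERIS_EXT):
        return None
    original = name[:-len(ERIS_EXT)]
    _, ext = os.path.splitext(original)
    return original, ext.lower()

def triage_tree(root):
    """Walk a directory tree and summarise .eris impact: encrypted-file count,
    counts by original extension, affected directories and ransom-note count."""
    hits, notes = [], 0
    for dirpath, _, files in os.walk(root):
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        for f in files:
            if f == RANSOM_NOTE:
                notes += 1
            parsed = split_eris_name(f)
            if parsed:
                hits.append((rel, parsed[0], parsed[1]))
    return {
        "encrypted": len(hits),
        "by_ext": dict(Counter(ext for _, _, ext in hits)),
        "dirs": sorted({d for d, _, _ in hits}),
        "ransom_notes": notes,
    }

def build_sample_tree():
    """Constructed sample data (not from a real incident) so the demo runs offline."""
    root = tempfile.mkdtemp(prefix="eris_demo_")
    layout = {
        "Finance": ["Quarterly_Report.xlsx.eris", "budget.docx.eris", "notes.txt"],
        "HR/Archive": ["staff.db.eris", RANSOM_NOTE],
        "Public": ["logo.png"],
    }
    for d, names in layout.items():
        os.makedirs(os.path.join(root, d), exist_ok=True)
        for n in names:
            with open(os.path.join(root, d, n), "wb") as fh:
                fh.write(b"x")
    return root

if __name__ == "__main__":
    print(triage_tree(build_sample_tree()))
```

Because Eris keeps the original name intact, the extension histogram this produces is a quick way to tell business owners which data classes (spreadsheets, databases, documents) are affected before any restore work starts.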

2. Detection & Outbreak Timeline

  • Approximate Start Date / Period:
    – First publicly submitted: 16–18 May 2019 (MalwareHunterTeam, ID-Ransomware).
    – Continued sporadic campaigns through mid-2019; largely displaced by successor strains (Phobos / Dharma family) by Q4-2019.

3. Primary Attack Vectors

  • Phishing e-mails – ISO, IMG or CAB attachments containing compiled AutoIt loaders that drop Eris.
  • Magnitude Exploit Kit (EK) – Observed via compromised ad-servers (late-May 2019).
  • RDP brute-forcing – Dictionary/hydra-style RDP attacks, followed by manual drop of eris.exe.
  • Weak network shares (SMB) – Ad-hoc lateral movement once inside; does not use EternalBlue itself but steals credentials via Mimikatz modules injected by the same loader.

Remediation & Recovery Strategies

1. Prevention

  1. Disable RDP if unused, or harden it against brute force: 2-FA gateway, Network-Level Authentication, lockout policy (5 attempts, 30 min).
  2. Inspect mail flow for ISO/IMG files; drop via mail-gateway if business-unnecessary.
  3. Application whitelisting / ASR rules (Windows Defender Exploit Guard). Specifically block wscript.exe, cscript.exe, powershell.exe spawning from Office/AutoIt binaries.
  4. Aggressively patch browsers & their add-ins (Flash, Java) – the Magnitude EK used in the 2019 campaign relied on Flash CVE-2018-15982.
  5. Maintain offline, versioned backups (3-2-1 rule). Eris deletes Volume-Shadow-Copies (vssadmin delete shadows /all).

2. Removal (step-by-step)

A. Power off all exposed but still-uninfected machines immediately; the ransomware sleeps 1–2 min before it begins encrypting, so a prompt shutdown can pre-empt it.
B. Boot infected host from clean WinPE or Safe-Mode-with-Networking.
C. Mount the disk as a data-drive to another system OR run Windows Defender Offline / Kaspersky Rescue Disk.
D. Detect & quarantine components (typical hashes change – heuristic names are useful):
   – %TEMP%\*.bat that empties the Recycle Bin (evidence erasure).
   – %LOCALAPPDATA%\subfolder\<8-random-hex>\*.exe – the Eris encryptor.
   – SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce entry: value *eris* or a random GUID.
E. Remove persistence (Run keys, Scheduled Task that often re-launches the encryptor if a kill-switch fails).
F. Run a full AV/EDR scan (modern signatures: Ransom:Win32/Eris, Trojan.Win32.ERIS, Ransom.ERIS.*).
G. Re-image if root-credential theft is suspected (i.e. the Mimikatz module ran); otherwise remove the host from the domain, reset all local and domain passwords, and revoke Kerberos tickets.
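Several of the indicators in this section (the vssadmin shadow-copy deletion from prevention item 5, script hosts spawned from Office/AutoIt from item 3, and the %TEMP% batch file, eight-hex-character encryptor folder and RunOnce entry from removal step D) are easy to turn into detection rules. The Python below is an added example, not tooling from the original write-up: it parses constructed Sysmon-style events written in a simplified key=value form (field names Image, CommandLine, ParentImage and TargetObject follow Sysmon event 1 and 13 conventions; the folder name 3fa9c21e, the GUID and the user paths are made up) and reports which rule each event trips.

```python
import re

# Constructed sample events (simplified key=value form, not real Sysmon XML/EVTX).
SAMPLE_EVENTS = [
    r"EventID=1|Image=C:\Windows\System32\vssadmin.exe|CommandLine=vssadmin delete shadows /all /quiet|ParentImage=C:\Users\bob\AppData\Local\subfolder\3fa9c21e\svc.exe",
    r"EventID=1|Image=C:\Users\bob\AppData\Local\subfolder\3fa9c21e\svc.exe|CommandLine=svc.exe|ParentImage=C:\Windows\explorer.exe",
    r"EventID=1|Image=C:\Windows\System32\wscript.exe|CommandLine=wscript.exe invoice.js|ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    r"EventID=1|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd /c C:\Users\bob\AppData\Local\Temp\clean.bat|ParentImage=C:\Users\bob\AppData\Local\subfolder\3fa9c21e\svc.exe",
    r"EventID=13|TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\RunOnce\{3F2504E0-4F89-11D3-9A0C-0305E82C3301}|Details=C:\Users\bob\AppData\Local\subfolder\3fa9c21e\svc.exe",
    r"EventID=1|Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe todo.txt|ParentImage=C:\Windows\explorer.exe",
]

# Patterns derived from the indicators in the write-up (rule names are this example's own).
HEX8_DIR_EXE = re.compile(r"\\AppData\\Local\\[^\\]+\\[0-9a-f]{8}\\[^\\]+\.exe$", re.I)
TEMP_BAT = re.compile(r"\\Temp\\[^\\\s]+\.bat\b", re.I)
RUNONCE = re.compile(r"\\CurrentVersion\\RunOnce\\", re.I)
GUID_OR_ERIS = re.compile(
    r"(eris|\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\})$", re.I)
SHADOW_DELETE = re.compile(r"delete\s+shadows", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe"}
OFFICE_AUTOIT = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "autoit3.exe"}

def parse_event(line):
    """Split 'k=v|k=v' into a dict; values may themselves contain '='."""
    return dict(field.split("=", 1) for field in line.split("|"))

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def evaluate(event):
    """Return the list of rule names this single event trips (empty if none)."""
    hits = []
    if event.get("EventID") == "1":
        image, parent = event.get("Image", ""), event.get("ParentImage", "")
        cmd = event.get("CommandLine", "")
        if basename(image) == "vssadmin.exe" and SHADOW_DELETE.search(cmd):
            hits.append("shadow_copy_deletion")          # prevention item 5
        if HEX8_DIR_EXE.search(image) or HEX8_DIR_EXE.search(parent):
            hits.append("hex8_localappdata_exe")         # removal step D, encryptor path
        if TEMP_BAT.search(cmd):
            hits.append("temp_bat_execution")            # removal step D, cleanup .bat
        if basename(image) in SCRIPT_HOSTS and basename(parent) in OFFICE_AUTOIT:
            hits.append("script_host_from_office_or_autoit")  # prevention item 3
    elif event.get("EventID") == "13":
        target = event.get("TargetObject", "")
        if RUNONCE.search(target) and GUID_OR_ERIS.search(target):
            hits.append("runonce_persistence")           # removal steps D/E
    return hits

def scan(lines):
    """Evaluate every line; returns (line_index, rule_name) pairs."""
    return [(i, rule) for i, line in enumerate(lines) for rule in evaluate(parse_event(line))]

def triggered_rules(lines):
    return sorted({rule for _, rule in scan(lines)})

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

None of these rules is a signature on its own (an admin legitimately running vssadmin will trip the first), but two or more of them firing on one host within minutes, with the hex-named LOCALAPPDATA binary as the common parent, is the cluster this write-up describes and a reasonable trigger for the power-off step.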

3. File Decryption & Recovery

  • Recovery Feasibility (as of 2024):
    No free decryptor exists. The malware encrypts with AES-256 in CBC mode using a per-file key; that key is encrypted with an embedded RSA-1024 public key, and the matching RSA private key is held only by the operators.
    – Paid decryption is technically possible – victims supplying ransom note file ("README.hta") and one encrypted file receive a price (range historically 0.07–0.20 BTC). On paying, attackers return a small decryptor.exe plus the per-victim RSA private key embedded. (Standard BEC-style negotiation advice applies: expect 20-30% discount if >5 k USD, use anonymous email, never expose company name, involve law-enforcement.)
  • Work-around paths without paying:
  1. Look for un-wiped originals in cloud-sync folders (OneDrive/SharePoint history, Google-Drive “Previous versions”).
  2. Carve local data from hibernation-file or pagefile.sys copies; some PDF/database fragments may be rebuilt (low success rate).
  3. Data-recovery companies use “rebuild encrypted container” techniques when only the MFT is encrypted – worth evaluating if the irreplaceable data is worth >25 k USD, but the Eris overwrite-and-delete pass keeps expectations low.
  • Essential Tools / Patches:
    – Microsoft Security Bulletin for CVE-2018-15982 (Flash) still offered through catalog-only for Win7/8.
    – Official KB4499175 (May-2019 roll-up) added detection signature for Eris trojan component to Windows Defender.
    – “ErisDecryptorTest” – dummy tool used by CERT-PL to verify key validity; NOT public, but analysts may request it via the Ransomware-Task-Force repo.
    – Keep a Hiren’s BootCD WinPE stick with up-to-date portable Malwarebytes and DiskGenius for quick offline cleaning and file carving.
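The key hierarchy described under Recovery Feasibility (a fresh symmetric key per file, wrapped with an RSA public key embedded in the binary, private key held by the operators) is what makes the "no free decryptor" verdict a structural fact rather than a matter of effort. The Python below is an added toy model written for this page, not Eris code: it substitutes a 150-bit RSA key built from two Mersenne primes and a SHA-256 keystream for the real RSA-1024 and AES-256-CBC (both stand-ins are deliberately insecure and only illustrate the structure), so an analyst can see why a recovered private key unlocks every file of that victim while knowing one file's key or plaintext helps with none of the others.

```python
import hashlib
import os
from math import gcd

def toy_keypair(p, q):
    """Textbook RSA from two given primes. Constructed, NOT secure; stands in for
    the RSA-1024 key whose public half is embedded in the encryptor."""
    n, phi, e = p * q, (p - 1) * (q - 1), 65537
    assert gcd(e, phi) == 1
    d = pow(e, -1, phi)                 # private exponent: operator-held in the real scheme
    return (e, n), (d, n)

# Toy 150-bit key from the Mersenne primes M61 and M89 (large enough to wrap a 16-byte key).
PUBLIC_KEY, PRIVATE_KEY = toy_keypair((1 << 61) - 1, (1 << 89) - 1)

def keystream_xor(key, iv, data):
    """Stand-in for AES-256-CBC: XOR with SHA-256(key || iv || counter) blocks.
    Symmetric, so the same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + iv + offset.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)

def wrap_key(file_key, pub):
    e, n = pub
    return pow(int.from_bytes(file_key, "big"), e, n)

def unwrap_key(wrapped, priv):
    d, n = priv
    # Mask to the key length so a wrong private key yields wrong bytes, not an exception.
    return (pow(wrapped, d, n) & ((1 << 128) - 1)).to_bytes(16, "big")

def model_encrypt(plaintext, pub):
    """Per-file random key and IV; only the RSA-wrapped key travels with the file."""
    file_key, iv = os.urandom(16), os.urandom(16)
    return {"iv": iv, "wrapped_key": wrap_key(file_key, pub),
            "ciphertext": keystream_xor(file_key, iv, plaintext)}

def model_decrypt(blob, priv):
    """What the operators' decryptor does: unwrap the per-file key, then decrypt."""
    file_key = unwrap_key(blob["wrapped_key"], priv)
    return keystream_xor(file_key, blob["iv"], blob["ciphertext"])

def keys_are_independent(blobs):
    """True when every file carries a distinct wrapped key, i.e. recovering one
    file's symmetric key (e.g. from a memory dump) does not unlock the rest."""
    wrapped = [b["wrapped_key"] for b in blobs]
    return len(set(wrapped)) == len(wrapped)

if __name__ == "__main__":
    files = [model_encrypt(b"constructed sample document %d" % i, PUBLIC_KEY) for i in range(3)]
    print("independent per-file keys:", keys_are_independent(files))
    print("decrypts with operator key:", model_decrypt(files[0], PRIVATE_KEY))
```

The practical reading for responders: a memory image taken while the encryptor was still running can at best yield the symmetric keys of files in flight, and a leaked or paid-for private key is per victim, which is why the work-around list above leans on un-wiped copies and cloud version history rather than on cryptanalysis.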

4. Other Critical Information

  • Additional Precautions / Unique Traits:
    – Kill-switch token = C:\recovery.txt – creating that empty file early enough in execution stops the encryption loop (found by group-by-group sample comparison; reliable for 2019 builds, not guaranteed for variants).
    – Drops desktop wallpaper changer with mature branding (“YOUR FILES ARE ENCRYPTED BY ERIS”) and accuses victims of “computer misuse to cover traces”; likely copied from Phobos family, distracting attribution analysis.
    – Uses an SDelete-like 3-pass overwrite on originals (a cipher /W call that later Phobos builds dropped) – the reason some firms mis-identify Eris as “Phobos-RaaS 1.0”.
  • Broader Impact:
    – Largely affected healthcare SMBs and public schools in Central & Eastern Europe (PL, CZ, SK) with RDP exposed and indexed on Shodan.
    – Often co-deployed with the Amadey bot & Predator stealer, elevating the incident from “ransom-only” to a full credential breach – assume any Eris-hit domain is fully compromised until a complete password reset and KRBTGT rotation have been done.

Stay patched, keep at least one backup copy physically unplugged, and remember: with eris there is no “silver-bullet” decryptor—preparation beats payment.