Ransom.Win32.ERIS.C

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It connects to certain websites to send and receive information. It deletes itself after execution.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware adds the following processes:

• taskkill.exe /f /im mysqld.exe
• taskkill.exe /f /im sqlwriter.exe
• taskkill.exe /f /im sqlserver.exe
• taskkill.exe /f /im MSExchange*
• taskkill.exe /f /im Microsoft.Exchange.*

Process Termination

This Ransomware terminates processes or services that contain any of the following strings if found running in the affected system's memory:

• sql
• backup
• malware
• server
• agent
• http
• apache

Dropping Routine

This Ransomware drops the following files:

• %ProgramData%\00000000.pky → contains public key
• %ProgramData%\00000000.eky → contains encryption key
• %ProgramData%\00000000.ext → contains file extension of encrypted files

(Note: %ProgramData% is a version of the Program Files folder where any user on a multi-user computer can make changes to programs. This contains application data for all users. This is usually C:\ProgramData on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit), or C:\Documents and Settings\All Users on Windows Server 2003(32-bit), 2000(32-bit) and XP.)

Other Details

This Ransomware connects to the following URL(s) to get the affected system's IP address:

• http://extreme-ip{BLOCKED}.com/json

It connects to the following website to send and receive information:

• http://{BLOCKED}wzczbcbi4edpi4tx3khwbnty3obfhemd5i5gbyci3hxx3k5pad.{BLOCKED}n.pet/api/v1/check
• http://{BLOCKED}wzczbcbi4edpi4tx3khwbnty3obfhemd5i5gbyci3hxx3k5pad.{BLOCKED}n.pet/api/v1/sync

It does the following:

• It deletes the shadow volume copies and disables system recovery using the following commands:
  • vssadmin delete shadows /all /quiet
  • wmic shadowcopy delete
  • wbadmin delete catalog -quiet
  • bcdedit /set {default} bootstatuspolicy ignoreallfailures
  • bcdedit /set {default} recoveryenabled no
• It wipes deleted files from encrypted drives using the following command:
  • cipher /W:{Encrypted Drive Letter}:

It deletes itself after execution.

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file name:

• .sys
• .com
• autoexec.bat
• boot.ini
• ntdetect.com
• msdos.sys
• io.sys
• pagefile.sys
• ntuser.dat
• config.sys
• ntldr

It avoids encrypting files found in the following folders:

• windows
• windows.old
• system volume information
• $recycle.bin
• program files
• program files (x86)
• programdata
• i386
• amd64
• sysvol

It appends the following extension to the file name of the encrypted files:

• .{5 random characters}

It leaves text files that serve as ransom notes containing the following text:

• {Encrypted Directory}\HELP-{5 random characters}.txt