RANSOM_EREBUS.TOR
Ransom.CryptXXX (NORTON); Ransom:Win32/Erebus.A!rsm (MICROSOFT); Troj/Ransom-EGM (SOPHOS_LITE)
Windows
Threat Type: Ransomware
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It encrypts files with specific file extensions.
TECHNICAL DETAILS
File size: 1,249,280 bytes
File type: EXE
Initial samples received: 07 Feb 2017
Arrival Details
This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Ransomware drops a copy of itself, under a random file name, in the following folder:
- {path where the initial copy was executed}\{random string}.exe
Other System Modifications
This Ransomware adds the following registry entry:
- HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command
  (Default) = {path where the initial copy was executed}\{random string}.exe
Other Details
This Ransomware connects to the following possibly malicious URL:
- http://{BLOCKED}5743lnq6db.onion
Ransomware Routine
This Ransomware encrypts files with the following extensions:
- .3fr
- .accdb
- .arw
- .bay
- .cdr
- .cer
- .cr2
- .crt
- .crw
- .dbf
- .dcr
- .der
- .dng
- .doc
- .docm
- .docx
- .dwg
- .dxf
- .dxg
- .eps
- .erf
- .indd
- .jpe
- .jpg
- .kdc
- .mdb
- .mdf
- .mef
- .mp3
- .mp4
- .mrw
- .nef
- .nrw
- .odb
- .odm
- .odp
- .ods
- .odt
- .orf
- .p7b
- .p7c
- .p12
- .pdd
- .pef
- .pem
- .pfx
- .png
- .ppt
- .pptm
- .pptx
- .psd
- .pst
- .ptx
- .r3d
- .raf
- .raw
- .rtf
- .rwl
- .srf
- .srw
- .txt
- .wb2
- .wpd
- .wps
- .xlk
- .xls
- .xlsb
- .xlsm
- .xlsx
It appends one of the following extensions to the file names of the encrypted files:
- .waw
- .ps3
- .msj
- .sqj
- .grf
- .aov
- .ssw
- .pge
- .uwi
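The two host artifacts this entry describes, the HKEY_CURRENT_USER mscfile\shell\open\command value and the extensions appended to encrypted files, are both straightforward to check for from the defender's side. The script below is an added example and is not part of the Trend Micro entry or its analysis tooling; it assumes an elevated PowerShell session on the host being examined, and `$ScanRoot` is a placeholder for the directory tree to inspect. The registry check treats any HKCU override of mscfile\shell\open\command that does not point into %SystemRoot% as suspicious, because the legitimate mscfile registration lives under HKLM / HKEY_CLASSES_ROOT and points at mmc.exe, so a per-user copy of that key is not something a normal installation creates.

```powershell
# Added example (not from the Trend Micro entry): defender-side checks for the
# registry value and the appended file extensions listed above.
# Assumption: run in an elevated PowerShell session on the host under review.
param(
    [string]$ScanRoot = 'C:\Users'   # placeholder: directory tree to inspect
)

# 1. Registry value from "Other System Modifications".
#    A clean system normally has no HKCU mscfile key at all; the legitimate
#    ProgID registration is machine-wide and runs mmc.exe from %SystemRoot%.
function Test-MscfileHijack {
    $key = 'HKCU:\Software\Classes\mscfile\shell\open\command'
    if (-not (Test-Path $key)) { return $null }
    # The (Default) value holds the command line the key points at.
    $cmd = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    $systemRootPattern = '^"?' + [regex]::Escape($env:SystemRoot)
    [pscustomobject]@{
        Key        = $key
        Command    = $cmd
        Suspicious = ($null -ne $cmd -and ($cmd -notmatch $systemRootPattern))
    }
}

# 2. Files carrying one of the extensions the sample appends after encryption
#    (the list under "It appends one of the following extensions").
$appendedExtensions = '.waw', '.ps3', '.msj', '.sqj', '.grf', '.aov', '.ssw', '.pge', '.uwi'

function Find-RenamedFiles {
    param([string]$Root)
    Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $appendedExtensions -contains $_.Extension.ToLower() } |
        Select-Object FullName, Length, LastWriteTime
}

$hijack = Test-MscfileHijack
if ($null -ne $hijack) {
    $hijack | Format-List
} else {
    Write-Output 'No HKCU mscfile\shell\open\command override present.'
}

Find-RenamedFiles -Root $ScanRoot | Format-Table -AutoSize
```

A hit on the registry check is high-confidence on its own, since the value should not exist under HKCU; the file scan is a hunting aid rather than proof, because a few of the appended extensions can also occur on legitimate files, so its results need triage against file timestamps and the user's expected content.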