A newly detected ransomware threat known as ERIS Ransomware that is being distributed via RIG exploit kit. Users can get this ransomware installed on their computer without any consent when the RIG exploit kit attacks the system.
It is found that, the payload of the virus is being spread through malvertising campaigns and drive-by-downloads within infected website. Michael Gillespie was the first to detect the ERIS ransomware in May 2019 when it was submitted to ID Ransomware-a site owned by him.
Malvertising Campaigns were used to spread RIG Exploit Kit
During the week, nao_sec – an exploit kit researcher found it being spread through shady malvertising campaign within compromised website using the RIG exploit kit. The malvertising campaign were using the “popcash ad network” that being used to redirect users to the RIG exploit kit.
Exploit attacks are not new, there cyber-criminals often keep injecting malicious scripts within the compromised websites which upon clicking redirect users to malicious pages that drops RIG Exploit kits.
When user gets redirected to the RIG exploit, it attempts to exploit the vulnerability of Shockwave within the web browser. After successful attempts, the exploit downloads the ERIS Ransomware and install it automatically on the target computer.
A brief About ERIS Ransomware
Once the ERIS Ransomware successfully installs on the computer, it just acts like any typical ransomware threat. It aims to encrypt important data on the victim’s computer system and appends the ‘.ERIS’ extension to the encrypted files.
A file marker of “_FLAG_ENCRYPTED_” is added to the end of each file which denotes that the file is encrypted. After completing the encryption process, the ERIS Ransomware creates a ransom note named as “@ READ ME TO RECOVER FILES @.txt”. According to the note, the authors of the ransomware asks the victim to contact to the authors via Limaooo@cock.li email address for further receiving the payment instructions.
The ransom note contains the following message:
*** *** *** READ THIS FILE CAREFULLY TO RECOVERY YOUR FILES *** *** *** ALL OF YOUR FILES HAVE BEEN ENCRYPTED BY “ERIS RANSOMWARE”! USING STRONG ENCRYPTION ALGORITHM. Every your files encrypted with unique strong key using “Salsa20” encryption algorithm: https://en.wikipedia.org/wiki/Salsa20 Which is protected by RSA-1024 encryption algorithm: https://en.wikipedia.org/wiki/RSA_(cryptosystem) shadow copy, F8 or recuva and other recovery softwares cannot help you, but cause Irreparable damage to your files! Technically no way to restore your files without our help. we only accept cryptocurrency Bitcoin (BTC) as payment method! for cost of decryption service. https://wikipedia.org/wiki/Cryptocurrency https://wikipedia.org/wiki/Bitcoin For speed and easily, please use localbitcoins website to purchase Bitcoin: https://localbitcoins.com * WE OFFER YOU 1 FREE FILE DECRYPTION (<1024 KB) WITHOUT ANY COST! TO TRUST OUR HONESTY BEFORE PAYMENT. THE SIMPLE FILES MUST NOT BE ARCHIVED! * YOUR SPECIAL DECRYPTION PRICE IS $825 IN Bitcoin! -----BEGIN ERIS IDENTIFICATION----- [redacted 0x48A bytes in base64] -----END ERIS IDENTIFICATION----- =========================================================================================================== (Decryption Instructions) 1. Send your "ERIS IDENTIFICATION" with one simple of your encrypted files (<1024 KB) to our email address: firstname.lastname@example.org 2. Wait for reply from us. (usually in some hour) 3. Confirm your simple files are decrypted correct and ask us how to pay to decrypt all your files. 4. We will send you payment instructions in Bitcoin. 5. You made payment and send us TXID of Bitcoin transfer. 6. After we confirm the payment, you will soon get decryption package and everything back to normal. * IN CASE OF FOLLOWING OUR INSTRUCTION, FAST AND EASILY EVERYTHING IS BACK TO NORMAL LIKE THAT NEVER HAPPENED! BUT IF YOU USE OTHER METHODS (THAT NEVER EVER HELPS) YOU JUST DESTROY EVERYTHING FOR GOODNESS! BE A SMART AND SAVE YOUR FILES! NOT A FOOL! =========================================================================================================== =============================== * DO NOT MODIFY ENCRYPTED FILES * DO NOT MOVE ENCRYPTED FILES * DO NOT USE RECOVERY SOFTWARES =============================== ============================================================================================= (Frequently Asked Questions) Q: I can not pay for it, what I do now? A: Format your hard disk, re-install your softwares and start everything from begin! Q: What a guarantee I can recovery my files after payment? A: There is no any reason for us to do not give you decryption software and your special key. The only our goal is help you not hurt! =============================================================================================
The authors also ask the victims to send 1 encrypted file along with the unique ID placed within the ransom note. They will decrypt it for free and then the victim needs to pay the said amount to get the full decryption code to restore the rest of the encrypted files.
Till now the security experts have not released any decryption code for ERIS Ransomware. Thus victims may find it hard for the recovery. But if you have a backup of your files then, you should first copy the ransom note to some other device for future purpose as it is needed for the decryption process.
Next you should not save any important files on the compromised device and try out removing the ransomware using powerful anti-virus tool and try restoring data from backups or recovery tools.
Here are a few links that can help to remove ERIS Ransomware.