{
	"id": "19e2ee7c-2dbd-47f4-967c-d763de240680",
	"created_at": "2026-04-06T00:06:16.063976Z",
	"updated_at": "2026-04-10T13:12:38.073277Z",
	"deleted_at": null,
	"sha1_hash": "8e148f4c2acd1f7ae933a9eaa15612aa46a2ab98",
	"title": "Erebus Ransomware Utilizes a UAC Bypass and Request a $90 Ransom Payment",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1337249,
	"plain_text": "Erebus Ransomware Utilizes a UAC Bypass and Request a $90 Ransom Payment\r\nBy Lawrence Abrams\r\nPublished: 2017-02-07 · Archived: 2026-04-05 18:43:14 UTC\r\nA sample of a potentially new ransomware called Erebus has been discovered by MalwareHunterTeam on VirusTotal. I say that this is a potentially new ransomware because TrendMicro had reported that another ransomware using the same name was previously released back in September 2016. Though I do not have a sample of the original Erebus, from its outward characteristics, the one discovered today looks like either a complete rewrite or a new ransomware using the same name.\r\nWhile it is not currently known how Erebus is being distributed, analysis of the ransomware shows some interesting features. The first, and most noticeable, feature is the low ransom amount of ~$90 USD being requested by the ransomware. Another interesting feature is its use of a UAC bypass that allows the ransomware to run at elevated privileges without displaying a UAC prompt.\r\nErebus performs a UAC Bypass by Hijacking the MSC File Association\r\nWhen the installer for Erebus is executed, it will also utilize a User Account Control (UAC) bypass method so that victims will not be prompted to allow the program to run at higher privileges. It does this by copying itself to a randomly named file in the same folder. It will then modify the Windows registry in order to hijack the association for the .msc file extension so that it will launch the randomly named Erebus executable instead.\r\nThe hijacked keys are shown below.\r\nhttps://www.bleepingcomputer.com/news/security/erebus-ransomware-utilizes-a-uac-bypass-and-request-a-90-ransom-payment/\r\nPage 1 of 7\r\nHKEY_CLASSES_ROOT\\.msc\r\nHKCU\\Software\\Classes\\mscfile\r\nHKCU\\Software\\Classes\\mscfile\\shell\r\nHKCU\\Software\\Classes\\mscfile\\shell\\open\r\nHKCU\\Software\\Classes\\mscfile\\shell\\open\\command\r\nHKCU\\Software\\Classes\\mscfile\\shell\\open\\command\\ %UserProfile%\\[random].exe\r\nErebus will then execute eventvwr.exe (Event Viewer), which in turn will automatically open the eventvwr.msc file. As the .msc file is no longer associated with mmc.exe, but now with the randomly named Erebus executable, Event Viewer will launch Erebus instead. As Event Viewer runs in an elevated mode, the launched Erebus executable will also run with the same privileges. This allows it to bypass User Account Control.\r\nA big thanks to MalwareHunterTeam for pointing out the article that describes this bypass.\r\nHow Erebus Encrypts a Computer\r\nWhen Erebus is executed it will connect to http://ipecho.net/plain and http://ipinfo.io/country in order to determine the victim's IP address and the country they are located in. It will then download a TOR client and use it to connect to the ransomware's Command \u0026 Control server.\r\nErebus will then begin to scan the victim's computer and search for certain file types. When it detects a targeted file type, it will encrypt the file using AES encryption. The current list of targeted file types is:\r\n.accdb, .arw, .bay, .cdr, .cer, .crt, .crw, .dbf, .dcr, .der, .dng, .doc, .docm, .docx, .dwg, .dxf, .dxg, .eps, .erf, .in\r\nWhen Erebus encrypts a file, it will encrypt the extension using ROT-23. For example, a file called test.jpg would be encrypted and renamed as test.msj.\r\nEncrypted Files\r\nDuring this process, Erebus will also clear the Windows Volume Shadow Copies so that they cannot be used to recover files. The command executed to clear the shadow copies is:\r\ncmd.exe /C vssadmin delete shadows /all /quiet \u0026\u0026 exit\r\nWhen it has finished encrypting the computer, it will display the ransom note located on the Desktop called README.HTML. This ransom note will contain a unique ID that can be used to log in to the payment site, a list of encrypted files, and a button that takes you to the TOR payment site.\r\nErebus Ransomware Ransom Note\r\nErebus will also display a message box on the Windows desktop alerting the victim that their files are encrypted.\r\nMessage Box Alert\r\nWhen a victim clicks on the Recover my files button, they will be brought to Erebus' TOR payment site where they can get payment instructions. At this time the ransom amount is set to .085 bitcoins, which is approximately $90 USD.\r\nErebus Ransomware Payment Site\r\nUnfortunately, at this time there is no way to decrypt files encrypted by Erebus for free. For those who wish to discuss this ransomware or receive support, you can use our dedicated help topic: Erebus Ransomware Support \u0026 Help Topic.\r\nAssociated Erebus Ransomware Files:\r\n%UserProfile%\\AppData\\Local\\Temp\\tor\\\r\n%UserProfile%\\AppData\\Local\\Temp\\tor\\Data\\\r\n%UserProfile%\\AppData\\Local\\Temp\\tor\\Data\\Tor\\\r\n%UserProfile%\\AppData\\Local\\Temp\\tor\\Data\\Tor\\geoip\r\n%UserProfile%\\AppData\\Local\\Temp\\tor\\Data\\Tor\\geoip6\r\n%UserProfile%\\AppData\\Local\\Temp\\tor\\Tor\\\r\n%UserProfile%\\AppData\\Local\\Temp\\tor\\Tor\\libeay32.dll\r\n%UserProfile%\\AppData\\Local\\Temp\\tor\\Tor\\libevent-2-0-5.dll\r\n%UserProfile%\\AppData\\Local\\Temp\\tor\\Tor\\libevent_core-2-0-5.dll\r\n%UserProfile%\\AppData\\Local\\Temp\\tor\\Tor\\libevent_extra-2-0-5.dll\r\n%UserProfile%\\AppData\\Local\\Temp\\tor\\Tor\\libgcc_s_sjlj-1.dll\r\n%UserProfile%\\AppData\\Local\\Temp\\tor\\Tor\\libssp-0.dll\r\n%UserProfile%\\AppData\\Local\\Temp\\tor\\Tor\\ssleay32.dll\r\n%UserProfile%\\AppData\\Local\\Temp\\tor\\Tor\\tor-gencert.exe\r\n%UserProfile%\\AppData\\Local\\Temp\\tor\\Tor\\tor.exe\r\n%UserProfile%\\AppData\\Local\\Temp\\tor\\Tor\\zlib1.dll\r\n%UserProfile%\\AppData\\Local\\Temp\\tor.zip\r\n%UserProfile%\\AppData\\Roaming\\tor\\\r\n%UserProfile%\\AppData\\Roaming\\tor\\cached-certs\r\n%UserProfile%\\AppData\\Roaming\\tor\\cached-microdesc-consensus\r\n%UserProfile%\\AppData\\Roaming\\tor\\cached-microdescs.new\r\n%UserProfile%\\AppData\\Roaming\\tor\\lock\r\n%UserProfile%\\AppData\\Roaming\\tor\\state\r\n%UserProfile%\\Desktop\\test\\xor-test.pdf\r\n%UserProfile%\\Desktop\\README.html\r\n%UserProfile%\\Documents\\README.html\r\n%UserProfile%\\[random].exe\r\nRegistry entries associated with the Erebus Ransomware\r\nHKEY_CLASSES_ROOT\\.msc\r\nHKCU\\Software\\Classes\\mscfile\r\nHKCU\\Software\\Classes\\mscfile\\shell\r\nHKCU\\Software\\Classes\\mscfile\\shell\\open\r\nHKCU\\Software\\Classes\\mscfile\\shell\\open\\command\r\nHKCU\\Software\\Classes\\mscfile\\shell\\open\\command\\ %UserProfile%\\[random].exe\r\nNetwork Communication:\r\nhttp://erebus5743lnq6db.onion/\r\nHashes:\r\nSHA256: ed3a685ca65de70b79faf95bbd94c343e73a150e83184f67e0bdb35b11d05791\r\nMessage Box Alert Text:\r\nFiles crypted!\r\nEvery important file on this computer was crypted. Please look on your documents or desktop folder for a file called READM\r\nRansom Note Text:\r\nData crypted\r\nEvery important file (documents,photos,videos etc) on this computer has been encrypted using an unique key for this comput\r\nIt is impossible to recover your files without this key. You can try to open them they won't work and will stay that way.\r\nThat is, unless you buy a decryption key and decrypt your files.\r\nClick 'recover my files' below to go to the website allowing you to buy the key.\r\nFrom now on you have 96 hours to recover the key after this time it will be deleted and your files will stay unusable fore\r\nYour id is : '[id]' you can find this page on your desktop and document folder Use it to\r\nif the button below doesn't work you need to download a web browser called 'tor browser'\r\ndownload by clicking here then install the browser, it's like chrome, firefox or internet explorer except it allows you to\r\nonce it's launched browse to http://erebus5743lnq6db.onion\r\nSource: https://www.bleepingcomputer.com/news/security/erebus-ransomware-utilizes-a-uac-bypass-and-request-a-90-ransom-payment/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/erebus-ransomware-utilizes-a-uac-bypass-and-request-a-90-ransom-payment/"
	],
	"report_names": [
		"erebus-ransomware-utilizes-a-uac-bypass-and-request-a-90-ransom-payment"
	],
	"threat_actors": [],
	"ts_created_at": 1775433976,
	"ts_updated_at": 1775826758,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8e148f4c2acd1f7ae933a9eaa15612aa46a2ab98.pdf",
		"text": "https://archive.orkl.eu/8e148f4c2acd1f7ae933a9eaa15612aa46a2ab98.txt",
		"img": "https://archive.orkl.eu/8e148f4c2acd1f7ae933a9eaa15612aa46a2ab98.jpg"
	}
}