
Ransom:Linux/Erebus.A


First posted on 27 June 2017.
Source: Microsoft

Aliases:

There are no other names known for Ransom:Linux/Erebus.A.

Explanation:

Installation

This threat runs on Linux systems and drops the following files, which carry the instructions for decrypting the encrypted files. Both files are dropped in the same directory as the encrypted files.

_DECRYPT_FILE.txt
_DECRYPT_FILE.html

Payload

Encrypts files and asks for ransom

This threat searches for files with the following file name extensions and encrypts them (the encryption uses RSA):

aac cdx dwg kdc nsd pmm save vdi ab4 ce1 dxb key nsf pmo say vhd abd ce2 dxf kpdx nsg pmr sd0 vhdx accdb cer dxg kwm nsh pnc sda vmdk accde cfg edb laccdb nvram pnd sdb vmsd accdr cfn eml lck nwb png sdf vmx accdt cgm eps ldf nx2 pnx sh vmxf ach cib erbsql lit nxl pot sldm vob acr class erf lock nyf potm sldx wab act cls exf log oab potx sql wad adb cmt fdb lua obj ppam sqlite wallet adp config ffd lz odb pps sqlite3 war ads contact fff lz4 odc ppsm sqlitedb wav agdl cpi fh lzma odf ppsm sqlite-shm wb2 ai cpp fhd m odg ppsx sqlite-wal wma aiff cr2 fla m2ts odm ppt sr2 wmf ait craw flac m3u odp pptm srb wmv al crt flb m4p ods pptm srf wpd aoi crw flf m4v odt pptx srs wps apj cs flv mab ogg prf srt x11 arw csh flvv mapimail oil ps srw x3f ascx csl fpx max omg psafe3 st4 xis asf css fxg mbx orf psd st5 xla asm csv gif md ost pspimage st6 xlam asp dac gray mdb otg pst st7 xlk aspx dat grey mdc oth ptx st8 xlm asx db groups mdf otp pwm stc xlr atb db_journal gry mef ots py std xls avi db3 gz mfw ott qba sti xlsb awg dbf h mid p12 qbb stm xlsm back dbx hbk mkv p7b qbm stw xlsx backup dc2 hdd mlb p7c qbr stx xlt backupdb dcr hpp mmw pab qbw svg xltm bak dcs html mny pages qbx swf xltx bank ddd ibank moneywell pas qby sxc xlw bay ddoc ibd mos pat qcow sxd xml bdb ddrw ibz mov pbf qcow2 sxg ycbcra bgt dds idx mp3 pcd qed sxi yuv bik def iif mp4 pct qtb sxm zip bin der iiq mpeg pdb r3d sxw bkp des incpas mpg pdd raf tar blend design indd mrw pdf rar taz bmp dgc info msf pef rat tbb bpw dit info_ msg pem raw tbn bz djvu ini myd pfx rdb tbz bz2 dng jar nd php rm tex

Then, the ransomware adds the extension .ecrypt to the encrypted files.
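As an added example for defenders (not part of the Microsoft write-up), the Python script below triages a directory tree for the artifacts described above: files carrying the .ecrypt suffix, the _DECRYPT_FILE.txt and _DECRYPT_FILE.html notes, the original extension of each encrypted file, and the directories affected. The function names, the extension subset and the sample tree are assumptions of this example; the sample tree is constructed data, not a real infection.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Artifacts named in the Microsoft description of Ransom:Linux/Erebus.A.
ENCRYPTED_SUFFIX = ".ecrypt"
RANSOM_NOTES = {"_DECRYPT_FILE.txt", "_DECRYPT_FILE.html"}
# Small subset of the targeted extensions from the description (the full list is far longer).
TARGETED_EXTENSIONS = {"sql", "sqlite", "sqlite3", "php", "html", "png", "pdf", "xlsx", "mdb", "tar", "gz"}


def triage_erebus(root):
    """Walk `root` and summarise Erebus.A artifacts: encrypted files, ransom notes,
    original extensions of encrypted files, and affected directories (relative to `root`)."""
    encrypted, notes, by_ext, unexpected = [], [], Counter(), []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name in RANSOM_NOTES:
                notes.append(path)
            elif name.endswith(ENCRYPTED_SUFFIX):
                encrypted.append(path)
                original = name[: -len(ENCRYPTED_SUFFIX)]  # "site.sql.ecrypt" -> "site.sql"
                ext = original.rsplit(".", 1)[-1].lower() if "." in original else ""
                by_ext[ext] += 1
                if ext not in TARGETED_EXTENSIONS:  # not in the known list: worth a second look
                    unexpected.append(path)
    affected = sorted({os.path.relpath(os.path.dirname(p), root) for p in encrypted + notes})
    return {"encrypted": encrypted, "notes": notes, "by_original_ext": by_ext,
            "unexpected": unexpected, "affected_dirs": affected}


def build_sample_tree(base):
    """Constructed sample layout (not a real infection): two hit directories, one clean."""
    layout = {"www/index.php.ecrypt": b"", "www/_DECRYPT_FILE.txt": b"Warning!!",
              "www/_DECRYPT_FILE.html": b"", "db/site.sql.ecrypt": b"",
              "db/backup.tar.gz.ecrypt": b"", "home/notes.txt": b"untouched"}
    for rel, data in layout.items():
        p = Path(base, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def run_demo():
    """Build the sample tree in a temporary directory and triage it; returns the summary."""
    base = tempfile.mkdtemp(prefix="erebus_demo_")
    build_sample_tree(base)
    return triage_erebus(base)


if __name__ == "__main__":
    s = run_demo()
    print(f"{len(s['encrypted'])} encrypted, {len(s['notes'])} notes in {s['affected_dirs']}")
```

On a live system, point `triage_erebus` at the web root or data directories; the `unexpected` list separates encrypted files whose original extension is outside the documented set.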

Here is a sample of the message in the ransom note:

Warning!! Your documents, photos, databases, important files have been encrypted!
If you modify any file, it may cause make you cannot decrypt!!!
To decrypt your files please visit the following website:
If the above address will be unable to open or very slow, follow these steps:
1. Download and install the tor browser.
2. After successful installation, run the browser, waiting to initialize.
3. In the address bar enter:
Machine ID:
Offline ID:

Connects to a remote host

We have seen this ransomware connect to a remote host for further instructions from the malicious perpetrators, at a hard-coded IP address and at a set of Tor payment sites.


Analysis by:

Francis Tan Seng

Last update 27 June 2017
