10/06/17: Erebus (Windows) Ransomware | Security Bulletin

Threat Summary


The early strains of Erebus targeted Windows systems, whereby a victim’s files would be encrypted and a ransom note would advise the victim on making a payment. Erebus downloads the Tor executable to allow for C2 to a hardcoded onion domain. The Tor instance then allows users to navigate to the payment page.



  1. Erebus binary is delivered to the victim and executed, either via user-interaction (social engineering) or via remote code execution exploit vectors.
  2. Erebus binary downloads Tor executable for C2 purposes and encrypts victim files after first utilizing a user account control bypass, thereafter applying a ROT cipher to file extensions.
  3. Erebus drops a ransom note, explaining the payment process to victims.


Ransomware becomes resident on the victim machine through some vulnerability exploitation or other vector.

Alert Logic Coverage

Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.

The Network-Based Intrusion Detection System (IDS) has been updated with the new signatures for this exploit when detected via Alert Logic Threat Manager™. If this signature is detected, an incident is generated in the Alert Logic console.

Recommendations for Mitigation

Follow internal malware remediation processes.

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request


Please sign in to leave a comment.