The early strains of Erebus targeted Windows systems: a victim's files were encrypted and a ransom note advised the victim on how to make a payment. Erebus downloads the Tor executable to allow C2 communication with a hardcoded onion domain; the same Tor instance then lets the victim navigate to the payment page.
- The Erebus binary is delivered to the victim and executed, either through user interaction (social engineering) or via a remote code execution exploit vector.
- The Erebus binary downloads the Tor executable for C2 purposes and, after first bypassing User Account Control (UAC), encrypts the victim's files and applies a ROT cipher to their file extensions.
- Erebus drops a ransom note explaining the payment process to the victim.
The server-side ransomware becomes resident on the victim machine through exploitation of a vulnerability or another delivery vector.
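The extension renaming described above leaves affected files with unrecognisable extensions, which complicates triage. As an added example (not Alert Logic's code, and not taken from an Erebus sample), the Python helper below brute-forces the unknown ROT shift across a directory listing and maps renamed files back to their probable original types; the shift value and file names in the constructed sample, and the list of expected extensions, are assumptions, since the page does not state the shift Erebus uses.

```python
# Added example (not Alert Logic code): recover file extensions that a ransomware strain
# rotated with an unknown ROT shift. Shift value and sample names are constructed assumptions.
import string
from collections import Counter
from typing import Optional

# Extensions expected on a typical victim host (assumption; extend per environment).
KNOWN_EXTENSIONS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "jpg",
                    "png", "txt", "zip", "sql", "bak", "mdb", "csv", "psd"}

# Constructed sample: doc, xlsx, jpg, sql and txt rotated forward by 7 positions;
# README has no extension and must come back unchanged.
SAMPLE_FILES = ["report.kvj", "budget.esze", "photo.qwn",
                "backup.zxs", "notes.aea", "README"]

def rot(text: str, shift: int) -> str:
    """Shift ASCII letters by `shift` positions, wrapping at 26.
    Digits and punctuation pass through, so an extension like '7z' keeps its digit."""
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - 97 + shift) % 26 + 97))
        elif ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - 65 + shift) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)

def extension_of(filename: str) -> str:
    """Text after the final dot, or '' when the name has no extension."""
    return filename.rsplit(".", 1)[1] if "." in filename else ""

def infer_shift(filenames, known=KNOWN_EXTENSIONS) -> Optional[int]:
    """Try every non-zero shift and return the one that decodes the most extensions
    into known ones (majority vote); None if no shift decodes any extension."""
    names = list(filenames)
    votes = Counter()
    for shift in range(1, 26):
        for name in names:
            if rot(extension_of(name), shift).lower() in known:
                votes[shift] += 1
    return votes.most_common(1)[0][0] if votes else None

def restore_name(filename: str, shift: int) -> str:
    """Undo the rotation on the extension only; the base name is left alone."""
    if "." not in filename:
        return filename
    base, ext = filename.rsplit(".", 1)
    return f"{base}.{rot(ext, shift)}"
```

Run `infer_shift` over a file listing from the affected host first, then pass the returned shift to `restore_name` for each file; the majority vote keeps a few coincidental matches from selecting the wrong shift.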
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat, depending on the security service in place.
The Network-Based Intrusion Detection System (IDS) in Alert Logic Threat Manager™ has been updated with the new signatures for this exploit. If a signature is triggered, an incident is generated in the Alert Logic console.
Recommendations for Mitigation
Follow internal malware remediation processes.