Erebus 2017 Ransomware Removal Guide

Do you know what Erebus 2017 Ransomware is?

It is very risky to leave any security backdoors open because there are thousands of cyber criminals who are ready to exploit them. Erebus 2017 Ransomware is one of the newest creations of malware developers, and they are using it to extort money from its victims. Just like Digisom Ransomware, Polski Ransomware, and thousands of similar infections, this new infection encrypts your files to make it impossible for you to read them. If the threat slithers in and encrypts your files successfully, only its creators have the power to decrypt them. Unfortunately, whether or not they would do that is unknown. All in all, if your files are not backed up, and you want to restore them as soon as possible, following the demands that are presented to you might be your only option. Having said that, we do not advise paying the ransom fee that cyber criminals urge you to pay. The most important thing is that you delete Erebus 2017 Ransomware.

Do you know how Erebus 2017 Ransomware works? Once it slithers in, it tries to bypass User Account Control (UAC) to ensure that it can run using the privileges of authorized software. Unfortunately, it can even delete Shadow Volume copies using the “cmd.exe /C vssadmin delete shadows /all /quiet && exit” command without your authorization. If these copies are removed, you cannot restore your files even if a system restore point was set up in the past. When it comes to the encryption of your personal files – which may include photos, documents, archives, and other important files – the infection employs the ROT-23 method. Using it, Erebus 2017 Ransomware replaces original files’ extensions with new ones, and that makes your files unreadable. A decryption key might be able to resolve the issue, but we cannot guarantee that, which is one of the reasons we simply cannot suggest paying the ransom. Also, we do not know if cyber criminals would provide you with it even if you fulfilled all of their demands.

The demands of Erebus 2017 Ransomware creators are presented in README.html, a file that is most likely to be found on the Desktop. This file is likely to be copied to every folder that has encrypted files, but its name might be unique in every case. The copies of this ransom note should be named “README1.html,” “README2.html,” and so on. According to the message within these files, you have to download the Tor Browser, visit http://erebus5743lnq6db.onion, and follow the payment instructions. The sample we have tested demanded a payment of 0.11 BTC (~111 USD or 104 EUR), but it is possible that the sum depends on the number of files that Erebus 2017 Ransomware encrypts. Even if you consider the ransom payment small, you should consider whether paying it is the right move. Maybe your files are backed up, and you do not need to interact with cyber criminals at all? Hopefully, that is the case.

Some users might be able to remove Erebus 2017 Ransomware manually, but this task is risky. The name of the main launcher file is unique in every case, and its location can differ as well. Furthermore, the infection may or may not create new files and registry keys. As you can see, the manual removal of this ransomware is pretty complex. If you are not ready to get rid of this malware yourself, do not worry because anti-malware software can save you. In fact, everyone should consider installing this software because it is also invaluable for protecting operating systems once they have been cleaned. So, keep this software installed even after you delete Erebus 2017 Ransomware, and you will not need to fear any threats again.

How to delete Erebus 2017 Ransomware

  1. Delete the ransom note file called README.html (found on the Desktop).
  2. Delete the main .exe file (could be located in Temp, Desktop, or Downloads folders).
  3. Simultaneously tap Win+E to launch Explorer.
  4. Enter %UserProfile% into the bar at the top.
  5. Look for a ransom-related file [unique name].exe. If you can identify it, delete it.
  6. Simultaneously tap Win+R to launch RUN.
  7. Type regedit.exe into the dialog box and click OK to launch Registry Editor.
  8. Move to HKCU\Software\Classes\mscfile\shell\open\command.
  9. Delete the value that represents the [unique name].exe file in the %UserProfile% directory (note that if the file does not exist, the value will not exist either).
  10. Perform a full system scan to check if leftovers – as well as other infections – exist and await removal.
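
The checks in steps 1 to 9 can be gathered in one read-only pass before anything is deleted. The PowerShell script below is an added example, not part of the original guide: it reports the per-user mscfile command value, lists the .exe files sitting in the folders named above together with their signature status, and finds README*.html notes under the user profile. The folder list and the note-name pattern are assumptions taken from the steps and the description in this article.

```powershell
# Read-only audit for the manual steps above: nothing is deleted or changed.
# Run it in a PowerShell session of the affected user (HKCU and %UserProfile% are per-user).

# Steps 8-9: per-user open command for .msc files. Windows keeps the stock handler
# under HKLM, so a value here is a per-user override that needs an explanation.
$keyPath = 'HKCU:\Software\Classes\mscfile\shell\open\command'
$handler = $null
if (Test-Path -LiteralPath $keyPath) {
    $handler = (Get-Item -LiteralPath $keyPath).GetValue('')   # '' reads the (Default) value
    Write-Output "[!] mscfile open command for this user: $handler"
} else {
    Write-Output "[ok] $keyPath is not present"
}

# Steps 2, 4, 5: executables sitting directly in the folders the guide names.
# The launcher name is unique per infection, so list candidates instead of guessing a name.
$folders = @(
    $env:USERPROFILE,
    $env:TEMP,
    (Join-Path $env:USERPROFILE 'Desktop'),
    (Join-Path $env:USERPROFILE 'Downloads')
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

Get-ChildItem -LiteralPath $folders -Filter '*.exe' -File -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending |
    ForEach-Object {
        # An unsigned file that the registry value points at is the strongest candidate.
        $sig = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
        $hit = $handler -and
               ($handler.IndexOf($_.FullName, [System.StringComparison]::OrdinalIgnoreCase) -ge 0)
        [pscustomobject]@{
            Path             = $_.FullName
            Modified         = $_.LastWriteTime
            Signature        = $sig
            InMscfileCommand = [bool]$hit
        }
    } | Format-Table -AutoSize | Out-String -Width 220

# Step 1: ransom notes (README.html, README1.html, README2.html, ...) in the profile.
Get-ChildItem -LiteralPath $env:USERPROFILE -Recurse -File -Filter 'README*.html' `
        -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^README\d*\.html$' } |
    Select-Object FullName, LastWriteTime |
    Format-Table -AutoSize | Out-String -Width 220
```

A row with `InMscfileCommand` set to `True` ties a file on disk to the registry value from step 9; the other rows are only candidates to review, since legitimate installers also live in Downloads and Temp.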

In non-techie terms:

It is a nightmare when Erebus 2017 Ransomware enters your operating system and encrypts your personal files. If you do not have them backed up on an external drive or online storage, you might be unable to recover them. Although cyber crooks behind the threat offer a decryption key that you can acquire for a certain fee (the ransom), no one knows if this key will be presented to you. Overall, you need to think carefully about what to do. Right after that, you need to remove Erebus 2017 Ransomware, and you should not postpone this task for much longer. Considering that other threats might be active, and that your PC is vulnerable, we advise installing anti-malware software as it can erase malware and protect your operating system at the same time. If you want to, you can also refer to the manual guide above.