A new ransomware family employs a technique that bypasses User Account Control (UAC) to elevate its privileges, researchers said.
The ransomware, named Erebus, uses a UAC bypass that abuses the Windows Event Viewer (eventvwr.exe) to gain elevated privileges on the compromised system without showing the user a UAC prompt.
The ransomware copies itself to a randomly named file in the same folder and then modifies the Windows registry to hijack the handler for the .msc file type so that it launches the randomly named Erebus file instead, BleepingComputer's Lawrence Abrams said in a post. In the published form of this technique the hijacked entry is the per-user mscfile class under HKCU\Software\Classes (the value at mscfile\shell\open\command), which any standard user can write without administrative rights; that is what makes the setup cheap.
Erebus then launches eventvwr.exe (Event Viewer). Because eventvwr.exe is on Windows' auto-elevate list, it starts at high integrity with no UAC prompt when the logged-on user is a member of the local Administrators group. Event Viewer opens eventvwr.msc, which would normally be handed to mmc.exe; since the .msc handler now points at the Erebus copy, that executable is launched instead and inherits Event Viewer's elevated privileges, which is how the malware sidesteps UAC. The bypass only helps accounts that are already administrators: a standard user account gains nothing from it, because there is no elevated token to inherit.
When executed, the malware connects to two different domains to determine the victim's IP address and the country they are in. It then downloads a Tor client and uses it to connect to its command and control (C&C) server.
The ransomware then scans the victim's computer for certain file types and encrypts them with AES. At the time of writing the malware targets 60 file types, including images and documents. Erebus also rewrites each encrypted file's extension using ROT-23, Abrams said; that is a fixed Caesar shift, not encryption, so the original file types can be read straight back from the new extensions.
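As an added illustration (this is not code from the article or from the researchers), the following reproduces the extension scrambling on constructed file names and shows how trivially it is undone with the complementary shift. How Erebus treats digits or other non-letter characters in an extension is not stated in the article, so leaving them unchanged is an assumption of this example.

```python
import string


def caesar(text: str, shift: int) -> str:
    """Shift ASCII letters by `shift` positions (mod 26), preserving case.
    Digits, dots and other characters are left untouched (assumption)."""
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        elif ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def rot23_extension(filename: str) -> str:
    """Mimic the scrambling described above: ROT-23 on the extension only."""
    stem, dot, ext = filename.rpartition(".")
    if not dot:          # no extension, nothing to scramble
        return filename
    return f"{stem}.{caesar(ext, 23)}"


def recover_extension(scrambled: str) -> str:
    """Undo ROT-23 by applying ROT-3 (23 + 3 = 26). There is no key, so an
    analyst can map scrambled names back to the original file types."""
    stem, dot, ext = scrambled.rpartition(".")
    if not dot:
        return scrambled
    return f"{stem}.{caesar(ext, 3)}"


if __name__ == "__main__":
    # Constructed sample names, not taken from a real infection.
    for name in ("report.docx", "photo.JPG", "archive.7z", "README"):
        scrambled = rot23_extension(name)
        print(f"{name:12} -> {scrambled:12} -> {recover_extension(scrambled)}")
```

Running the table over the 60 targeted extensions gives a responder a lookup from every scrambled extension back to the original type, which is useful when explaining to a victim which data was hit.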
During encryption the ransomware also deletes the Windows Volume Shadow Copies, so that the victim cannot restore files from them. Once encryption finishes, the malware drops a ransom note named README.HTML on the Desktop and opens it; it also shows a message box telling the victim that their files have been encrypted.
The ransom note contains the victim's unique ID, a list of the encrypted files, and a button that leads to the Tor payment site, where the victim receives payment instructions. The requested ransom is 0.085 Bitcoin, roughly $90 at the time.
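The following added example (not code from the article or from BleepingComputer's analysis) shows what a detection for the chain described above looks like when run over a handful of constructed Sysmon-style events: a registry write to the per-user mscfile handler, eventvwr.exe spawning a child other than mmc.exe, and a shadow-copy deletion. The key=value log layout, the user name, paths, SID and the random file name kq93jx.exe are all made up for the example; the article does not give the command Erebus uses to clear shadow copies, so the vssadmin/wmic check is an assumption about how that step usually looks.

```python
import re
from typing import Dict, List, Tuple

# Constructed Sysmon-style events in a simplified key=value layout (made up for
# this example: not real telemetry and not Sysmon's XML). EventID 13 is a
# registry value set, EventID 1 a process creation. Paths, SID and the
# random Erebus file name kq93jx.exe are invented.
SAMPLE_EVENTS = [
    "EventID=13 Image=C:\\Users\\bob\\Downloads\\invoice.exe "
    "TargetObject=HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Classes"
    "\\mscfile\\shell\\open\\command\\(Default) "
    "Details=C:\\Users\\bob\\Downloads\\kq93jx.exe",
    "EventID=1 Image=C:\\Windows\\System32\\eventvwr.exe "
    "ParentImage=C:\\Users\\bob\\Downloads\\invoice.exe "
    "IntegrityLevel=High CommandLine=eventvwr.exe",
    "EventID=1 Image=C:\\Users\\bob\\Downloads\\kq93jx.exe "
    "ParentImage=C:\\Windows\\System32\\eventvwr.exe IntegrityLevel=High "
    "CommandLine=\"C:\\Users\\bob\\Downloads\\kq93jx.exe\" "
    "C:\\Windows\\system32\\eventvwr.msc",
    "EventID=1 Image=C:\\Windows\\System32\\vssadmin.exe "
    "ParentImage=C:\\Users\\bob\\Downloads\\kq93jx.exe IntegrityLevel=High "
    "CommandLine=vssadmin.exe Delete Shadows /All /Quiet",
    # Benign control: a normal Event Viewer start hands eventvwr.msc to mmc.exe.
    "EventID=1 Image=C:\\Windows\\System32\\mmc.exe "
    "ParentImage=C:\\Windows\\System32\\eventvwr.exe IntegrityLevel=High "
    "CommandLine=mmc.exe eventvwr.msc",
]

# One field is "key=value"; a value runs until the next " key=" or end of line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

# Per-user (HKU\<SID>) mscfile handler. Writing it needs no admin rights, yet
# the auto-elevated eventvwr.exe consults it before the machine-wide entry.
MSCFILE_HANDLER = re.compile(
    r"^HKU\\[^\\]+\\Software\\Classes\\mscfile\\shell\\open\\command", re.I)


def parse_event(line: str) -> Dict[str, str]:
    """Turn one constructed key=value event line into a dict."""
    return dict(FIELD_RE.findall(line))


def basename(path: str) -> str:
    """Last path component, lower-cased, with any surrounding quotes removed."""
    return path.rsplit("\\", 1)[-1].strip('"').lower()


def detect(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (rule_name, evidence) for every event that trips a rule."""
    alerts: List[Tuple[str, str]] = []
    for line in lines:
        ev = parse_event(line)
        eid = ev.get("EventID")
        if eid == "13" and MSCFILE_HANDLER.match(ev.get("TargetObject", "")):
            alerts.append(("mscfile_handler_hijack",
                           f"{ev.get('Image')} set handler to {ev.get('Details')}"))
        elif eid == "1":
            child = basename(ev.get("Image", ""))
            parent = basename(ev.get("ParentImage", ""))
            cmd = ev.get("CommandLine", "")
            # Event Viewer's only legitimate child is mmc.exe loading eventvwr.msc.
            if parent == "eventvwr.exe" and child != "mmc.exe":
                alerts.append(("eventvwr_spawned_non_mmc", f"{child}: {cmd}"))
            # Shadow-copy deletion (assumed vssadmin/wmic form; the article
            # does not name the command Erebus uses).
            low = cmd.lower()
            if child in ("vssadmin.exe", "wmic.exe") and "shadow" in low and "delete" in low:
                alerts.append(("shadow_copy_deletion", cmd))
    return alerts


if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {evidence}")
```

The registry rule fires before any elevated code runs, which makes it the cheapest point to block the chain; the parent/child rule is the generic version (any auto-elevated binary spawning an unexpected child) and should be tuned against the same check for other auto-elevate hosts, not just eventvwr.exe. Real Sysmon records the HKCU hive as HKU\<SID>, which is why the pattern anchors on HKU rather than HKCU.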