Erif ransomware is a malicious cyber infection that genealogically belongs to the Djvu ransomware family

Erif ransomware is a file-encrypting virus that has started infecting home PC users[1] at the end of July 2020. Cybersecurity experts were quick to confirm the fact that the virus arises from the well-known Djvu ransomware family. It's the 242nd variant of this infamous cryptomalware, which exhibits more or less the same traits except the novel file extension appended to locked files, which is .erif.
The virus is being most actively distributed via spam email attachments and software license cracks. There's no way to understand that the attachment or software contains a malicious file because the latter is heavily obfuscated and cannot even be recognized by the AV tools. If the payload dropper is successfully launched, the ransomware scatters malicious .exe and .dll files, launches the PowerShell command to delete Volume Shadow Copies, and alters certain Windows Registry keys, and etc.
However, the mentioned changes are rather invisible. The main symptom of the Erif ransomware infection is inaccessible personal files. All pictures, documents, archives, etc. feature the same .erif file extension, which cannot be removed or changed. Apart from locked files, the victims can see the _readme.txt note on the desktop and non-system folders where they are urged to email ransomware owners via helpmanager@mail.ch or restoremanager@airmail.cc. It is clear that the victims are expected to pay $480 ransom in Bitcoins[2] within 72 hours. If later, the price for the decryption key gets doubled. Anyway, Novirus.uk[3] experts do not recommend paying for criminals. Instead, you should rely on alternative .erif decryption methods that we will explain below.
| Name | Erif |
| International classification | Ransomware, a.k.a file-encrypting virus |
| Family | STOP/Djvu ransomware |
| Specificities | Upon infection, the virus drops _readme.txt note for explicit information and locks personal files using the AES-256 encryption algorithm. Consequently, all non-system files get the .erif file marker |
| Contacts | Criminals expect victims to email them via helpmanager@mail.ch or restoremanager@airmail.cc |
| Distribution | Djvu ransomware variants are mainly disseminated via spam email attachments and software cracks. However, it may also be distributed via unprotected RDPs |
| Version | 242nd variant of Djvu |
| Decryption | The newest variants of Djvu cannot be decrypted for free. The only official decryption key is stored by the criminals, which cost $490 or $980 in Bitcoins. Nonetheless, victims are advised not to pay the redemption. Instead of that, remove Erif ransomware and take advantage of Data Recovery Pro, Previous Windows version, or similar alternatives |
| Removal | The only way to get rid of the ransomware is to scan the system with a professional anti-virus program |
| IMPORTANT: | Since ransomware directly harms the system, it's a must to scan the system with FortectIntego repair tool. Otherwise, corrupted Registry entries, altered system files, and other components can trigger abnormal system behavior |
Erif ransomware is an English-speaking users-targeting virus as its ransom note and other information about the attack is in English only. However, it doesn't mean that its dissemination is restricted to countries like the US, UK, Australia, and similar. Since this virus is particularly actively spread via software cracks that can be downloaded from Torrent and P2P networks, which are used by millions of people all across the world, any country can become a target.
This cyber threat affects Windows devices only. Erif virus is not adapted to macOS, Linux, or other OS versions. The most vulnerable Windows version is Windows 7, which no longer receives support. Therefore, existing vulnerabilities can be most easily exploited by criminals.
File-encrypting viruses focus on file encryption and victims' pushing into paying the redemption. Therefore, it's the main task is to alter as many personal files as possible by appending the .erif file marker as a suffix. However, informing the users in a proper manner is not of less importance. Therefore, the pest creates the _readme.txt note on multiple non-system folders, including Downloads, Temp, Documents, User, etc. The text note contains the following information:
ATTENTION!
Don’t worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-7YSRbcuaMa
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that’s price for you is $490.
Please note that you’ll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don’t get answer more than 6 hours.To get this software you need write on our e-mail:
helpmanager@mail.chReserve e-mail address to contact us:
restoremanager@airmail.ccYour personal ID:
This message is one-sided as the criminals employ a social engineering strategy to scare people into thinking that the only solution is ransom payment. However, as soon as the ransom note is found, we encourage victims to make .erif virus file copies and remove the virus from the system using a robust anti-virus program.
After that, optimize the system using FortectIntego repair tool to recover normal Windows performance and then try alternative data recovery methods. Please DO NOT fall for downloading free Djvu decryption software. During the research on how to decrypt Djvu variants like Kuus, Maas, Zida, Usam, and others, people end up on shady download sources that provide a free download for the mentioned decryptor. However, it's yet another trick used by hackers because the free decryptor is the payload of the Zorab ransomware.

Therefore, if you have been infected, do not fall for panic. The first move you have to do is to remove Erif ransomware virus completely. Since it may be rather aggressive and keep its persistence by blocking the security software. However, there's a workaround solution that Windows provides, i.e. Safe Mode, which automatically disables all necessary processes.
Can't open .erif files? Here's what to do next
Many users are confused, and some are even shocked after they encounter ransomware for the first time. Indeed, such experience might be devastating, as some of the most important files stored on the system are no longer accessible. The biggest misconception that inexperienced victims perceive is that they will be able to remove .erif file extension as soon as they perform a full system scan with anti-malware software.
However, it is important to understand that .erif files cannot be recovered with anti-virus software, as it is simply not designed for that. Security software is there to clean your system from the infection and ensure that your personal computer is no longer compromised. Recovering the encrypted data is an entirely separate procedure that one has to undertake when trying to regain access to .erif files.
Since .erif virus files belong to the Djvu malware family, attempts have been made to help victims to recover their files for free. However, keep in mind that the virus uses RSA encryption, so file recovery is possible in rare circumstances. Nonetheless, you should still try those methods and avoid paying criminals (although in some cases it might be the only option left for you).
Before you proceed with the following methods, you should first backup all the files, as they do not hold any malicious code and are safe to use. Next, you should scan the machine with anti-malware and only then attempt the following:
- Make use of the Emsisoft decryption tool, which will only work if your data was encrypted with an offline ID, and somebody else with the same infection paid the ransom, retrieved the key, and shared with Emsisoft.
- Utilize third-party recovery software. For these tools to work, malware needs to fail to delete Shadow Volume Copies, although some applications might be successful in helping you to recover at least some .erif files.
- Built-in Windows resources, such as Previous Versions Feature or System Restore, can sometimes be useful when trying to retrieve ransomware-locked files.
To proceed with these .erif virus files recovery options, please check the bottom section of this article.

Malicious cyber infections take advantage of poor system protection and users' inexperience
It's not possible to recognize malicious files injected into emails, software, fake download, and similar medium. This can be done only by professional anti-virus programs. So the main precautionary measure that you can take is the strongest possible security system. Full-featured security package and regularly updated software should ensure the highest, still not hundred-percent, protection from malicious infections.
Do not forget that the main ransomware dissemination technique is spam. Injected with malicious links and attachments, spam emails can be distributed en masses or targeting specific users. Anyway, it's possible to discern the danger of the email by careful analysis of its sender, main body text, grammar, type, and similar traits. Besides, you can always use the email scan feature that most of the professional AV tools offer.
Another measure that would help to stay away from malicious cyber infections is related to pirated software. Hackers frequently take advantage of cracks and keygens that millions of people keep downloading to avoid paying for the license of software like Windows, Adobe Acrobat, Photoshop, and many others. Unfortunately, there's no way to check the pirated software or its files. Thus, we strongly recommend you to stop using illegal software not only because you infringe the copyright law, but because you risk being infected by a malicious cyber infection.

Delete Erif ransomware along with its malicious files to recover system's performance
Erif virus is activated as soon as the potential victim accidentally enables the payload dropper. As we have already explained, the latter can be disguised within spam email attachments, pirated software, or injected manually by targeted brute-force attacks. Anyway, the damage is as big – personal files locked, the system compromised.
One of the most important things is not to fall for panic. The first thing to perform – a full Erif virus removal using robust anti-virus tools, such as SpyHunterCombo Cleaner or MalwarebytesMalwarebytes. Reboot the system into Safe Mode (the tutorial below) and launch the AV scanner. The scan process may take some time, so be patient and let the software do the trick.
Once the virus is quarantined and removed successfully, we recommend employing a reliable system repair tool and using it for fixing virus damage. It's a tool oriented to Windows optimization, recovery of damaged system files, registry check, and similar tasks. Once you remove Erif virus and recover the system, keep going with the file recovery methods.
Was this guide helpful?
Be the first to comment