ERIS ransomware (Free Instructions) - Decryption Steps Included
ERIS virus Removal Guide
What is ERIS ransomware?
ERIS ransomware is the virus that encrypts data while using Salsa20 and RSA algorithms and requires ransom from victims
ERIS ransomware virus is a threat that demands ransom for locked files on the PC.
ERIS ransomware is cryptovirus that focuses on locking files on the infected machine, so there is a reason for ransom demands. Unfortunately, this malware is created by cybercriminals and the decryption, in most cases, is only a lie used to lure people. You may be especially concerned about your encoded data, but paying the $825 for these people can lead to even more severe damage to your device or data and permanent loss of money.[1]
What makes this cryptovirus more dangerous is the distribution technique because many sources reported that this particular ransomware is recently distributed via RIG exploit kit and other malvertising campaigns.[2] Victims have no idea when and how the ransomware got on the system because the installation happens without their knowledge by visiting a malicious website and triggering the payload dropper.
Name | ERIS ransomware |
---|---|
Type | Cryptovirus |
File marker | .ERIS |
Distribution | Spam email attachments, infected files, malvertising campaigns, exploit kits |
Ransom amount | $825 in Bitcoin |
Ransom note | @ READ ME TO RECOVER FILES @ .txt |
Malicious files | Server.exe; dev_man.exe; eris.was; l.bat ; 00000000.pky; 00000000.eky |
Contact emails | limaooo@cock.li; Limaooo@cock.li |
Elimination | Get a reliable anti-malware tool and remove ERIS ransomware from the machine |
ERIS ransomware is the virus created to demand payments from people, so the initial process of file encryption happens immediately after the infiltration. Criminals also perform other alterations and make much more changes to ensure the persistence of the malware later on.
This is the virus that gets the name from the file extensions .ERIS that gets placed on every file encrypted by the threat. Once you notice this modification and the ransom note appears on the desktop, ERIS ransomware virus has already infected your device and altered more parts of the whole system than those documents, photos or video files which become useless and locked.
ERIS ransomware relies on Salsa20 and RSA encryption algorithms and encodes users' photos, documents, images, video files, and even archives that can be found on the machine. When all those personal files get locked, the virus delivers a ransom message in the file @ READ ME TO RECOVER FILES @ .txt.
When ERIS ransomware marks files with .ERIS appendix and demands victims to pay up, the only solution seems to be paying the ransom. It was also reported that the virus adds the “_FLAG_ENCRYPTED_” file marker at the end of every file affected. However, these people cannot be trusted since they have the only goal of profiting from people.
Initially, this virus was spotted back in May 2019, but the start of July showed that this ransomware is more dangerous than everyone may be thinking when the newest campaign started to use RIG exploit kit to deliver the virus. Stay away from contacting these people and clean the system as soon as possible.
ERIS ransomware is the cryptovirus that asks for $825 in Bitcoin for the alleged decryption.
As mentioned before, ERIS ransomware does more than just encrypting files, all the system changes include installing programs, adding malicious files, and alerting crucial settings on the affected computer. For example, the virus adds new or alters existing Windows Registry Keys to run the processes continuously after each system reboot.
ERIS ransomware can also launch other processes in the background, or even infect the machine with additional malware, drop secondary payloads. Your device may get affected and even damaged if you let this threat run on the system for a while.
Make sure to remove ERIS ransomware as soon as possible, react to the suspicious activity immediately, and get the anti-malware tool that can detect such threat and remove all the associated files or programs. Running a full scan on the machine indicates all the virus damage and malicious files that can, later on, get terminated using the same antivirus program.
Make sure to focus on ERIS ransomware removal first, then worry about the file recovery. There is no possibility to restore encoded data for free because the official decryption tool hasn't been released. However, paying is also not the best solution. Install anti-malware, clean the machine fully with FortectIntego and then rely on data backups for file recovery.
ERIS ransomware is the product from cybercriminals who offer to decrypt your files for $825. Never trust people behind such malware or scams.
Ransomware uses system vulnerabilities and infected files to get on the system
The primary method of the ransomware payload dropping are spam email attachments and other malware, but more and more criminals rely on exploit kits and not so common delivery techniques. Since the first campaigns, this threat was delivered via legitimate-looking emails and files filled with macros, but later on, researcers[3] spotted new methods.
The later attacks were analyzed, and those investigations revealed that the RIG exploit kit was used to drop ransomware during malvertising campaigns. The pop-up redirect shows up to expose users to the exploit kit and web requests triggered after that automatically downloads and installs the virus on the machine. It happens in the background, and the victim only notices the encryption and other system modifications.
Since this exploit kit uses vulnerabilities and specific weaknesses on the machines, you should patch any flaws as soon as possible to avoid cush infiltrations or even more dangerous malware campaigns. Also, paying attention to emails you receive can help you prevent ransomware infiltrations. Make sure to delete suspicious content from the email box before opening and never download questionable files.
Get rid of the ERIS ransomware cryptovirus and make sure to clean the system completely
When it comes to threats like ransomware and other more damaging cyber threats, it is essential to clean the machine entirely. As we mentioned the primary payload of the cryptovirus comes as a malicious file and gets dropped without your knowledge, To remove ERIS ransomware entirely, you need to eliminate those associated files and other possibly installed programs.
You cannot do that manually because data gets hidden in various system folders and other places on the device. Go for automatic ERIS ransomware removal and use FortectIntego, SpyHunter 5Combo Cleaner, or Malwarebytes for the thorough system scanning and malware damage elimination process.
There is no way to decrypt ERIS ransomware virus affected files for free, but paying not an option too. So rely on virus termination and then try to recover data with proper tools or use backed-up data from external devices or cloud services. We have a few methods and tools listed below.
Getting rid of ERIS virus. Follow these steps
Manual removal using Safe Mode
ERIS ransomware elimination can be easier if you reboot the machine in Safe Mode with Networking
Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.
Step 1. Access Safe Mode with Networking
Manual malware removal should be best performed in the Safe Mode environment.
Windows 7 / Vista / XP
- Click Start > Shutdown > Restart > OK.
- When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
- Select Safe Mode with Networking from the list.
Windows 10 / Windows 8
- Right-click on Start button and select Settings.
- Scroll down to pick Update & Security.
- On the left side of the window, pick Recovery.
- Now scroll down to find Advanced Startup section.
- Click Restart now.
- Select Troubleshoot.
- Go to Advanced options.
- Select Startup Settings.
- Press Restart.
- Now press 5 or click 5) Enable Safe Mode with Networking.
Step 2. Shut down suspicious processes
Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Click on More details.
- Scroll down to Background processes section, and look for anything suspicious.
- Right-click and select Open file location.
- Go back to the process, right-click and pick End Task.
- Delete the contents of the malicious folder.
Step 3. Check program Startup
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Go to Startup tab.
- Right-click on the suspicious program and pick Disable.
Step 4. Delete virus files
Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:
- Type in Disk Cleanup in Windows search and press Enter.
- Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
- Scroll through the Files to delete list and select the following:
Temporary Internet Files
Downloads
Recycle Bin
Temporary files - Pick Clean up system files.
- You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):
%AppData%
%LocalAppData%
%ProgramData%
%WinDir%
After you are finished, reboot the PC in normal mode.
Remove ERIS using System Restore
Try System Restore feature as an alternative virus termination method and remove ERIS ransomware by restoring the machine in a previous state
-
Step 1: Reboot your computer to Safe Mode with Command Prompt
Windows 7 / Vista / XP- Click Start → Shutdown → Restart → OK.
- When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
- Select Command Prompt from the list
Windows 10 / Windows 8- Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
- Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
- Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window.
-
Step 2: Restore your system files and settings
- Once the Command Prompt window shows up, enter cd restore and click Enter.
- Now type rstrui.exe and press Enter again..
- When a new window shows up, click Next and select your restore point that is prior the infiltration of ERIS. After doing that, click Next.
- Now click Yes to start system restore.
Bonus: Recover your data
Guide which is presented above is supposed to help you remove ERIS from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.If your files are encrypted by ERIS, you can use several methods to restore them:
Data Recovery Pro is the alternate method for file recovery when the user has no file backups
You can rely on Data Recovery Pro when you accidentally deleted files yourself or malware like ERIS ransomware encrypted them
- Download Data Recovery Pro;
- Follow the steps of Data Recovery Setup and install the program on your computer;
- Launch it and scan your computer for files encrypted by ERIS ransomware;
- Restore them.
Windows Previous Versions is the feature capable of restoring data
When you don't have file backups, but you enabled System Restore for the ERIS ransomware removal, you can restore data with Windows Previous Versions
- Find an encrypted file you need to restore and right-click on it;
- Select “Properties” and go to “Previous versions” tab;
- Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.
ShadowExplorer is the alternative method for file restoring purposes
When Shadow Volume Copies are left untouched, you can use ShadowExplorer
- Download Shadow Explorer (http://shadowexplorer.com/);
- Follow a Shadow Explorer Setup Wizard and install this application on your computer;
- Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
- Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.
Decryption is not possible for ERIS ransomware
Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from ERIS and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes
How to prevent from getting ransomware
Access your website securely from any location
When you work on the domain, site, blog, or different project that requires constant management, content creation, or coding, you may need to connect to the server and content management service more often. The best solution for creating a tighter network could be a dedicated/fixed IP address.
If you make your IP address static and set to your device, you can connect to the CMS from any location and do not create any additional issues for the server or network manager that needs to monitor connections and activities. VPN software providers like Private Internet Access can help you with such settings and offer the option to control the online reputation and manage projects easily from any part of the world.
Recover files after data-affecting malware attacks
While much of the data can be accidentally deleted due to various reasons, malware is one of the main culprits that can cause loss of pictures, documents, videos, and other important files. More serious malware infections lead to significant data loss when your documents, system files, and images get encrypted. In particular, ransomware is is a type of malware that focuses on such functions, so your files become useless without an ability to access them.
Even though there is little to no possibility to recover after file-locking threats, some applications have features for data recovery in the system. In some cases, Data Recovery Pro can also help to recover at least some portion of your data after data-locking virus infection or general cyber infection.
- ^ Larry Dignan. Ransomware attacks: Why and when it makes sense to pay the ransom. ZDNet. Technology news.
- ^ David Bisson. Malvertising Campaign Redirects to RIG Exploit Kit, ERIS Ransomware. Securityboulevard. News and analysis.
- ^ Viruset. Viruset. Spyware related news.