Erebus Ransomware
June 21, 2017
Saad Omar (28 articles)
Share

Erebus Ransomware

NAYANA, a South Korean web hosting company, was recently attacked by a ransomware dubbed Erebus which took down 143 Linux servers and 3480 websites across the globe. A large price of 10 bitcoins was asked but it got reduced to 5.4 bitcoins thank to a request by NAYANA’s technology head.

The Erebus ransomware executes at administrative privileges by bypassing the UAC (User Account Control). This is done by abusing the Event Viewer which already runs at elevated privileges so that it runs Erebus with the same privileges. After that, Erebus copies itself to a randomly named file and changes the Registry of Windows in order to hijack .msc files allowing Erebus to take its place and execute by itself.

Source: Cybersecurity Insiders