Erebus Ransomware Removal Guide

Do you know what Erebus Ransomware is?

Erebus Ransomware will make your files unusable if it ever enters your computer. Even though this computer infection was detected roughly 4 months ago, it has already encrypted files on hundreds of different computers and will continue doing so in the future. It targets the most valuable data, e.g. pictures, documents, program data, movies, music files, and many other files. Luckily, not all files stored on the system are encrypted. Erebus Ransomware has no intention of ruining your Windows OS, so it leaves system files and files in particular directories, e.g. C:\drivers, %Windows%, %Program Files%, %AppDataLocal%, and C:\$recycle.bin, unencrypted. It encrypts files so that it can then sell the decryptor to users and thus get money from them. To make it extremely hard to crack the private key, Erebus Ransomware uses the RSA-2048 encryption algorithm, which is known to be one of the strongest ciphers. Evidently, this infection seeks to make all users pay money. It is better to uninstall Erebus Ransomware from your PC than to pay. In this article, we will explain why transferring money to cyber criminals is such a bad idea and what other ways there are to decrypt files without the special decryption tool.

Erebus Ransomware is not as sophisticated as similar threats, e.g. Spora Ransomware, Cryptorium Ransomware or Crypt.Locker Ransomware, but it can still cause much harm because it is capable of encrypting users’ personal files just like more popular ransomware-type infections. As mentioned in the first paragraph, our research team has found that this threat can encrypt all kinds of files, except those that belong to the Windows OS or are placed in certain directories. All files, no matter what their original extensions are, receive the new extension .encrypt. On top of that, the names of these encrypted files are changed. As a consequence, users cannot recognize their files, e.g. picture.jpg becomes abvnefdkk5r53a.encrypt. It does that to obtain money from users. Erebus Ransomware also deletes shadow copies of files for the same reason: it seeks to make it impossible to decrypt files without the special key. Do not transfer money to cyber criminals even though it might seem to be the only way to get files back, because it might be possible to recover files in a different way. For example, users can easily recover their files after the removal of this infection if they have copies of their files outside their PCs. Also, security specialists might one day develop a free tool for decrypting files encrypted by Erebus Ransomware, so do not rush to pay money. Unlike other ransomware infections, this threat does not at first state the exact amount of money that has to be transferred for the decryption tool, but it is definitely not cheap, we can assure you.

To stay active after a system restart, the ransomware infection makes several modifications in the system registry right after it enters the computer. More specifically, it creates a value (GoogleChromeAutoLaunch_[RandomSymbols]) in the Run registry key. After the successful infiltration of this computer infection, you will also find three new files in the Startup directory and three new files in %APPDATA%. Unfortunately, this means that it will not be very easy to get rid of this infection, since all these files have to be deleted one by one and the changes made to the system registry undone. As can be seen, ransomware can become a real headache, so users should do all it takes to protect their PCs from file-encrypting malware. The easiest way to protect the system is, of course, to install a security application and keep it enabled.

Erebus Ransomware should be erased from the system as soon as possible, even though this will not be an easy process. If you let it stay, it will continue working in the background and might encrypt newly created files. On top of that, it might help other dangerous malicious applications to enter your computer. Below you will find instructions that will help you get rid of this computer infection, but keep in mind that you can also erase this threat automatically.

Delete Erebus Ransomware

  1. Press Win+R to launch Run and then type regedit in its box. Click OK.
  2. Open HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
  3. Locate the value GoogleChromeAutoLaunch_[RandomSymbols], right-click on it, and then select Delete.
  4. Close the Registry Editor and then open Windows Explorer (Win+E).
  5. Delete two .conf files and one .rest file with random names from %APPDATA%.
  6. Delete DECRYPT.txt, YOUR_FILES_HAS_BEEN_ENCRYPTED.html, and YOUR_FILES_HAS_BEEN_ENCRYPTED.txt from the directories listed below:
  • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup
  • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
  • %USERPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
  • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
  • %ALLUSERSPROFILE%\Start Menu\Programs\Startup
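
The steps above can be checked with a read-only PowerShell script before and after manual removal. This is an added example, not part of the original guide; the variable names are illustrative, and it assumes the .conf and .rest files sit directly in %APPDATA% and that the listed environment variables are set.

```powershell
# Added example: read-only check for the artifacts named in the steps above.
# Nothing is deleted; review every hit before removing it by hand.
$runKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$noteNames = 'DECRYPT.txt',
             'YOUR_FILES_HAS_BEEN_ENCRYPTED.html',
             'YOUR_FILES_HAS_BEEN_ENCRYPTED.txt'
# Startup locations as listed in step 6; not all exist on every Windows version.
$startupDirs = @(
    "$env:ALLUSERSPROFILE\Application Data\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ALLUSERSPROFILE\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:USERPROFILE\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ALLUSERSPROFILE\Start Menu\Programs\Startup"
)
$findings = @()

# Steps 2-3: Run values whose name starts with GoogleChromeAutoLaunch_
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -like 'GoogleChromeAutoLaunch_*') {
            $findings += [pscustomobject]@{ Type = 'RunValue'; Item = $p.Name; Detail = [string]$p.Value }
        }
    }
}

# Step 5: .conf and .rest files directly under %APPDATA% (names are random)
$appDataFiles = Get-ChildItem -LiteralPath $env:APPDATA -File -Force -ErrorAction SilentlyContinue
foreach ($f in $appDataFiles) {
    if ($f.Extension -in '.conf', '.rest') {
        $findings += [pscustomobject]@{ Type = 'AppDataFile'; Item = $f.FullName; Detail = [string]$f.LastWriteTime }
    }
}

# Step 6: ransom-note files in each Startup directory
foreach ($dir in $startupDirs) {
    foreach ($name in $noteNames) {
        $path = Join-Path $dir $name
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $findings += [pscustomobject]@{ Type = 'StartupNote'; Item = $path; Detail = '' }
        }
    }
}

if ($findings.Count -eq 0) { 'No listed artifacts found.' } else { $findings | Format-Table -AutoSize -Wrap }
```

Google Chrome can itself register a Run value with the GoogleChromeAutoLaunch_ prefix, and legitimate programs may keep .conf files in %APPDATA%, so inspect the command line in the Detail column and each file's timestamp before deleting anything.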

In non-techie terms:

If Erebus Ransomware has been erased manually, it would be smart to launch an automatic scanner and perform a full system scan to check whether this infection has really been fully removed. An automatic tool will also find other computer infections on your PC, if there are any. You could then delete all of them from the system manually or with the help of an automatic malware remover to make it perfectly clean.