Eris Ransomware - How to remove

Eris is a recent ransomware infection which has recently been distributed using exploit kits online. This virus attacks Windows computers and locks user-created files, making them unusable. The criminals behind Eris want to use the situation to lure money out of the victims — this is known as crypto extortion. To be able to use the infected computer again safely, it’s important to remove Eris and plug the security holes which this virus exploited.

Eris hasn’t been found to be related to any existing ransomware families. It was originally discovered in May 2019, but reemerged in July.

Like all file-locking ransomware, Eris sifts through your data and attacks the files which aren’t essential for the operating system. Image, video, audio files, as well as documents, text files, and other data.

A ransom note called @ READ ME TO RECOVER FILES @.txt is placed in the folders next to the Eris-encrypted files. This note tries to convince the victims to contact the extortionists and pay them money. The victims are threatened to not use any alternative methods of file recovery, but remember that Eris is the work of criminals who are looking for a profit.

Here is the long ransom note:

***                                                 ***
*** READ THIS FILE CAREFULLY TO RECOVERY YOUR FILES ***
***                                                 ***

ALL OF YOUR FILES HAVE BEEN ENCRYPTED BY “ERIS RANSOMWARE”!
USING STRONG ENCRYPTION ALGORITHM.

Every your files encrypted with unique strong key using “Salsa20” encryption algorithm:
https://en.wikipedia.org/wiki/Salsa20

Which is protected by RSA-1024 encryption algorithm:
https://en.wikipedia.org/wiki/RSA_(cryptosystem)

shadow copy, F8 or recuva and other recovery softwares cannot help you, but cause Irreparable damage to your files!

Technically no way to restore your files without our help.

we only accept cryptocurrency Bitcoin (BTC) as payment method! for cost of decryption service.
https://wikipedia.org/wiki/Cryptocurrency
https://wikipedia.org/wiki/Bitcoin

For speed and easily, please use localbitcoins website to purchase Bitcoin:
https://localbitcoins.com

* WE OFFER YOU 1 FREE FILE DECRYPTION (<1024 KB) WITHOUT ANY COST! TO TRUST OUR HONESTY BEFORE PAYMENT.

  THE SIMPLE FILE MUST NOT BE ARCHIVED!

—–BEGIN ERIS IDENTIFICATION—–
****
—–END ERIS IDENTIFICATION—–

===============================
===============================

   (Decryption Instructions)

1. Send your “ERIS IDENTIFICATION” with one simple of your encrypted files (<1024 KB) to our email address:
   [email protected]
2. Wait for reply from us.
   (usually in some hour)
3. Confirm your simple files are decrypted correct and ask us how to pay to decrypt all your files.
4. We will send you payment instructions in Bitcoin.
5. You made payment and send us TXID of Bitcoin transfer.
6. After we confirm the payment, you will soon get decryption package and everything back to normal.

* IN CASE OF FOLLOWING OUR INSTRUCTION,
FAST AND EASILY EVERYTHING IS BACK TO NORMAL LIKE THAT NEVER HAPPENED!

  BUT IF YOU USE OTHER METHODS (THAT NEVER EVER HELPS) YOU JUST DESTROY EVERYTHING FOR GOODNESS!

  BE A SMART AND SAVE YOUR FILES! NOT A FOOL!

===============================
===============================

* DO NOT MODIFY ENCRYPTED FILES
* DO NOT MOVE ENCRYPTED FILES
* DO NOT USE RECOVERY SOFTWARES

===============================
===============================

(Frequently Asked Questions)

Q: I can not pay for it, what I do now?
A: Format your hard disk, re-install your softwares and start everything from begin!

Q: What a guarantee I can recovery my files after payment?
A: There is no any reason for us to do not give you decryption software and your special key.

   The only our goal is help you not hurt!

=======================================

How Eris infects computers

Like Matrix, Buran, and Seon, Eris is distributed online with the help of the RIG exploit kit. It’s been reported that some PopCash ads were infected, leading people to a page which would check the browser for a particular security exploit. If the browser is vulnerable, the virus is delivered.

PopCash is legitimate, but it’s among the advertising networks often associated with malicious webpages and programs, like redirect viruses and browser hijackers. Any network is vulnerable to be exploited by intelligent criminals — no review process is perfect. However, different ad-networks have different standards.

An Eris infection is a very unfortunate example of how dangerous malicious advertising can be. Unlike most viruses, this strategy does not require the victim to download and install the virus — only click on an advertisement. Many viruses can be distributed using exploit kits, so this method will likely be used again in the future. Make sure to update your software (your operating system and web browsers, and your antivirus program) to avoid any security holes being exploited by criminals. Refusing security patches puts your computer at unnecessary risk, and criminals constantly evolve their software, so the newest updates should be installed regularly.

If you frequent websites which show lots of aggressive, dishonest ads, pop-up windows and new tabs, and even screen-locking pages, you should definitely set up a backup and update it regularly. It’ll be difficult to avoid viruses when you’re constantly exposed to dangerous ads, but a virus infection doesn’t have to be very destructive. Just make sure that you don’t do any sensitive activities on a machine which could be infected with spyware or trojans to avoid having your passwords being stolen.

Can the files be fixed?

The best way to be safe against ransomware is to have prepared for it beforehand. File backups are essential if you want to be sure that a disk failure, or a file-locking virus will not cost you your data. Unfortunately, not everyone had the idea to set up backups, so let’s take a look at a few other file recovery possibilities.

Ransomware viruses use hybrid encryption to make sure that the files aren’t decrypted without the private decryption key. Hybrid cryptography involves encrypting the files with a fast algorithm and storing the decryption keys on your computer, but encrypting the decryption keys with a very secure (but slow) asymmetric algorithm. So, you have the decryption keys to your files — they’re just locked by Eris. And the necessary decryption key was never stored on your computer because asymmetric cryptography allows separate encryption and decryption keys.

The criminals behind Eris may be correct about independent decryption being impossible, however, they severely overstate the danger of using other methods. They have a reason, of course — they’re trying to discourage people from looking for alternatives to paying the ransom. Generally, it’s safe to move the encrypted files to some separate storage while you wait for a free decryptor and, meanwhile, you can clean the computer and use it again.

If you want to try recovering the files, it’s worth trying out system restore or data recovery. Eris might insist that it won’t work, but there’s no harm in trying. Check the guide below this article. In case it doesn’t work, prepare by copying the broken files to some secure storage and wait for news about a free decryptor. It’s very unlikely but possible that a decryptor for Eris is developed and released for free.

How to remove Eris

The virus is already recognized by most professional antivirus programs, so any strong and reputable tool (like Spyhunter) should be able to find Eris and remove it. Alternatively, you can format your disk, but even then, it’s advisable to sweep it with an antivirus tool — there is a handful of very sophisticated trojans which can survive even a reinstall.

Automatic Malware removal tools

How to recover Eris Ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista/ XP

• Start → Shutdown → Restart → OK.
• Press F8 key repeatedly until Advanced Boot Options window appears.
• Choose Safe Mode with Command Prompt.

for Windows 8 / 10

• Press Power at Windows login screen. Then press and hold Shift key and click Restart.
• Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
• When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

 

2.Restore System files and settings.

• When Command Prompt mode loads, enter cd restore and press Enter.
• Then enter rstrui.exe and press Enter again.
• Click “Next” in the windows that appeared.
• Select one of the Restore Points that are available before Eris Ransomware has infiltrated to your system and then click “Next”.
• To start System restore click “Yes”.

 

Step 2. Complete removal of Eris Ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter and remove all malicious files related to Eris Ransomware. You can check other tools here.  

Step 3. Restore Eris Ransomware affected files using Shadow Volume Copies

If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually Eris Ransomware tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer. a) Native Windows Previous Versions Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.

b) Shadow Explorer It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover Eris Ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:

• We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
• Download a data recovery program.
• Install and scan for recently deleted files.

Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.