Rig Exploit Kit Pushing Eris Ransomware into Drive-by Downloads
The RIG exploit kit has been spotted distributing the new ERIS ransomware as a payload. Because RIG delivers it as a drive-by download, a visitor running a vulnerable browser or plugin can end up with the ransomware installed simply by visiting a website, with no further interaction on their part.
The ERIS ransomware was first spotted in May 2019 by Michael Gillespie when a victim submitted it to his ID Ransomware site, but no sample was available at the time. Over the weekend, exploit kit researcher nao_sec spotted it being distributed through a malvertising campaign that uses the RIG exploit kit.
According to nao_sec, a malvertising campaign running on the popcash ad network redirects users to the RIG exploit kit. This is illustrated in the web requests captured below.
Once the victim is redirected to the kit, nao_sec told BleepingComputer, RIG attempts to exploit a Shockwave Flash (SWF) vulnerability in the browser. If the exploit succeeds, it downloads and executes ERIS ransomware on the computer without any further user interaction.
When ERIS ransomware runs, it encrypts the victim's files and appends the .ERIS extension to each one, as shown below.
Each encrypted file also ends with the file marker _FLAG_ENCRYPTED_, which indicates that the file has been encrypted by the ransomware. For responders this trailer is a useful indicator: a file that carries both the .ERIS extension and this marker can be treated as encrypted by ERIS.
In each folder it scans, the ransomware also drops a ransom note named @ READ ME TO RECOVER FILES @.txt, which tells the victim to contact [email protected] for payment instructions. The note contains a unique identifier that the victim must send to the ransomware's operator, who offers to decrypt one file for free as a test.
Unfortunately, there is currently no way to decrypt files encrypted by ERIS for free. If that changes, we will publish a follow-up article with additional findings.
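The two indicators described above (the .ERIS extension together with the _FLAG_ENCRYPTED_ trailer, and the ransom note with its ERIS IDENTIFICATION block) are enough to triage a suspect host. The script below is an added example written for this article; it is not code from BleepingComputer, nao_sec or the ransomware itself. It walks a directory tree, separates confirmed hits (extension and marker) from files that show only one indicator, and pulls the victim identifier out of every ransom note it finds. The sample tree, the identifier SAMPLE-ID-0000 and the note contents are constructed here so the script runs offline.

```python
"""Offline triage for a host suspected of ERIS ransomware infection.

Added example (not from the article or from the researchers it cites).
Indicators used, as described in the article:
  * encrypted files end in .ERIS and carry a trailing _FLAG_ENCRYPTED_ marker
  * each scanned folder holds a note named "@ READ ME TO RECOVER FILES @.txt"
    containing a BEGIN/END ERIS IDENTIFICATION block
"""
import os
import re
import tempfile
from pathlib import Path

ERIS_EXT = ".ERIS"
FILE_MARKER = b"_FLAG_ENCRYPTED_"
NOTE_NAME = "@ READ ME TO RECOVER FILES @.txt"
ID_BLOCK = re.compile(
    r"-----BEGIN ERIS IDENTIFICATION-----\s*(.*?)\s*-----END ERIS IDENTIFICATION-----",
    re.S,
)


def has_eris_marker(path):
    """True when the file ends with the _FLAG_ENCRYPTED_ trailer.

    Only the last len(FILE_MARKER) bytes are read, so large files are cheap to check.
    """
    size = os.path.getsize(path)
    if size < len(FILE_MARKER):
        return False
    with open(path, "rb") as fh:
        fh.seek(size - len(FILE_MARKER))
        return fh.read() == FILE_MARKER


def extract_eris_id(note_text):
    """Return the identifier between the BEGIN/END ERIS IDENTIFICATION lines, or None."""
    m = ID_BLOCK.search(note_text)
    return m.group(1).strip() if m else None


def triage(root):
    """Scan `root` and return (encrypted, suspicious, ids), each sorted.

    encrypted:  files with the .ERIS extension AND the trailing marker (confirmed).
    suspicious: files showing only one of the two indicators (worth a manual look).
    ids:        distinct ERIS identifiers recovered from ransom notes.
    """
    encrypted, suspicious, ids = [], [], set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if name == NOTE_NAME:
                victim_id = extract_eris_id(p.read_text(errors="replace"))
                if victim_id:
                    ids.add(victim_id)
                continue
            ext_hit = p.suffix == ERIS_EXT
            marker_hit = has_eris_marker(p)
            if ext_hit and marker_hit:
                encrypted.append(str(p))
            elif ext_hit or marker_hit:
                suspicious.append(str(p))
    return sorted(encrypted), sorted(suspicious), sorted(ids)


def build_sample_tree():
    """Constructed sample data (not a real infection); returns the temp root."""
    root = Path(tempfile.mkdtemp(prefix="eris_triage_"))
    docs = root / "Documents"
    docs.mkdir()
    # Encrypted file: original name plus .ERIS, ciphertext followed by the marker.
    (docs / "budget.xlsx.ERIS").write_bytes(os.urandom(64) + FILE_MARKER)
    # Extension only, no trailer: not a confirmed ERIS hit.
    (docs / "notes.txt.ERIS").write_bytes(b"plain text, no trailer")
    # Untouched file.
    (docs / "readme.txt").write_bytes(b"nothing to see here")
    # Ransom note with a constructed identifier (SAMPLE-ID-0000 is made up).
    (docs / NOTE_NAME).write_text(
        'ALL OF YOUR FILES HAVE BEEN ENCRYPTED BY "ERIS RANSOMWARE"!\n'
        "-----BEGIN ERIS IDENTIFICATION-----\n"
        "SAMPLE-ID-0000\n"
        "-----END ERIS IDENTIFICATION-----\n"
    )
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    enc, sus, ids = triage(root)
    print("confirmed encrypted:", enc)
    print("suspicious:", sus)
    print("ERIS identifiers found:", ids)
```

Checking the trailer by seeking to the end rather than reading whole files keeps the scan fast on large volumes, and keeping "suspicious" separate from "encrypted" avoids writing off a file that a user merely renamed, or one the ransomware was interrupted while writing.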
@ READ ME TO RECOVER FILES @.txt
Text of the ransom note:
*** *** *** READ THIS FILE CAREFULLY TO RECOVERY YOUR FILES *** *** ***

ALL OF YOUR FILES HAVE BEEN ENCRYPTED BY "ERIS RANSOMWARE"!
USING STRONG ENCRYPTION ALGORITHM.

Every your files encrypted with unique strong key using "Salsa20" encryption algorithm:
https://en.wikipedia.org/wiki/Salsa20
Which is protected by RSA-1024 encryption algorithm:
https://en.wikipedia.org/wiki/RSA_(cryptosystem)

shadow copy, F8 or recuva and other recovery softwares cannot help you,
but cause Irreparable damage to your files!
Technically no way to restore your files without our help.

we only accept cryptocurrency Bitcoin (BTC) as payment method! for cost of decryption service.
https://wikipedia.org/wiki/Cryptocurrency
https://wikipedia.org/wiki/Bitcoin
For speed and easily, please use localbitcoins website to purchase Bitcoin:
https://localbitcoins.com

* WE OFFER YOU 1 FREE FILE DECRYPTION (1024 KB) WITHOUT ANY COST! TO TRUST OUR HONESTY BEFORE PAYMENT.
THE SIMPLE FILE MUST NOT BE ARCHIVED!

-----BEGIN ERIS IDENTIFICATION-----
[id]
-----END ERIS IDENTIFICATION-----

===========================================================================================================
(Decryption Instructions)
1. Send your "ERIS IDENTIFICATION" with one simple of your encrypted files (1024 KB) to our email address: [email protected]
2. Wait for reply from us. (usually in some hour)
3. Confirm your simple files are decrypted correct and ask us how to pay to decrypt all your files.
4. We will send you payment instructions in Bitcoin.
5. You made payment and send us TXID of Bitcoin transfer.
6. After we confirm the payment, you will soon get decryption package and everything back to normal.

* IN CASE OF FOLLOWING OUR INSTRUCTION, FAST AND EASILY EVERYTHING IS BACK TO NORMAL LIKE THAT NEVER HAPPENED!
BUT IF YOU USE OTHER METHODS (THAT NEVER EVER HELPS) YOU JUST DESTROY EVERYTHING FOR GOODNESS!
BE A SMART AND SAVE YOUR FILES! NOT A FOOL!
===========================================================================================================

===============================
* DO NOT MODIFY ENCRYPTED FILES
* DO NOT MOVE ENCRYPTED FILES
* DO NOT USE RECOVERY SOFTWARES
===============================

=============================================================================================
(Frequently Asked Questions)
Q: I can not pay for it, what I do now?
A: Format your hard disk, re-install your softwares and start everything from begin!
Q: What a guarantee I can recovery my files after payment?
A: There is no any reason for us to do not give you decryption software and your special key. The only our goal is help you not hurt!
=============================================================================================