Newly discovered ERIS ransomware leverages RIG exploit kit for propagation
- When the ERIS ransomware is installed, it encrypts a victim’s files and appends the .ERIS extension to them.
- Each encrypted file contains a file marker _FLAG_ENCRYPTED_ at the end of the file as proof that it has been encrypted.
A new ransomware named ERIS has recently been found. The attackers are using the RIG exploit kit to distribute it.
How does it propagate?
The ERIS ransomware was originally discovered in May 2019 by Michael Gillespie. However, it came to light after an exploit kit researcher who goes by the online name nao_sec spotted the ransomware being distributed in a malvertising campaign.
According to nao_sec, the campaign used the PopCash ad network to redirect users to the RIG exploit kit. The RIG exploit kit looked for vulnerabilities on targeted computers and installed the ransomware without the users’ knowledge.
About the ERIS ransomware
When the ERIS ransomware is installed, it encrypts a victim’s files and appends the .ERIS extension to them. Each encrypted file contains a file marker of _FLAG_ENCRYPTED_ at the end of the file as proof that it has been encrypted.
After this, the ransomware drops a ransom note named @ READ ME TO RECOVER FILES @.txt that instructs the victim to contact Limaooo@cock[.]li for payment instructions. The ransom note is unique to each victim and is marked with an ID number, which the victim must send to the attackers in order to receive a decryption key for one encrypted file.
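For incident responders scoping an infection, the three indicators described above (the .ERIS extension, the trailing _FLAG_ENCRYPTED_ marker and the ransom note file name) can be checked together. The following Python triage script is an added example, not code from the article or the researchers it cites; it assumes the marker is stored as literal ASCII bytes within the last 64 bytes of a file, and the function names and report keys are hypothetical.

```python
import os
import sys
from pathlib import Path

MARKER = b"_FLAG_ENCRYPTED_"                    # file marker named in the article
EXTENSION = ".eris"                             # compared case-insensitively
NOTE_NAME = "@ READ ME TO RECOVER FILES @.txt"  # ransom note name from the article
TAIL_BYTES = 64                                 # assumption: marker sits in the last 64 bytes


def has_marker(path, tail_bytes=TAIL_BYTES):
    """Return True if the marker occurs in the last tail_bytes of the file."""
    try:
        with open(path, "rb") as fh:
            fh.seek(0, os.SEEK_END)
            size = fh.tell()
            fh.seek(max(0, size - tail_bytes))  # read only the tail, never the whole file
            return MARKER in fh.read()
    except OSError:
        return False  # unreadable file: cannot confirm the marker


def triage(root):
    """Walk root and classify every file by extension, marker and note name."""
    report = {"confirmed": [], "extension_only": [], "marker_only": [], "notes": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name == NOTE_NAME:
                report["notes"].append(path)
                continue
            ext_hit = path.suffix.lower() == EXTENSION
            marker_hit = has_marker(path)
            if ext_hit and marker_hit:
                report["confirmed"].append(path)       # both indicators agree
            elif ext_hit:
                report["extension_only"].append(path)  # renamed but no marker found
            elif marker_hit:
                report["marker_only"].append(path)     # marker present, name differs
    return report


if __name__ == "__main__":
    result = triage(sys.argv[1] if len(sys.argv) > 1 else ".")
    for category, paths in result.items():
        print(f"{category}: {len(paths)}")
        for p in paths:
            print(f"  {p}")
```

Files in the `extension_only` and `marker_only` buckets are the ones to examine by hand, since only one of the two indicators matched.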