
Monday, July 8, 2019

Malware Removal 101: Eris Ransomware

Like any other ransomware, Eris is easy to remove; the real problem is decrypting your files, since no decrypter is available to date. Removing the binary stops further damage but does not bring the encrypted documents back.

I didn't test many antivirus products, just two: Kaspersky Security Cloud and 360 Total Security Essentials.

Ransomware running in memory
Kaspersky Security Cloud

  • Quick Scan terminated the process and deleted the malware
360 Total Security Essentials

  • The malware is detected and deleted as soon as 360 TSE is enabled.
Note:  Eris creates no entries in the Startup folder or under HKLM/HKCU\...\Run.  I have to point this out because the majority of removal instructions I've seen are templates written without an actual ransomware sample to work with: they tell you to hunt for entries (keys) the malware supposedly made in the registry, which for this sample do not exist.

Startup entries while ransomware is active
 
You can use any antivirus/antimalware as long as it's updated and can detect Eris.
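Rather than trusting a template guide, you can check the autostart locations the note above refers to before and after detonating a sample. The following PowerShell is an added example for this page, not something from the original post; the function names are this example's own, and it also covers RunOnce and the WOW6432Node Run key, which the post does not mention.

```powershell
# Added example (not from the original post): enumerate the autostart
# locations the note above refers to, so you can confirm for yourself whether
# a sample added anything there. Function names are this example's choices;
# the registry paths are the standard Windows ones.

function Get-AutostartEntries {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Properties PowerShell itself attaches to registry items; not real values.
    $psNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -in $psNoise) { continue }
            [PSCustomObject]@{ Source = $key; Name = $prop.Name; Command = [string]$prop.Value }
        }
    }

    # Per-user and all-users Startup folders.
    $startupDirs = @(
        [Environment]::GetFolderPath('Startup'),
        [Environment]::GetFolderPath('CommonStartup')
    )
    foreach ($dir in $startupDirs) {
        if (-not (Test-Path -Path $dir)) { continue }
        foreach ($f in (Get-ChildItem -Path $dir -File -Force)) {
            [PSCustomObject]@{ Source = $dir; Name = $f.Name; Command = $f.FullName }
        }
    }
}

# Save a baseline before detonating the sample, then diff afterwards.
function Save-AutostartBaseline {
    param([string]$Path = "$env:TEMP\autostart-baseline.xml")
    Get-AutostartEntries | Export-Clixml -Path $Path
    return $Path
}

# Returns only entries present now that were not in the baseline.
function Compare-AutostartBaseline {
    param([string]$Path = "$env:TEMP\autostart-baseline.xml")
    $before = @(Import-Clixml -Path $Path)
    $after  = @(Get-AutostartEntries)
    if ($before.Count -eq 0) { return $after }   # Compare-Object rejects an empty reference set
    Compare-Object -ReferenceObject $before -DifferenceObject $after `
        -Property Source, Name, Command |
        Where-Object SideIndicator -eq '=>'
}

# Usage (run as the same user both times, inside the sandbox):
#   Save-AutostartBaseline       # before running the sample
#   Compare-AutostartBaseline    # after the sample has run; empty output means nothing was added
```

An empty result from the comparison is exactly what the note above describes for Eris. That is not unusual for ransomware: once the files are encrypted the job is done, so the sample has little reason to survive a reboot, and a guide that insists you find and delete Run-key entries is describing a different family or none at all.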

Sunday, July 7, 2019

Eris Ransomware

VirusTotal

This is a new ransomware.  The sample was run in a sandboxed environment.  Encryption is fast: it encrypted almost all of my documents on drive C: within a minute of the sample starting.

Removal is easy: do a full scan with an updated antivirus/antimalware (see virustotal.com for the list of engines that detect this sample).

Decryption is another story.  Although I've seen many sites with instructions on how to decrypt Eris, I doubt any of them really work.  Unless the ransomware's cryptography is flawed or its keys leak, no third-party tool can undo the encryption; before paying anyone, check whether a vetted decrypter has been published for the family (the No More Ransom project at nomoreransom.org collects them).

Ransomware Readme

Documents encrypted by Eris Ransomware
The original document's file size is reduced to zero bytes after encryption

Encrypted document

Notes:  

  • The sample is detected by Kaspersky Security Cloud; it was run with the AV disabled for this test
  • AppCheck wasn't able to detect the encryption
  • After the test, Recuva failed to recover any of the encrypted documents, which is consistent with the originals being truncated to zero bytes rather than simply deleted
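Two symptoms from this post are easy to measure after a detonation: originals left at zero bytes, and new files whose content is indistinguishable from random data. The following PowerShell is an added example for this page, not code from the original post; the function names and the 7.5-bits-per-byte threshold are this example's choices, and the file extension Eris appends is not assumed, since the post does not state it.

```powershell
# Added example (not from the original post): triage a directory tree after a
# detonation for the two symptoms described above, originals left at zero bytes
# and files whose content looks encrypted. Function names and the 7.5-bit
# threshold are this example's choices, not anything from the sample itself.

function Get-ShannonEntropy {
    param([byte[]]$Bytes)
    if (-not $Bytes -or $Bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object 'int[]' 256
    foreach ($b in $Bytes) { $counts[$b]++ }
    $n = [double]$Bytes.Length
    $h = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) {
            $p = $c / $n
            $h -= $p * [Math]::Log($p, 2)
        }
    }
    return $h   # bits per byte; 8.0 is the maximum
}

function Get-EncryptionImpact {
    param(
        [Parameter(Mandatory)][string]$Path,
        [double]$EntropyThreshold = 7.5,
        [int]$SampleBytes = 4096
    )
    $files    = @(Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue)
    $zeroByte = @($files | Where-Object Length -eq 0)

    # Read only the first $SampleBytes of each non-empty file; enough for an entropy estimate.
    $highEntropy = foreach ($f in ($files | Where-Object Length -gt 0)) {
        $len = [int][Math]::Min([long]$SampleBytes, $f.Length)
        $buf = New-Object byte[] $len
        try {
            $fs = [System.IO.File]::OpenRead($f.FullName)
            try { $read = $fs.Read($buf, 0, $len) } finally { $fs.Dispose() }
        } catch { continue }   # locked or unreadable file: skip it
        if ($read -le 0) { continue }
        $h = Get-ShannonEntropy -Bytes $buf[0..($read - 1)]
        if ($h -ge $EntropyThreshold) {
            [PSCustomObject]@{
                File      = $f.FullName
                Size      = $f.Length
                Extension = $f.Extension
                Entropy   = [Math]::Round($h, 2)
            }
        }
    }
    $highEntropy = @($highEntropy)

    [PSCustomObject]@{
        TotalFiles            = $files.Count
        ZeroByteFiles         = $zeroByte.Count
        ZeroByteSample        = @($zeroByte | Select-Object -First 10 -ExpandProperty FullName)
        HighEntropyFiles      = $highEntropy.Count
        HighEntropyExtensions = @($highEntropy | Group-Object Extension |
                                  Sort-Object Count -Descending |
                                  Select-Object -First 5 Name, Count)
    }
}

# Usage, run against the victim profile inside the sandbox:
#   Get-EncryptionImpact -Path 'C:\Users\victim\Documents'
```

Read the two counts differently. Compressed formats (docx, xlsx, pdf streams, jpg, zip) already sit near 8 bits per byte, so the entropy figure over-reports on a normal Documents folder and is only meaningful as a before/after comparison or through the top extensions it lists. The zero-byte count has no such ambiguity and matches what this sample does to originals; it also explains the Recuva result, since a file truncated in place leaves nothing on disk for an undelete tool to carve.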