How to remove Erif ransomware

Erif ransomware is file-encrypting malware that belongs to the Djvu ransomware family. It encrypts files and adds the .erif file extension.



Erif ransomware belongs to the notorious Djvu/STOP ransomware family, on which we have reported multiple times already. It has hundreds of versions, including Kook, Kuus and Nile ransomware. Detected by malware specialist Michael Gillespie, this version adds the .erif file extension (e.g. image.jpg.erif) to encrypted files, which is why it's known as Erif ransomware. It's practically identical to other versions of Djvu ransomware, but it's nonetheless a dangerous infection. The operators of this malware demand that victims pay $980 in ransom, or $490 if they contact them within 72 hours. However, paying the ransom is not recommended for multiple reasons, which will be explained further on in this report.

Some versions of Djvu malware are decryptable with Emsisoft’s Djvu/STOP decryption tool, but the decryptor mostly works on older versions. If users find their files encrypted with Erif ransomware, the only sure way to recover files is via backup. However, before accessing it and starting file recovery, users first need to remove Erif ransomware. Otherwise, backed up files may become encrypted as well.

Erif ransomware uses the standard distribution methods

As is the case with all Djvu versions and other ransomware, Erif malware uses spam emails, torrents and malicious ads to spread. If users develop good browsing habits, they will be able to avoid the majority of malware.

One of the most important things to learn is to not open unsolicited email attachments. Spam emails often come with malicious attachments, which, if opened, could initiate malware. Spam emails carrying malware are often made to appear like important correspondence which users need to engage with. Spammers pretend to be from known companies or government organizations, and often claim that the attached file is an important document that needs to be reviewed. However, the abundance of spelling and grammar mistakes immediately gives away that the email is spam. Grammar mistakes and random/non-professional sender email addresses are the two most obvious signs that users are dealing with spam. Even if the email checks out, it's always a good idea to scan all unsolicited attachments with anti-malware software or VirusTotal.

Users who pirate via torrents can also encounter malware quite often. Torrent sites are not properly regulated and often lack even the basic security measures. Malicious parties can easily disguise ransomware as a torrent for a movie, game, program, etc. Pirating copyrighted content via torrents is not only stealing but it’s also dangerous, though many users ignore this danger.

Extreme caution should also be taken when visiting high-risk websites that are known to have low-quality ads. Those ads could trick users into downloading dangerous content, including ransomware. Having an adblocker enabled helps deal with this to some extent.

Erif ransomware encrypts files

Erif ransomware starts encrypting files as soon as it is executed. It targets important files, such as photos and documents, because they are important to users, and thus are valuable. When a file is encrypted, an .erif file extension is added to it. A _readme.txt ransom note is also dropped, with instructions for victims on how to recover files. Victims can buy the decryption tool for $980, or $490 if they contact malware operators within 72 hours. Users can contact them via or The ransom note is identical to the ones dropped by all other versions of the Djvu ransomware family.

Below is the ransom note:


Don’t worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that’s price for you is $490.
Please note that you’ll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don’t get answer more than 6 hours.

To get this software you need write on our e-mail:

Reserve e-mail address to contact us:

Your personal ID:

As always, victims are advised not to contact these cyber criminals. Paying the ransom may seem like the best option but it does not guarantee file decryption. There have been plenty of cases when victims sent the money but received nothing in return, or the decryptor did not work. Furthermore, victims paying the ransom makes ransomware a very profitable business for its operators, which encourages them to continue.

As mentioned above, backup is the only sure way to recover files. Ransomware is one of the reasons why regularly backing up files is so important.

Erif ransomware removal

Users should only delete Erif ransomware with anti-malware software. It is a serious malware infection and users should not attempt to manually get rid of it. Once the ransomware is gone, users with backup can start file recovery. For users who do not have backup, Emsisoft provides a helpful thread.
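
Before restoring, it helps to know exactly which files were hit and whether the backup itself is clean. The following is an added example, not part of the original article or any vendor tool: a read-only Python inventory that looks for the .erif extension and _readme.txt notes described above and maps each encrypted file to its backup copy. The function names and the assumption that the backup mirrors the original folder layout are illustrative.

```python
import os
from collections import Counter
from pathlib import Path

ENCRYPTED_SUFFIX = ".erif"   # extension named in the article
RANSOM_NOTE = "_readme.txt"  # note filename named in the article


def inventory(root):
    """Walk root (read-only) and list Erif-encrypted files and ransom notes."""
    encrypted, notes, by_type = [], [], Counter()
    for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):
        for name in files:
            path = Path(dirpath) / name
            lower = name.lower()
            if lower == RANSOM_NOTE:
                # Indicator only: a benign file can share this name.
                notes.append(path)
            elif lower.endswith(ENCRYPTED_SUFFIX) and len(name) > len(ENCRYPTED_SUFFIX):
                encrypted.append(path)
                # image.jpg.erif -> original name image.jpg -> type ".jpg"
                original = name[: -len(ENCRYPTED_SUFFIX)]
                by_type[Path(original).suffix.lower() or "(none)"] += 1
    return {"encrypted": sorted(encrypted), "notes": sorted(notes), "by_type": by_type}


def restore_plan(root, backup_root):
    """Map each encrypted file to its backup copy; list files the backup lacks.

    Assumes (illustrative) that backup_root mirrors the layout of root.
    Refuses to plan a restore if the backup already holds .erif files.
    """
    root, backup_root = Path(root), Path(backup_root)
    if inventory(backup_root)["encrypted"]:
        raise RuntimeError("backup contains .erif files; do not restore from it")
    plan, missing = {}, []
    for enc in inventory(root)["encrypted"]:
        rel = enc.relative_to(root)
        original_rel = rel.with_name(rel.name[: -len(ENCRYPTED_SUFFIX)])
        candidate = backup_root / original_rel
        if candidate.is_file():
            plan[enc] = candidate
        else:
            missing.append(enc)
    return plan, missing
```

Run it only after the ransomware has been removed and with the backup attached read-only where possible; the script itself never modifies or deletes anything.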