Ransomware Research
Erica Ransomware
Erica is a malicious ransomware strain that encrypts victim files and demands ransom payment for decryption. First observed in the wild on January 1, 2020, this ransomware has been actively targeting systems worldwide. Security researchers also track this malware under the aliases: Erica-2, Erica2020.
Quick Facts
- Ransomware Family: Erica
- First Seen: January 1, 2020
- Known Aliases: Erica-2, Erica2020
How Erica Ransomware Works
Targeted Files
Sample df3324cbcf38361e7adc7de2c40c922c22b21ea8d815d96af194a894a3dcecbe: the names of encrypted files (without the extension) are transformed to hex, for example Biblio.mdb -> 4269626C696F.mdb
File Encryption Patterns
Erica modifies encrypted files using specific patterns to mark them as encrypted:
File extensions added after encryption:
./\.[a-z0-9]{4}$/
./\.[a-z0-9]{6}$/
./\.[a-z0-9]{8}$/
./\.[a-z0-9]{3}-[a-z0-9]{3}-[a-z0-9]{3}$/
Ransom Note and Payment Demands
After encrypting files, Erica displays ransom notes demanding payment for file recovery:
- HOW TO RESTORE ENCRYPTED FILES.TXT
  - Ransom message: notes/HOW TO RESTORE ENCRYPTED FILES.TXT
  - Note locations: EveryFolder
- READ_THIS_FILE.TXT
  - Ransom message: notes/READ_THIS_FILE.TXT
- [#]Erica - HOW TO DECRYPT MY FILES[#].txt
  - Ransom message: notes/[#]Erica - HOW TO DECRYPT MY FILES[#].txt
  - Note locations: EveryFolder
- /^Readme \.[a-z0-9]{3}-[a-z0-9]{3}-[a-z0-9]{3}\.txt$/
  - Note locations: EveryFolder
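A triage sketch for a file listing, added here as an example (it is not Elastio's code): it combines the ransom note names, the hex-encoded filename stem and the appended-extension patterns listed above. The function names, the uppercase-hex assumption and the sample paths are constructed for illustration, and the listed patterns are read as the regular expressions between the slashes.

```python
import re
from pathlib import PurePosixPath
# Appended-extension patterns as listed on the page (text between the slashes).
EXT_PATTERNS = [re.compile(p) for p in (
    r"\.[a-z0-9]{4}$", r"\.[a-z0-9]{6}$", r"\.[a-z0-9]{8}$",
    r"\.[a-z0-9]{3}-[a-z0-9]{3}-[a-z0-9]{3}$")]
NOTE_NAMES = {"HOW TO RESTORE ENCRYPTED FILES.TXT", "READ_THIS_FILE.TXT",
              "[#]Erica - HOW TO DECRYPT MY FILES[#].txt"}
NOTE_REGEX = re.compile(r"^Readme \.[a-z0-9]{3}-[a-z0-9]{3}-[a-z0-9]{3}\.txt$")
# Assumption: uppercase hex pairs, as in the page's single sample name.
HEX_STEM = re.compile(r"^(?:[0-9A-F]{2}){3,}$")

def is_ransom_note(name):
    return name in NOTE_NAMES or bool(NOTE_REGEX.match(name))

def decode_hex_stem(name):
    """Return the original stem if the part before the first dot is hex text."""
    stem = name.split(".", 1)[0]
    if not HEX_STEM.match(stem):
        return None
    try:
        text = bytes.fromhex(stem).decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None

def triage(paths):
    """Map each suspect path to the reasons it was flagged."""
    parsed = [PurePosixPath(p) for p in paths]
    note_dirs = {p.parent for p in parsed if is_ransom_note(p.name)}
    findings = {}
    for p in parsed:
        if is_ransom_note(p.name):
            findings[str(p)] = ["ransom_note"]
            continue
        reasons = []
        original = decode_hex_stem(p.name)
        if original is not None:
            reasons.append("hex_stem:" + original)
        # These patterns also match names like report.docx: count them only beside a note.
        if p.parent in note_dirs and any(r.search(p.name) for r in EXT_PATTERNS):
            reasons.append("ext_pattern")
        if reasons:
            findings[str(p)] = reasons
    return findings

# Constructed sample listing, not taken from a real incident.
SAMPLE = ["/srv/db/4269626C696F.mdb", "/srv/db/READ_THIS_FILE.TXT",
          "/srv/db/invoice.pdf.a1b-2c3-d4e", "/home/a/report.docx"]
```

Calling `triage(SAMPLE)` flags the three files under `/srv/db` and leaves `/home/a/report.docx` alone, since no ransom note sits in that directory.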
Technical Indicators
Associated Executable Files
The following executable files are associated with Erica ransomware:
About This Analysis
This Erica ransomware analysis is part of Elastio's comprehensive ransomware detection database. Elastio provides advanced ransomware protection and recovery solutions, helping organizations defend against and recover from ransomware attacks like Erica.
Last updated: July 30, 2025