What is Anubi ransomware, and how does it carry out its attack?
Anubi ransomware is a ransomware-type infection discovered by the malware researcher S!Ri. When it infects a computer, Anubi first creates an autorun entry in the Windows Registry so that it starts automatically each time the user logs in. It then scans the computer's drives for files to encrypt and, as it encrypts, appends the .[email_address].anubi extension to every compromised file, where the e-mail address is the attacker's contact address from the ransom note. It does not encrypt files on unmapped network shares, but it does encrypt files on mapped network shares, so any share connected to the infected machine as a drive letter is at risk.
After it has finished the encryption process, it drops a ransom note in a text file named _READ_ME_.txt throughout the computer:
“[WHAT HAPPENED]
Your important files produced on this computer have been encrypted due a security problem
If you want to restore them, write us to the e-mail: [email protected]
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.
[FREE DECRYPTION AS GUARANTEE]
Before paying you can send to us up to 3 files for free decryption.
Please note that files must NOT contain valuable information
and their total size must be less than 1Mb
[HOW TO OBTAIN BITCOINS]
The easiest way to buy bitcoin is LocalBitcoins site.
You have to register, click Buy bitcoins and select the seller
by payment method and price
hxxps://localbitcoins.com/buy_bitcoins
hxxps://paxful.com/buy-bitcoin
hxxps://bitcointalk.org/
[ATTENTION]
Do not rename encrypted files
Do not try to decrypt your data using third party software, it may cause permanent data loss
If you not write on e-mail in 36 hours – your key has been deleted and you cant decrypt your files
Your ID: [RANDOM CHARACTERS]”
As you can see, the ransom note instructs the victim to contact the ransomware developer at [email protected] and to send the unique ID given at the bottom of the note in order to receive payment instructions. One weakness of this ransomware is that its encryption is very slow, which works in the victim's favour: there is a good chance of interrupting it and terminating its process before it finishes encrypting the files.
How does Anubi ransomware spread?
There isn't much information about the ransomware's distribution technique, but security researchers suspect that it is spread through malicious spam e-mail campaigns. These e-mails carry a malicious attachment or link that drops Anubi ransomware onto the computer and installs it.
Eliminate Anubi ransomware using the removal instructions given below.
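The behaviour described above (the .[email_address].anubi naming pattern, ransom notes dropped across the machine, mapped shares in scope) can be turned into a quick damage-scoping script. This is an added example, not code from the original article or from any researcher's analysis; it assumes the extension pattern and the _READ_ME_.txt note name exactly as stated above, uses only built-in PowerShell cmdlets, and treats the earliest LastWriteTime among encrypted files as a rough estimate of when encryption began (a heuristic, since ransomware may preserve timestamps).

```powershell
# Added example (not part of the original article): scope an Anubi infection.
# Assumptions: encrypted files are named <original name>.[<email>].anubi and the
# ransom note is _READ_ME_.txt, as described above. Run as the affected user.

# Matches  report.docx.[attacker@example.com].anubi  -> original name + contact address
$pattern = '^(?<orig>.+)\.\[(?<email>[^\]]+)\]\.anubi$'

# Drives to examine: fixed local volumes plus mapped network drives (the
# article notes that Anubi encrypts mapped shares, so they are in scope).
$fixed  = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 3' | ForEach-Object { "$($_.DeviceID)\" }
$mapped = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.DisplayRoot -like '\\*' }

if ($mapped) {
    Write-Host 'Mapped network drives (at risk while the ransomware process is alive):'
    $mapped | ForEach-Object { '  {0}:  -> {1}' -f $_.Name, $_.DisplayRoot }
    # To cut the ransomware off from a share while you clean up, e.g. drive Z:
    #   net use Z: /delete
}

# @() on both sides so a single drive letter is not string-concatenated.
$roots = @($fixed) + @($mapped | ForEach-Object { "$($_.Name):\" })

$encrypted = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -File -Filter '*.anubi' -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Name -match $pattern) {
                [pscustomobject]@{
                    Path         = $_.FullName
                    OriginalName = $Matches['orig']
                    Contact      = $Matches['email']
                    Encrypted    = $_.LastWriteTime
                }
            }
        }
}

$notes = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -File -Filter '_READ_ME_.txt' -ErrorAction SilentlyContinue
}

'Encrypted files: {0}' -f @($encrypted).Count
'Ransom notes:    {0}' -f @($notes).Count
'Contact addresses seen: {0}' -f (@($encrypted | ForEach-Object Contact | Sort-Object -Unique) -join ', ')

# Heuristic: the earliest LastWriteTime approximates when encryption started,
# which is what you need when choosing a shadow copy that predates the attack.
if ($encrypted) {
    'First encryption (approx.): {0}' -f ($encrypted | Sort-Object Encrypted | Select-Object -First 1).Encrypted
}

# Keep an inventory of what was hit; the recovery steps later need the original names.
$encrypted | Export-Csv -Path "$env:USERPROFILE\Desktop\anubi-encrypted-files.csv" -NoTypeInformation
```

Run it before killing anything only if you must; if the process is still running, stop it first (see the removal steps below) and disconnect mapped drives, then run the inventory. The CSV on the Desktop is the list you will work from when restoring files.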
Step 1: Open the Task Manager by pressing Ctrl + Shift + Esc at the same time. Go to the Processes tab and look for suspicious processes that could be related to Anubi ransomware.
Right-click each such process and click Open File Location to see where its executable lives, then end the process first (a running executable cannot be deleted) and delete the executable and its folder. Scan the location with a trusted antivirus such as SpyRemover Pro; if the scanner fails to detect something you know is suspicious, delete it anyway.
Step 2: Open Programs and Features in Control Panel: press the Windows key + R to launch Run, type appwiz.cpl in the Run box and click OK.
Step 3: Look for Anubi ransomware or any related program and then Uninstall it.
Step 4: Hold down Windows + E keys simultaneously to open File Explorer.
Step 5: Go to the directories listed below and look for the malicious files, such as the ransom note _READ_ME_.txt.
- C:\Users\(your user name)\AppData\Roaming (%APPDATA%)
- %TEMP%
- %USERPROFILE%\Downloads
- %USERPROFILE%\Desktop
Step 6: Delete all the malicious files related to Anubi ransomware which you can find on the given directories above.
Before you proceed to the next steps, make sure you know how to use and navigate the Windows Registry: a wrong deletion there can leave the computer unable to boot, so export the key you are about to change (File > Export in Registry Editor) so the change can be undone. If you would rather not edit the Registry by hand, you can use PC Cleaner Pro instead. If you are comfortable with the Registry, go on to the next steps.
Step 7: Tap Win + R to open Run and then type in regedit in the field and tap enter to pull up Windows Registry.
Step 8: Navigate to the following paths:
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (HKCU\...\Run)
- HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\
- HKLM\SOFTWARE\Microsoft\Tracing\
The Run key is where the autorun entry lives: look for a value whose data points at an executable in a user-writable location such as %APPDATA% or %TEMP%. The Tracing keys are created automatically by Windows for programs that use its networking APIs; a subkey named after the ransomware executable there is a leftover artifact, not a persistence mechanism, so deleting it is safe but does not by itself stop the malware.
Step 9: Delete the registry values and subkeys created by Anubi ransomware.
Step 10: Close the Registry Editor and empty your Recycle Bin.
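Steps 1 to 10 can be carried out from one PowerShell session, which is faster than clicking through Task Manager, appwiz.cpl, File Explorer and regedit while the ransomware is still encrypting. This is an added example, not a script from the original article or a vendor tool; it assumes the autorun is a value under the HKCU Run key as the article states, does not know the value name or the executable path in advance (so it lists every Run entry and asks you which one to act on), and needs an elevated PowerShell for the HKLM Tracing keys.

```powershell
# Added example (not part of the original article): remove Anubi's running
# process and its persistence. Assumptions: the autorun is a value under the
# HKCU Run key; value name and executable path are unknown and chosen by you.

$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

# 1. List autorun entries. The suspicious one is typically the entry whose
#    command points into %APPDATA%, %TEMP% or elsewhere under the profile.
$entries = Get-ItemProperty -Path $runKey
$entries.PSObject.Properties |
    Where-Object { $_.Name -notlike 'PS*' } |          # drop PSPath, PSChildName, ...
    ForEach-Object {
        $cmd  = [string]$_.Value
        $flag = if ($cmd -match [regex]::Escape($env:APPDATA) -or
                    $cmd -match [regex]::Escape($env:TEMP) -or
                    $cmd -match [regex]::Escape($env:USERPROFILE)) { '<-- check' } else { '' }
        '{0,-30} {1} {2}' -f $_.Name, $cmd, $flag
    }

# 2. Name the entry you identified above.
$suspectName = Read-Host 'Name of the suspicious Run value (blank to stop)'
if (-not $suspectName) { return }

$cmdLine = (Get-ItemProperty -Path $runKey -Name $suspectName).$suspectName
# Extract the executable from a command line that may be quoted or carry arguments.
$exePath = if ($cmdLine -match '^"([^"]+)"') { $Matches[1] } else { ($cmdLine -split ' ')[0] }
"Executable: $exePath"

# 3. Stop the process before touching the file: a running executable cannot be
#    deleted, and the article notes Anubi encrypts slowly, so every second counts.
Get-Process | Where-Object { $_.Path -eq $exePath } | Stop-Process -Force -ErrorAction SilentlyContinue

# 4. Remove the autorun value, then the binary.
Remove-ItemProperty -Path $runKey -Name $suspectName
if (Test-Path -LiteralPath $exePath) { Remove-Item -LiteralPath $exePath -Force }

# 5. Remove leftover ransom notes in the locations the article lists.
foreach ($dir in @($env:APPDATA, $env:TEMP, "$env:USERPROFILE\Downloads", "$env:USERPROFILE\Desktop")) {
    Get-ChildItem -Path $dir -Filter '_READ_ME_.txt' -Recurse -File -ErrorAction SilentlyContinue |
        Remove-Item -Force
}

# 6. Tracing subkeys are Windows artifacts named after the executable, not
#    persistence; clearing them only tidies up (requires an elevated session).
$exeBase = [IO.Path]::GetFileNameWithoutExtension($exePath)
foreach ($tracing in 'HKLM:\SOFTWARE\Microsoft\Tracing', 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Tracing') {
    Get-ChildItem -Path $tracing -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like "$exeBase*" } |
        Remove-Item -Recurse -Force
}
```

Deliberately, the script never guesses the value name: an automated match on "anubi" would miss a renamed entry and could delete a legitimate one. Keep a copy of the deleted executable on removable media if you intend to submit it to a researcher or sandbox.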
Note: If Anubi ransomware managed to encrypt several files before you stopped it, here is a way to try to recover them:
Try to recover your encrypted files from the Shadow Volume copies
Restoring your encrypted files using the Previous Versions feature of Windows only works if Anubi ransomware has not deleted the shadow copies of your files. Even so, it is one of the best free methods there is, so it is definitely worth a try.
To restore an encrypted file, right-click it and select Properties; in the window that opens, go to the Previous Versions tab. It lists the versions of the file saved before it was modified. Select one of the previous versions shown in the list and click the Restore button.
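Doing this one file at a time through the Properties dialog does not scale to hundreds of files, and the first question is whether any shadow copies survived at all. The script below is an added example, not part of the original article: it lists shadow copies, picks the newest one older than a cutoff you set, exposes it through a directory symlink (C:\shadow, an assumed path; any free path works) and copies the pre-encryption version of every encrypted file back under its original name, leaving the encrypted copy in place. It assumes an elevated PowerShell, the .[email_address].anubi pattern from the article, and that the files to restore live on C: under C:\Users.

```powershell
# Added example (not part of the original article): check for surviving shadow
# copies and restore encrypted files from one. Assumptions: elevated session,
# files on C:\ under C:\Users, snapshot exposed at C:\shadow.

# 1. Previous Versions only works if shadow copies still exist. None listed
#    here means this route is closed (the caveat in the article).
$shadows = Get-CimInstance Win32_ShadowCopy | Sort-Object InstallDate
if (-not $shadows) { Write-Warning 'No shadow copies on this machine; Previous Versions cannot help.'; return }
$shadows | Format-Table ID, InstallDate, VolumeName, DeviceObject -AutoSize

# 2. Choose the newest shadow copy that predates the encryption.
#    Assumption: encryption started within the last 24 hours; adjust $cutoff to
#    the first-encryption time you observed.
$cutoff = (Get-Date).AddHours(-24)
$snap = $shadows | Where-Object { $_.InstallDate -lt $cutoff } | Select-Object -Last 1
if (-not $snap) { Write-Warning 'No shadow copy older than the cutoff.'; return }

# 3. Expose the snapshot as a directory. The trailing backslash on the device
#    path (\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN\) is required by mklink.
$mount = 'C:\shadow'
cmd /c mklink /d $mount "$($snap.DeviceObject)\" | Out-Null

# 4. For every encrypted file, copy the pre-encryption version from the snapshot
#    next to it under the original name. The encrypted file is left untouched.
$pattern  = '^(?<orig>.+)\.\[[^\]]+\]\.anubi$'
$restored = 0
$missing  = 0
Get-ChildItem -Path 'C:\Users' -Recurse -File -Filter '*.anubi' -ErrorAction SilentlyContinue |
    ForEach-Object {
        if ($_.Name -notmatch $pattern) { return }          # 'return' = next item in ForEach-Object
        $originalPath = Join-Path $_.DirectoryName $Matches['orig']
        $relative     = $originalPath.Substring(3)          # strip the leading "C:\"
        $snapshotCopy = Join-Path $mount $relative
        if (Test-Path -LiteralPath $snapshotCopy) {
            Copy-Item -LiteralPath $snapshotCopy -Destination $originalPath -Force
            $restored++
        } else {
            $missing++                                      # file newer than the snapshot, or never on C:
        }
    }
"Restored $restored file(s) from shadow copy $($snap.ID) created $($snap.InstallDate); $missing had no snapshot copy."

# 5. Remove the link only (rmdir on a directory symlink does not touch the snapshot).
cmd /c rmdir $mount | Out-Null
```

Check the listing in step 1 against the first-encryption time from your inventory before setting the cutoff: restoring from a snapshot taken after encryption began would just copy encrypted data back. Files created after the chosen snapshot are counted as missing and need another recovery route.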
Follow the advanced removal guide below to make sure that Anubi ransomware is completely eliminated from your computer.
Perform a full system scan using SpyRemover Pro. To do so, follow these steps:
- Turn on your computer. If it is already on, reboot it.
- As soon as the BIOS/POST screen disappears and before the Windows logo appears, press F8 repeatedly until the Advanced Boot Options menu shows up. If Windows starts normally instead, reboot and try again. On Windows 8 and later the F8 menu is disabled by default: hold Shift while clicking Restart, then choose Troubleshoot > Advanced options > Startup Settings > Restart and press 5 for Safe Mode with Networking.
- In the Advanced Boot Options menu, use the arrow keys to select Safe Mode with Networking and press Enter.
- Windows will now load Safe Mode with Networking.
- Press and hold the Windows key and the R key.
- If done correctly, the Windows Run box will show up.
- Type in explorer http://www.fixmypcfree.com/install/spyremoverpro
A single space must separate explorer and http. Click OK.
- Your browser will display a download dialog. Click Run to begin downloading the program. Installation starts automatically once the download is done.
- Click OK to launch it.
- Run SpyRemover Pro and perform a full system scan.
- After all the infections have been identified, click REMOVE ALL.
- Register the program to protect your computer from future threats.