What is AnonCrack ransomware? And how does it perform its attack?
AnonCrack ransomware is a file-encrypting Trojan that mainly targets Spanish-speaking users, judging by its ransom note, which is written in Spanish. It is built on HiddenTear, an open-source "educational" ransomware project whose code has been reused by many cyber criminals to create real infections. AnonCrack was discovered on October 12, 2017 and is delivered to vulnerable computers disguised as a piece of fake software that researchers identified as Paypal Money Sender V2.0.
Interestingly, the sample is compiled as a 32-bit x86 executable (the "Intel 386" machine type in its PE header), so it runs on both 32-bit and 64-bit Windows; this says nothing about the processors its victims use. It hides inside the fake Paypal Money Sender V2.0 program. On infiltration, the ransomware immediately scans the computer's drives for files with the following extensions so that it can encrypt them:
.3gp, .7z, .apk, .avi, .bmp, .cdr, .cer, .chm, .conf, .css, .csv, .dat, .db, .dbf, .djvu, .dbx, .docm, .doc, .epub, .docx, .fb2, .flv, .gif, .gz, .iso, .ibooks, .jpeg, .jpg, .key, .mdb, .md2, .mdf, .mht, .mobi, .mhtm, .mkv, .mov, .mp3, .mp4, .mpg, .mpeg, .pict, .pdf, .pps, .pkg, .png, .ppt, .pptx, .ppsx, .psd, .rar, .rtf, .scr, .swf, .sav, .tiff, .tif, .tbl, .torrent, .txt, .vsd, .wmv, .xls, .xlsx, .xps, .xml, .ckp, .zip, .java, .py, .asm, .c, .cpp, .cs, .js, .php, .dacpac, .rbw, .rb, .mrg, .dcx, .db3, .sql, .sqlite3, .sqlite, .sqlitedb, .psp, .pdb, .dxf, .dwg, .drw, .casb, .ccp, .cal, .cmx, .cr2.
It encrypts each file with AES-256 and then appends the .crack extension to the file name, so a document such as report.docx becomes report.docx.crack. After that, AnonCrack deletes the Volume Shadow Copies of the encrypted files so that victims cannot restore earlier versions from them. Without the decryption key, recovering the files is therefore hard. One caveat a practitioner should keep in mind: HiddenTear's key generation is weak (it builds the AES password from a non-cryptographic pseudo-random generator), which is why free decryptors have been released for many HiddenTear-based families, so it is worth checking whether one covers the .crack variant before assuming the files are lost. Researchers also observed mscoree.dll with the infection; that library is the .NET runtime loader and is expected for any HiddenTear build, since HiddenTear is written in C#. Finally, AnonCrack replaces the Desktop background image with one containing the ransom note, written in Spanish:
(English translation of the Spanish note)
“Your computer has been hacked and encrypted by ANONCRACK …!
HOW TO RECOVER YOUR FILES?
- Make a payment of 30 USD to this bitcoin address: 1CvWhugm6QbHisVvhyRuKn81kQgVVs4ov8
- Send a screenshot of the payment and the name of your PC to this email: [email protected]
- Once your payment is verified, we will send you the DECRYPTION KEY
- Enjoy your personal files
Your friends, ANONCRACK”
Besides the wallpaper, the ransomware also drops a file named PAGO.txt that contains the same message. Paying the ransom is not recommended and will most likely only waste your time and money, as these cyber criminals are not known to keep their word. It is best to remove the ransomware from your PC first so it cannot damage more of your files, then restore the encrypted files from backup copies while waiting for security experts to release a free decryptor.
How is AnonCrack ransomware disseminated online?
The ransomware spreads as a fake PayPal app, Paypal Money Sender V2.0, which is most likely distributed through forums and malicious websites. Take note that no legitimate app by that name exists. According to researchers, the fake software is also likely to be spread in spam emails; cyber criminals often dress such emails up as something urgent to trick users into downloading and opening the attachment. To avoid AnonCrack ransomware, be cautious about downloading apps or software from third-party app stores or file-sharing sites, as some of these sites cannot be trusted and are often abused by cyber crooks.
Here are the manual removal steps you can try to terminate AnonCrack ransomware on your PC.
Step 1: End the ransomware's process in Task Manager; tap Ctrl + Shift + Esc to open it.
Step 2: In Task Manager, go to the Processes tab, look for AnonCrack's process (it usually appears under the fake program's name, Paypal Money Sender V2.0, or another unfamiliar name), right-click it and select End Process or End Task.
Step 3: Close Task Manager and open the Control Panel program list by tapping Windows key + R, typing appwiz.cpl and clicking OK or pressing Enter.
Step 4: Locate AnonCrack ransomware (or Paypal Money Sender V2.0) in the list of installed programs and uninstall it.
Step 5: Close Control Panel and tap Win + E to open File Explorer.
Step 6: Navigate to the following locations and look for AnonCrack ransomware's components, such as the Paypal Money Sender V2.0 executable and other suspicious files, then delete all of them.
Step 7: Close the File Explorer.
Before you proceed to the next steps, make sure you are comfortable using and navigating the Windows Registry: a wrong deletion there can affect the whole system, so export each key before you remove it (File > Export in Registry Editor) so it can be restored. If you would rather not edit the Registry by hand, PC Cleaner Pro is the automated alternative offered here. If you can manage the Windows Registry well, go on to the next steps.
Step 8: Tap Win + R to open Run, type regedit in the field and press Enter to open the Registry Editor.
Step 9: Navigate to the following path:
Step 10: Delete the registry keys and sub-keys created by AnonCrack ransomware, exporting each one first so it can be restored if you remove the wrong key.
Step 11: Close the Registry Editor.
Step 12: Empty your Recycle Bin.
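As an added example (not code from this page and not the AnonCrack authors' code), the following Python script ties the analysis above (the target-extension list, the .crack suffix appended to file names, the PAGO.txt note and the shadow-copy deletion) to the manual removal steps: it inventories encrypted files and recovers their original names for restoring from backup, locates PAGO.txt and the fake Paypal Money Sender V2.0 executable, flags command lines that delete Volume Shadow Copies, and picks out Run-key entries that would relaunch the dropper at logon. The sample file list, process command lines and Run-key entries are constructed; the executable's file name, the vssadmin/wmic commands and the Run-key persistence are assumptions, since the page names neither the process nor the registry keys.

```python
"""Offline triage for an AnonCrack (HiddenTear-style) infection.

Added example, not the page's own tooling and not the ransomware's code. It
runs on constructed sample data; on a real machine you would feed it a file
listing, the running processes' command lines and the Run-key values.
Assumptions (not stated on the page): the fake app's executable carries the
"Paypal Money Sender" name, and shadow copies are removed with vssadmin/wmic.
"""
import re
from pathlib import PureWindowsPath

# A subset of the extensions the page lists as encryption targets.
TARGET_EXTENSIONS = {
    ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt",
    ".jpg", ".jpeg", ".png", ".gif", ".mp3", ".mp4", ".zip", ".rar",
    ".sql", ".db", ".py", ".java", ".cpp", ".cs",
}
ENCRYPTED_SUFFIX = ".crack"          # appended to the full original name
RANSOM_NOTE_NAME = "pago.txt"        # compared case-insensitively
DROPPER_NAME = re.compile(r"paypal\s*money\s*sender", re.IGNORECASE)

# The usual shadow-copy deletion commands (assumption: AnonCrack uses one of them).
SHADOW_DELETION = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.IGNORECASE),
]

# Constructed sample inputs: not taken from a real infection.
SAMPLE_FILES = [
    r"C:\Users\ana\Documents\informe.docx.crack",
    r"C:\Users\ana\Pictures\vacaciones.jpg.crack",
    r"C:\Users\ana\Music\song.flac.crack",      # .flac is not on the target list
    r"C:\Users\ana\Desktop\PAGO.txt",
    r"C:\Users\ana\Downloads\Paypal Money Sender V2.0.exe",
    r"C:\Users\ana\Documents\notas.txt",        # untouched file
]
SAMPLE_COMMAND_LINES = [
    r'"C:\Users\ana\Downloads\Paypal Money Sender V2.0.exe"',
    r"vssadmin.exe delete shadows /all /quiet",
    r"wmic shadowcopy delete",
    r"C:\Windows\System32\svchost.exe -k netsvcs",
]
SAMPLE_RUN_KEY = {   # HKCU\Software\Microsoft\Windows\CurrentVersion\Run: value -> command
    "OneDrive": r'"C:\Users\ana\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "PaypalMoneySender": r'"C:\Users\ana\AppData\Roaming\Paypal Money Sender V2.0.exe"',
}


def inventory_encrypted(paths):
    """One record per .crack file: original name, its extension, and whether
    that extension is on the ransomware's target list. Stripping the suffix
    gives the name to restore from backup."""
    records = []
    for raw in paths:
        if PureWindowsPath(raw).suffix.lower() != ENCRYPTED_SUFFIX:
            continue
        original = PureWindowsPath(raw[:-len(ENCRYPTED_SUFFIX)])
        ext = original.suffix.lower()
        records.append({"encrypted": raw, "original": original.name,
                        "extension": ext, "targeted": ext in TARGET_EXTENSIONS})
    return records


def find_ransom_notes(paths):
    return [p for p in paths if PureWindowsPath(p).name.lower() == RANSOM_NOTE_NAME]


def find_dropper(paths):
    return [p for p in paths if DROPPER_NAME.search(PureWindowsPath(p).name)]


def flag_shadow_deletion(command_lines):
    """Command lines that wipe Volume Shadow Copies; once they have run,
    previous-version recovery is gone, so they are worth alerting on."""
    return [c for c in command_lines if any(rx.search(c) for rx in SHADOW_DELETION)]


def flag_autoruns(run_entries):
    """Run-key values that would relaunch the dropper at logon; these are the
    registry entries to export and then delete in the manual steps."""
    return [(name, cmd) for name, cmd in run_entries.items()
            if DROPPER_NAME.search(name) or DROPPER_NAME.search(cmd)]


def triage(paths, command_lines, run_entries):
    return {
        "encrypted": inventory_encrypted(paths),
        "ransom_notes": find_ransom_notes(paths),
        "dropper": find_dropper(paths),
        "shadow_deletion": flag_shadow_deletion(command_lines),
        "autoruns": flag_autoruns(run_entries),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_FILES, SAMPLE_COMMAND_LINES, SAMPLE_RUN_KEY)
    for rec in report["encrypted"]:
        print(f"{rec['original']:<20} {rec['extension']:<6} targeted={rec['targeted']}")
    for key in ("ransom_notes", "dropper", "shadow_deletion", "autoruns"):
        print(f"{key}: {report[key]}")
```

On a real system, feed the functions the output of a recursive directory listing, the command lines of running processes, and the values under the HKCU and HKLM Run keys; running it from Safe Mode before cleanup also leaves you with a list of exactly which files to restore from backup.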
The manual steps above may not be enough to ensure the complete removal of AnonCrack ransomware, so you should also go through the advanced steps below.
Perform a full system scan using SpyRemover Pro. To do so, follow these steps:
- Turn on your computer. If it is already on, reboot it.
- After that, the BIOS screen will be displayed; if Windows loads instead, reboot your computer and try again. Once you are on the BIOS screen, repeatedly press F8 so that the Advanced Boot Options menu shows up.
- Use the arrow keys to navigate the Advanced Boot Options menu, select Safe Mode with Networking and press Enter.
- Windows will now load Safe Mode with Networking.
- Press and hold the Windows key and the R key.
- If done correctly, the Windows Run box will show up.
- Type in explorer http://www.fixmypcfree.com/install/spyremoverpro
There must be a single space between explorer and http. Click OK.
- A dialog box will be displayed by Internet Explorer. Click Run to begin downloading the program. Installation will start automatically once download is done.
- Click OK to launch it.
- Run SpyRemover Pro and perform a full system scan.
- After all the infections are identified, click REMOVE ALL.
- Register the program to protect your computer from future threats.