
Anubis Ransomware Remove and Restore .coded File

Strangely enough, a ransomware virus variant that has Anubis for its theme has appeared, leaving encoded files with the .coded file extension after it encrypts them. The virus then changes the wallpaper of the affected computer to a distinctive one showing the Egyptian god, alongside a ransom note explaining the situation to affected users. The virus also drops a “decryption_instructions.txt” file which aims to induce fear in users and get them to pay the ransom and contact the cyber-crooks for decryption instructions via their e-mail “support.code@aol.com”. Malware researchers who are reverse engineering the Anubis virus advise users not to pay the cyber-criminals behind this e-mail address and to remove the virus. If you seek alternative methods to restore your files and removal instructions for Anubis ransomware, you should read this article thoroughly instead of paying crooks who may or may not restore your files.

Threat Summary

Name Anubis
Type Ransomware
Short Description The ransomware encrypts files with an encryption algorithm, rendering them no longer openable until a ransom is paid to the cyber-criminals, who are the only ones with the decryption keys. The Anubis virus is believed to be part of the EDA2 ransomware family.
Symptoms Files are encrypted and become inaccessible. A ransom note with instructions for paying the ransom shows as a decryption_instructions.txt file.
Distribution Method Spam Emails, Email Attachments, File Sharing Networks.
Detection Tool See If Your System Has Been Affected by Anubis
User Experience Join our forum to Discuss Anubis Ransomware.
Data Recovery Tool Stellar Phoenix Data Recovery Technician’s License Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Anubis Ransomware – How Does It Spread

Users can get infected with this variant of Anubis ransomware in multiple scenarios. The virus may spread via malicious web links posted all over the web in widely visited websites, such as social media sites as well as websites that have comments and user content, like Reddit, Facebook, Twitter, and others. The weblinks themselves may not be malicious, and this is what gets them posted online without being detected. They may, however, perform a browser redirect and transfer to the actual malicious URL that causes a drive-by-download or a file-less JavaScript type of infection.

The most likely scenario of getting infected with ransomware like the Anubis virus is via e-mail. The crypto-virus may be distributed by spamming software that sends e-mails to a pre-configured list of targets. Such e-mails may carry various convincing subjects, like:

  • Invoice.
  • Payment confirmation.
  • PayPal transfers.
  • Letter from your bank.

Such subjects may convince users to open e-mail attachments that seem legitimate but contain the Anubis ransomware. Since many users are inexperienced, this is a proven method of causing malware infections, which is why cyber-criminals prefer it.

Anubis Ransomware – Further Information

When initially activated, the malicious file may be the ransomware itself, especially if it is a .JS type of file. However, the virus may also be downloaded by third party malware that causes the infection. The payload of Anubis ransomware may be located under different names in one of the following key Windows folders:

(Image: commonly used file names and folders)

After the payload has been dropped, Anubis ransomware may cause the computer to slow down and even freeze while it performs its encryption process. Initially, the virus may either modify the registry entries in the keys “Run” and “RunOnce” of the infected computer or drop files in the %Startup% folder to make the file encryptor run every time Windows starts. It may also delete the shadow copies and file history to ensure that no files are restored. This is usually achieved by silently executing the following command:

(Image: shadow copy deletion command)

After its preparation stage is complete, Anubis ransomware may target multiple types of files for encryption:

.jpg, .png, .bmp, .psd, .docx, .pptx, .xlx, .xls, .avi, .mpeg4, .mp3, .wmv and others

After having encrypted the targeted files, Anubis ransomware changes their core structure, and they can no longer be opened. The .coded file extension is added to the files, and they may appear like the following example:

(Image: example of a file with the .coded extension)

After having enciphered your files, the ransomware virus Anubis drops a ransom note on the affected computer, named decryption_instructions.txt. It has the following distinctive message:

→”IMPORTANT INFORMATION!
--------------------------
Your Computer ID: {uniqueID} <---- Remember it and send to my email.
--------------------------
All your files are encrypted strongly.!
-How to open my file?
-You need Original KEY and Decrypt Program
-Where can I get?
-Email to me: support.code@aol.com or support.code@india.com
(Open file Decryption Instructions on your Desktop and send your SID)”

But the notification and persistence of Anubis does not end there. The virus also changes the background of the infected computer to Anubis’s image with the following message:

(Image: Anubis ransomware wallpaper) Source: demonslay335 (Twitter)

Malware researchers believe that this virus is part of the open-source HiddenTear (EDA2) ransomware project and might be decryptable.

Anubis Ransomware – Conclusion, Removal, and File Restoration

As a bottom line, everyone who has had their PC infected with this variant of ransomware should not pay any form of ransom. This is because ransomware researchers are often looking for a method to decrypt viruses like Anubis and may release a free decryptor soon. Until then, your best bet is probably to remove Anubis ransomware from your computer by following the instructions below and to restore your files using the alternative methods in step “2. Restore files encrypted by Anubis”. The best method to remove the ransomware, especially if you are having difficulties following the manual instructions and have no experience in detecting the malicious files, is to use an advanced anti-malware program which will take care of Anubis ransomware automatically and swiftly. After having removed this virus, make sure that you back up your encrypted files before trying the file restoration methods, because they may be risky in some circumstances.
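As an added example (not code from the original article), the following Python script triages a folder tree for the indicators described above, files carrying the .coded extension and the decryption_instructions.txt note, groups the encrypted files by their original extension, and copies them to a backup location before any recovery attempt, as the paragraph recommends. It runs on a constructed sample tree built in a temporary directory; the sample file names are assumptions.

```python
import shutil
import tempfile
from collections import Counter
from pathlib import Path

CODED_EXT = ".coded"                         # extension Anubis appends to encrypted files
RANSOM_NOTE = "decryption_instructions.txt"  # ransom note the article says it drops

def inventory(root):
    """Return (encrypted .coded paths, ransom-note paths, Counter of original extensions)."""
    encrypted, notes, by_ext = [], [], Counter()
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.name.lower() == RANSOM_NOTE:
            notes.append(path)
        elif path.suffix.lower() == CODED_EXT:
            encrypted.append(path)
            # "report.docx.coded" -> original extension ".docx"
            by_ext[Path(path.stem).suffix.lower() or "(none)"] += 1
    return encrypted, notes, by_ext

def backup_encrypted(root, dest):
    """Copy (never move) every .coded file into dest, keeping the relative layout."""
    root, dest = Path(root), Path(dest)
    targets = []
    for src in inventory(root)[0]:
        target = dest / src.relative_to(root)
        target.parent.mkdir(parents=True, exist_ok=True)
        targets.append(shutil.copy2(src, target))  # originals stay untouched for recovery
    return targets

# Constructed sample of an infected user profile (assumed names, not real malware output).
SAMPLE = {
    "docs/report.docx.coded": b"ciphertext",
    "docs/budget.xls.coded": b"ciphertext",
    "docs/notes.txt": b"untouched",
    "pics/holiday.jpg.coded": b"ciphertext",
    "Desktop/decryption_instructions.txt": b"IMPORTANT INFORMATION!",
}

def demo():  # build SAMPLE in a temp dir, run triage and backup, return the summary
    with tempfile.TemporaryDirectory() as tmp:
        victim, backup = Path(tmp) / "victim", Path(tmp) / "backup"
        for rel, data in SAMPLE.items():
            (victim / rel).parent.mkdir(parents=True, exist_ok=True)
            (victim / rel).write_bytes(data)
        encrypted, notes, by_ext = inventory(victim)
        copied = len(backup_encrypted(victim, backup))
        return len(encrypted), len(notes), dict(by_ext), copied
```

Point `inventory` and `backup_encrypted` at a real user profile and an external drive to take the backup the paragraph asks for; the functions only read and copy, never delete.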

Manually delete Anubis from your computer

Note! Important notice about the Anubis threat: manual removal of Anubis requires interfering with system files and the registry, and so it can damage your PC. Even if your computer skills are not at a professional level, don’t worry: you can do the removal yourself in 5 minutes using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Anubis files and objects
2. Find malicious files created by Anubis on your PC

Automatically remove Anubis by downloading an advanced anti-malware program

1. Remove Anubis with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by Anubis
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

