Remove Anonymous Ransomware (Jigsaw Variant) and Restore .xyz Files


The Jigsaw ransomware keeps spawning new variants. The latest one appends the extension .xyz to encrypted files. Like its predecessors, the crypto-virus targets more than 120 file extensions and drops a ransom note once encryption is finished. The theme is again Anonymous, as we saw in the Epic variant. The ransom demanded is 250 US dollars. To learn how to restore your files and remove the ransomware, read the article carefully to the end.

Threat Summary

Name: Anonymous
Type: Ransomware
Short Description: Files with more than 120 different extensions get encrypted. Every hour, files can be deleted if the ransom is not paid.
Symptoms: The ransomware encrypts files with the AES encryption algorithm. Encrypted files get a new extension, .xyz. The ransom demanded is 250 US dollars.
Distribution Method: Spam Emails, Email Attachments, File Sharing Networks

Anonymous Ransomware – How Is It Spread?

Anonymous ransomware could be spread via spam e-mails carrying a file attachment. If the attachment is opened, the malicious code inside it executes and drops the ransomware onto your system. The file may be named something like firefox.exe, or after another well-known program, so that it looks useful and tricks people into opening it.

Most of the previous variants of the Anonymous ransomware were also spread through social media networks and file-sharing sites. Dropbox was used as another distribution channel for the original Jigsaw ransomware. The best way to avoid infection is to be wary of suspicious websites and links, and of files of unknown origin; any of them can carry malware that infects your machine with the Anonymous ransomware.

Anonymous Ransomware – Technical Overview

This encryption virus is called Anonymous and it is part of the Jigsaw ransomware family. Its name comes from the theme this variant uses, which recalls the other Jigsaw variant, Epic Ransomware. In the ransom message we can see the logo of the group Anonymous together with their slogan: “We are Anonymous. We Are Legion. We do not forget. We do not forgive. Expect us”. After encryption, your files are locked and unusable. The malware demands a fixed sum, payable in Bitcoin, for decryption. If you do not comply with the rules set by the Anonymous ransomware, your files may be deleted on an hourly basis.

The ransomware creates the following file on a compromised computer:

%UserProfile%\AppData\Local\MS\app_roaming.exe

It then adds a Run value named Defender.exe to the Windows Registry, masquerading as Windows Defender, so that it maintains persistence. This is the entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Defender.exe = %UserProfile%\AppData\Roaming\MS\Defender.exe

The Run value starts the ransomware every time the affected user logs on to Windows. Note that it points to a copy named Defender.exe under AppData\Roaming\MS, whereas the dropped file listed above sits under AppData\Local\MS, so check both locations when cleaning. Each time it starts, the ransomware process shows up in the Windows Task Manager. You are advised to end the process from there so that no files get erased, and then to remove the Run value before you reboot, since the malware threatens to delete files whenever it is restarted.

After that, the Anonymous ransomware shows a lock screen that types out its text character by character, as though it were happening in real time, to scare you further. Have a look at the lock screen message:


The text from the lock screen reads:

Your data has now been fully encrypted
But don’t worry! this can be temporary
Follow the instructions and this virus will decrypt all the data
and then remove itself
However, time is crucial. Every hour, it will select some of them,
and delete permanently.
PLEASE NOTE: If you or you Anti-virus attempts to remove this virus,
You will be responsible for getting rid of the ONLY way to getting you DATA back.
During the first 24 hour you will only lose a few items, actioned every hour
the second day a few hundred, the third day a few thousand.
If you turn off you computer, or attempt remove the virus
or try to close this window, it will start up again
and WILL delete 1000 files as a punishment.
Once you make the payment, click the confirmation button below and it will begin to
automaticlly decrypt process all data and the virus will remove itself once completed.
The ball is now in your court.

Your Move _

TIMER

1 file will be deleted.

View encrypted files.

Please, send at least $250 worth of Bitcoin here

I made a payment now give me back my files!

The ransomware demands a payment of at least 250 US dollars in Bitcoin and threatens to delete files for every hour you do not pay. The ransom amount does not increase with time. If you end the process from the Task Manager and remove its autorun entry before restarting, no further files should be deleted.

Paying the ransom demanded by the Anonymous ransomware is not advised. Nobody can guarantee that you will get your files back that way, and the money goes to cyber-criminals and funds further criminal activity.

At the end of the article you will find several ways to restore your data. The malware researcher who cracked the original Jigsaw ransomware, Michael Gillespie, has updated his decryption tool, and you will find it among the file restoration options below.

The Anonymous ransomware looks for files with a wide range of extensions on every storage device you own, SSD or HDD, local or external. Like its predecessors, this variant encrypts slightly more than 120 file extensions. A large portion of them are listed below:


→ .3dm, .3g2, .3gp, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .raw, .rb, .jpeg, .jpg, .js, .rtf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java

The AES algorithm is used to encrypt the files, and the ransomware appends the .xyz extension to every locked file. If you restart your computer while the malware is still installed, you risk losing 1,000 of your files.

A solution for restoring your files is given below. If you have already rebooted your PC after the infection and lost some files, do not despair: the malware deletes them rather than encrypting them, so data recovery software may still be able to bring them back.

Remove Anonymous Ransomware and Restore .xyz Files

If Anonymous ransomware has infected your machine, do not panic: a free decrypter for it already exists. Removing the ransomware itself does require some experience with malware removal. Follow the instructions below to see how to clean the system and recover your files.

Manually delete Anonymous from your computer

Note! Important notice about the Anonymous threat: manual removal of Anonymous requires working with system files and the registry, and mistakes there can damage your PC. If your computer skills are not at a professional level, don’t worry; you can do the removal yourself in about 5 minutes using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Anonymous files and objects.
2. Find malicious files created by Anonymous on your PC.
3. Fix registry entries created by Anonymous on your PC.
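The following PowerShell script is an added example and is not code from the original article or from any decrypter project. It carries out the three manual steps above in the order that matters for Jigsaw variants: stop the running process first (so the hourly deletion timer cannot fire), remove the autorun value before any reboot (the lock screen threatens 1,000 deletions per restart), then quarantine the dropped executables and inventory the .xyz files for the decrypter. The paths and the Run value name are the ones quoted in the technical overview; the process names are assumptions derived from those file names, and the quarantine folder is a name chosen for this example.

```powershell
# Added example: triage and removal of the Anonymous (Jigsaw) persistence
# described in the article. Run from an elevated PowerShell prompt as the
# affected user. Paths and the Run value name come from the article; the
# process names and the quarantine folder are assumptions for this example.
#Requires -Version 5.1
$ErrorActionPreference = 'Stop'

$runKey     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$valueName  = 'Defender.exe'
$dropped    = @(
    (Join-Path $env:LOCALAPPDATA 'MS\app_roaming.exe'),   # dropped file from the article
    (Join-Path $env:APPDATA      'MS\Defender.exe')       # target of the Run value
)
$quarantine = Join-Path $env:USERPROFILE 'Desktop\jigsaw-quarantine'   # assumed name

# 1. Stop the ransomware before anything else so its hourly timer cannot run.
#    Only kill processes that actually live in the AppData\...\MS folders; the
#    real Windows Defender engine (MsMpEng.exe) runs from Program Files.
foreach ($name in 'app_roaming', 'Defender') {           # assumed process names
    Get-Process -Name $name -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -and $_.Path -like "$env:USERPROFILE\AppData\*\MS\*" } |
        ForEach-Object {
            Write-Host "Stopping $($_.Path) (PID $($_.Id))"
            Stop-Process -Id $_.Id -Force
        }
}

# 2. Remove the autorun value BEFORE rebooting: the lock screen promises to
#    delete 1000 files every time the malware is restarted.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties[$valueName]) {
    Write-Host "Removing Run value '$valueName' -> $($run.$valueName)"
    Remove-ItemProperty -Path $runKey -Name $valueName
}

# 3. Quarantine (do not delete) the dropped executables: the decrypter and any
#    incident record benefit from having the sample and its hash.
New-Item -ItemType Directory -Path $quarantine -Force | Out-Null
foreach ($file in $dropped) {
    if (Test-Path -LiteralPath $file) {
        $hash = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
        Write-Host "Quarantining $file  SHA256=$hash"
        Move-Item -LiteralPath $file -Destination $quarantine -Force
    }
}

# 4. Generic check: any other HKCU Run entry launching from the same folders
#    is a sign that a second copy or a renamed value is still present.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    $run.PSObject.Properties |
        Where-Object { $_.Value -is [string] -and $_.Value -like '*\AppData\*\MS\*' } |
        ForEach-Object { Write-Warning "Suspicious autorun still present: $($_.Name) = $($_.Value)" }
}

# 5. Inventory the encrypted files (this variant appends .xyz) on every
#    filesystem drive, local or external, so the decrypter can be pointed at
#    them and the damage can be sized.
$inventory = Join-Path $quarantine 'encrypted-files.txt'
Get-PSDrive -PSProvider FileSystem | ForEach-Object {
    Get-ChildItem -Path $_.Root -Filter '*.xyz' -File -Recurse -ErrorAction SilentlyContinue
} | Select-Object -ExpandProperty FullName | Set-Content -Path $inventory
Write-Host "$(@(Get-Content -Path $inventory).Count) encrypted files listed in $inventory"
```

Run the script once, then reboot into Safe Mode and run it again: if step 1 finds no process and step 4 prints no warning, the persistence is gone and you can move on to decryption. The .xyz inventory is deliberately written to the quarantine folder rather than printed, because on a large disk it can run to tens of thousands of lines.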

Automatically remove Anonymous by downloading an advanced anti-malware program

1. Remove Anonymous with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by Anonymous in the future
3. Restore files encrypted by Anonymous
Optional: Using Alternative Anti-Malware Tools

Berta Bilbao

Berta is the Editor-in-Chief of SensorsTechForum. She is a dedicated malware researcher, dreaming for a more secure cyber space.
