Anubis Ransomware Remove and Restore .coded File

Strangely enough, a ransomware variant themed around Anubis has appeared. It leaves files with the .coded extension after encrypting them. The virus then changes the wallpaper of the affected computer to a distinctive one showing the Egyptian god alongside a ransom note explaining the situation to affected users. The virus also drops a “decryption_instructions.txt” file, which aims to frighten users into paying the ransom and contacting the cyber-crooks for decryption instructions at their e-mail address “[email protected]”. Malware researchers who are reverse engineering the Anubis virus advise users not to make any payoff to the cyber-criminals behind this e-mail address and to remove the virus. If you are looking for alternative methods to restore your files and for removal instructions for Anubis ransomware, read this article thoroughly instead of paying crooks who may or may not restore your files.

Threat Summary

Short Description: The ransomware encrypts files with an encryption algorithm, rendering them unopenable until a ransom is paid to the cyber-criminals, who are the only ones with the decryption keys. The Anubis virus is believed to be a part of the EDA2 ransomware family.
Symptoms: Files are encrypted and become inaccessible. A ransom note with instructions for paying the ransom appears as a decryption_instructions.txt file.
Distribution Method: Spam Emails, Email Attachments, File Sharing Networks.
User Experience: Join our forum to Discuss Anubis Ransomware.
Data Recovery Tool: Stellar Phoenix Data Recovery Technician’s License. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Anubis Ransomware – How Does It Spread

Users can get infected with this variant of Anubis ransomware in multiple scenarios. The virus may spread via malicious web links posted all over the web in widely visited websites, such as social media sites as well as websites that have comments and user content, like Reddit, Facebook, Twitter, and others. The weblinks themselves may not be malicious, and this is what gets them posted online without being detected. They may, however, perform a browser redirect and transfer to the actual malicious URL that causes a drive-by-download or a file-less JavaScript type of infection.

The most likely scenario of getting infected with ransomware like the Anubis virus is via e-mail. The crypto-virus may be spammed via spamming software that sends multiple e-mails to a pre-configured list of targets. Such e-mails may contain various subjects that are convincing, like:

  • Invoice.
  • Payment confirmation.
  • PayPal transfers.
  • Letter from your bank.

Such subjects may convince users to open e-mail attachments that seem legitimate but contain the Anubis ransomware. Given that most users nowadays are inexperienced, it is already a proven method to cause malware infections, and this is why cyber-criminals prefer it.

Anubis Ransomware – Further Information

When initially activated, the malicious file may be the ransomware itself, especially if it is a .JS type of file. However, the virus may also be downloaded by third party malware that causes the infection. The payload of Anubis ransomware may be located under different names in one of the following key Windows folders:

commonly used file names and folders

After the payload has been dropped, Anubis ransomware may cause the computer to slow down and even freeze while it performs its encryption process. Initially, the virus may either modify the registry entries in the keys “Run” and “RunOnce” of the infected computer or drop files in the %Startup% folder to make the file encryptor run every time Windows starts. It may also delete the shadow copies and file history to ensure that no files are restored. This is usually achieved by executing the following command in incognito mode:


After its preparation stage is complete, Anubis ransomware may target multiple types of files for encryption:

.jpg, .png, .bmp, .psd, .docx, .pptx, .xlx, .xls, .avi, .mpeg4, .mp3, .wmv and others
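
To check for the “Run” and “RunOnce” persistence described earlier, the autostart entries can be exported and reviewed offline. The Python below is an added example, not part of the original article: it parses text in the layout printed by reg query and lists entries worth a manual look. The sample entries and the lists of suspect directories and script extensions are assumptions made for illustration.

```python
import re

# Registry keys the article names as autostart locations.
AUTOSTART_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")
# Assumptions, not from the article: user-writable directories and script
# types that deserve a second look when they appear in an autostart entry.
SUSPECT_DIRS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
SUSPECT_EXTS = (".js", ".jse", ".vbs", ".wsf")
VALUE_LINE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")

# Constructed sample in the layout printed by `reg query <key>`.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Updater    REG_SZ    wscript.exe "C:\Users\alice\AppData\Roaming\upd.js"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    Cleanup    REG_SZ    "C:\Users\alice\AppData\Local\Temp\svc.exe"
"""


def audit_autostart(reg_query_output):
    """Return autostart entries worth reviewing as (key, name, command, reasons)."""
    findings, key = [], None
    for line in reg_query_output.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        match = VALUE_LINE.match(line)
        if not match or key is None or not key.lower().endswith(AUTOSTART_KEYS):
            continue
        name, _kind, command = match.groups()
        lowered = command.lower()
        reasons = [f"path under {d}" for d in SUSPECT_DIRS if d in lowered]
        if any(tok.strip('"').endswith(SUSPECT_EXTS) for tok in lowered.split()):
            reasons.append("launches a script file")
        if reasons:
            findings.append((key, name, command, reasons))
    return findings


if __name__ == "__main__":
    for key, name, command, reasons in audit_autostart(SAMPLE):
        print(f"{key}\n  {name}: {command}\n  review: {', '.join(reasons)}")
```

Legitimate software also starts from user-profile folders, so a flagged entry is a prompt for review rather than proof of infection.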

After having encrypted the targeted files, Anubis ransomware changes their core structure, and they can no longer be opened. The .coded file extension is added to the files, and they may appear like the following example:


After having enciphered your files, the ransomware virus Anubis drops a ransom note on the affected computer, named decryption_instructions.txt. It has the following distinctive message:

Your Computer ID: {uniqueID} <---- Remember it and send to my email.
--------------------------
All your files are encrypted strongly.!
-How to open my file?
-You need Original KEY and Decrypt Program
-Where can I get?
-Email to me: [email protected] or [email protected]
(Open file Decryption Instructions on your Desktop and send your SID)"
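
The file indicators described above (the .coded extension and the decryption_instructions.txt note) can be used to measure how far the encryption reached on a drive. The following Python script is an added example, not part of the original article; the sample directory tree, the SAMPLE-1234 value and the assumption that the ID is a single token after "Your Computer ID:" are constructed for illustration.

```python
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_EXT = ".coded"                    # extension named in the article
NOTE_NAME = "decryption_instructions.txt"   # ransom note name from the article
# The note starts with "Your Computer ID: <value>"; the value format is assumed.
ID_PATTERN = re.compile(r"Your Computer ID:\s*(\S+)")


def triage(root):
    """Walk root read-only and summarise the Anubis file indicators found."""
    encrypted = Counter()          # directory -> number of .coded files
    notes, computer_ids = [], set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.lower().endswith(ENCRYPTED_EXT):
                encrypted[dirpath] += 1
            elif name.lower() == NOTE_NAME:
                notes.append(str(path))
                try:
                    text = path.read_text(errors="replace")
                except OSError:
                    continue       # unreadable note is still listed by path
                computer_ids.update(ID_PATTERN.findall(text))
    return {
        "encrypted_total": sum(encrypted.values()),
        "encrypted_by_dir": dict(encrypted),
        "ransom_notes": sorted(notes),
        "computer_ids": sorted(computer_ids),
    }


def build_sample(root):
    """Constructed sample tree standing in for an affected user profile."""
    docs, desk = Path(root) / "Documents", Path(root) / "Desktop"
    docs.mkdir()
    desk.mkdir()
    (docs / "report.docx.coded").write_bytes(b"\x00" * 16)
    (docs / "photo.jpg.coded").write_bytes(b"\x00" * 16)
    (docs / "untouched.txt").write_text("clean")
    (desk / NOTE_NAME).write_text("Your Computer ID: SAMPLE-1234 <---- Remember it\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(triage(tmp))
```

The per-directory counts show which folders need restoring from backup, and the recorded ID belongs in the incident notes.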

But the notification and persistence of Anubis does not end there. The virus also changes the background of the infected computer with Anubis’s image and the following message:

Image: Anubis ransomware wallpaper. Source: demonslay335 (Twitter)

Malware researchers believe that this virus is part of the open-source HiddenTear (EDA2) ransomware project and might be decryptable.

Anubis Ransomware – Conclusion, Removal, and File Restoration

The bottom line is that anyone whose PC has been infected with this variant of ransomware should not pay any form of ransom. This is because ransomware researchers are often looking for a method to decrypt viruses like Anubis and they may release a free decryptor soon. Until then, probably your best bet is to remove Anubis ransomware from your computer by following the instructions below and restore your files by seeing the alternative methods in step “2. Restore files encrypted by Anubis”. The best method to remove the ransomware, especially if you are having difficulties following the manual instructions and have no experience in detecting the malicious files, is to use an advanced anti-malware program which will take care of Anubis ransomware automatically and swiftly. After having removed this virus, make sure that you back up your encrypted files before trying the file restoration methods because they may be risky in some circumstances.

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
