Remove Anatel Ransomware and Restore .lok Encrypted Files - How to, Technology and PC Security Forum | SensorsTechForum.com

Remove Anatel Ransomware and Restore .lok Encrypted Files

A dangerous virus created for Portuguese-speaking countries has been detected by malware researchers; it uses the .lok file extension and a strong cipher to encrypt files. Files encrypted by the Anatel virus can no longer be accessed by the user, and the ransomware drops a LEIA.txt readme file which tells the user to contact the cyber-criminals’ e-mail address, most likely to arrange a ransom payment. The name Anatel comes from the Brazilian Agency for Telecommunications. Experts recommend that users who have become victims of the Anatel crypto-virus remove this threat immediately and, instead of paying the ransom, seek alternative methods of restoring their files. We suggest you read this article to learn more about how to remove Anatel Ransomware and attempt alternative methods to restore your files.

Threat Summary

Name: Anatel Ransomware
Type: Ransomware
Short Description: The malware encrypts users’ files and drops a ransom note afterwards.
Symptoms: The user may see ransom messages and “instructions”, and the files are encrypted with an added .lok file extension.
Distribution Method: Via an exploit kit.
Detection Tool: See If Your System Has Been Affected by Anatel Ransomware
User Experience: Join our forum to discuss Anatel Ransomware.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files; it may not recover 100% of the encrypted files, only a few of them, depending on the situation and whether or not you have reformatted your drive.

Anatel Ransomware – How Does It Infect

Researchers believe that Anatel ransomware is spread via massive spam e-mail campaigns. Such campaigns are an expensive investment: they must carry either malicious attachments or malicious URLs, and since most e-mail providers have spam defences nowadays, spreading malware this way becomes trickier and trickier. However, the cyber-criminals behind Anatel Ransomware may have used sophisticated techniques to conceal the malicious files, such as process obfuscators and redirecting web links which lead to malicious JavaScript, exploit kit or drive-by download attacks.

Anatel Ransomware Viewed In Depth

When the user opens the malicious files of Anatel Ransomware, it immediately drops its payload files. Here are some of the folders in which malicious files of Anatel Ransomware may be found:

  • %AppData%
  • %SystemDrive%
  • %Local%
  • %LocalLow%
  • %UserProfile%
  • %System%
  • %Windows%

After its malicious files have been dropped, Anatel Ransomware may either run immediately or take the stealthier route of modifying registry keys so that it runs when Windows starts. If it does so, you may find suspicious string values associated with Anatel in the following Windows Registry keys:

In the keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
and in the keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
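A defender checking the four Run/RunOnce keys above does not have to read them by hand. The following script is an added example (not code from this article or from any vendor tool): it parses the text form of a `reg export` of those keys and flags every value whose executable sits in one of the user-writable drop locations named above (AppData, Application Data, ProgramData, Temp) or directly in the drive root. `REG_SAMPLE` is a constructed sample; its value names and file names are placeholders, not real Anatel indicators, and the findings are review candidates for an analyst, not verdicts.

```python
"""Triage Run/RunOnce autostart entries exported with `reg export`.

Added example, not code from the article or from any vendor tool. REG_SAMPLE
is constructed for illustration: value names and file names are placeholders.
"""
import re
from dataclasses import dataclass

# The four autostart keys the article names, compared case-insensitively.
AUTORUN_KEYS = {
    k.lower() for k in (
        r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
        r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
        r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
        r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    )
}

# Lower-cased directory fragments that mark a user-writable drop location.
SUSPICIOUS_DIRS = (
    "\\appdata\\", "\\application data\\", "\\local settings\\",
    "\\programdata\\", "\\users\\public\\", "\\temp\\",
)

KEY_RE = re.compile(r"^\[(.+)\]$")                   # [HKEY_...\Run]
VALUE_RE = re.compile(r'^"(.+?)"="(.*)"$')           # "name"="string value"
EXE_RE = re.compile(r'^"?([^"]+?\.(?:exe|dll|bat|cmd|vbs|js|scr|ps1))', re.I)
DRIVE_ROOT_RE = re.compile(r"^[a-z]:\\[^\\]+$")      # C:\something.exe


@dataclass
class Finding:
    key: str
    name: str
    path: str
    reason: str


def _unescape(value):
    # Undo .reg escaping: backslash-quote and doubled backslashes.
    return value.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Yield (key, value_name, string_value) for every string value in a .reg text."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and current:
            yield current, m.group(1), _unescape(m.group(2))


def triage_autoruns(text):
    """Return Findings for autostart entries that deserve an analyst's look."""
    findings = []
    for key, name, command in parse_reg_export(text):
        if key.lower() not in AUTORUN_KEYS:
            continue                      # e.g. Explorer\Shell Folders is not an autorun
        m = EXE_RE.match(command)
        path = m.group(1) if m else command   # first executable in the command line
        low = path.lower()
        if any(d in low for d in SUSPICIOUS_DIRS):
            findings.append(Finding(key, name, path, "starts from a user-writable directory"))
        elif DRIVE_ROOT_RE.match(low):
            findings.append(Finding(key, name, path, "executable dropped in the drive root"))
    return findings


# Constructed sample export; the names below are placeholders, not indicators.
REG_SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Program Files\\Windows Defender\\MSASCuiL.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"sys"="C:\\sysupdate.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"updater"="C:\\Users\\alice\\AppData\\Roaming\\svchost_update.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"cleanup"="C:\\Documents and Settings\\All Users\\Application Data\\leia.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData"="C:\\Users\\alice\\AppData\\Roaming"
'''


if __name__ == "__main__":
    for f in triage_autoruns(REG_SAMPLE):
        print(f"{f.key}\n  {f.name} -> {f.path}  [{f.reason}]")
```

A real `.reg` export is UTF-16 with a byte-order mark, so read it with `open(path, encoding="utf-16")` before passing the text to `triage_autoruns`. The sample deliberately includes a legitimate per-user application under AppData, which is flagged too: the point of the check is to produce a short list to verify (publisher signature, file hash, creation time), not to decide on its own.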

Once the encryption process of Anatel Ransomware starts, Symantec (Symantec.com) researchers report that it looks for widely used file types to encode:

.asp .aspx .avi .bat .bk .bmp .css .csv .divx .doc .docx .html .index .jpeg .jpg .lnk .mdb .mkv .mov .mp3 .mp4 .mpeg .odt .ogg .pdf .php .png .ppt .pptx .psd .rar .sln .sql .txt .wav .wma .wmv .xls .xlsx .xml .zip

After it has encrypted the files, Anatel Ransomware may also connect to several malicious hosts associated with the following domain to send the generated decryption keys and other system information:

mpf1.16mb(dot)com

Researchers report that the host name and the user’s profile name, along with the keys, are sent out to the cyber-criminals. After this has been done, Anatel ransomware drops its LEIA.txt file (LEIA translates to “Read”) in the following location:

%SystemDrive%\Documents and Settings\All Users\Desktop\LEIA.txt

The file contains a brief message written in Portuguese:

“Anatel, seus arquivos foram criptografados
Exigmos o fim do bolqueio de franquias
Envie um email para {cyber-criminals’ e-mail address} para receber a senha
We are anonymous”
Approximate English Translation:
Anatel, the files were encrypted
We demand the end of the franchise block
Send an email to {cyber-criminals’ email address} to receive the password
We are anonymous

Files encrypted by this ransomware have the .lok file extension appended and may look like the following:

Picture.jpg.lok
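When scoping an infection, the first questions are how many files carry the .lok extension, which original file types (the list above) were hit, which folders are affected, and where the LEIA.txt notes were dropped. The script below is an added example, not code from this article: it walks a directory tree and answers those questions, and it also reports original extensions that are not in the list the article attributes to Symantec, a hint that a different variant or a second tool may have been at work. The sample tree it builds in a temporary directory is constructed for the demonstration.

```python
"""Scope a .lok encryption incident across a directory tree.

Added example, not code from the article. The sample tree built by
build_sample_tree() is constructed for the demonstration.
"""
import os
import tempfile
from collections import Counter
from pathlib import Path

LOK_SUFFIX = ".lok"
NOTE_NAME = "LEIA.txt"

# Extensions the article reports Anatel looks for.
TARGETED = set("""
.asp .aspx .avi .bat .bk .bmp .css .csv .divx .doc .docx .html .index .jpeg
.jpg .lnk .mdb .mkv .mov .mp3 .mp4 .mpeg .odt .ogg .pdf .php .png .ppt .pptx
.psd .rar .sln .sql .txt .wav .wma .wmv .xls .xlsx .xml .zip
""".split())


def original_extension(name):
    """'Picture.jpg.lok' -> '.jpg'; a bare 'data.lok' yields '(none)'."""
    stem = name[: -len(LOK_SUFFIX)]
    return Path(stem).suffix.lower() or "(none)"


def scope_incident(root):
    """Summarise encrypted files and ransom notes under root (relative POSIX-style paths)."""
    root = Path(root)
    encrypted, notes, by_ext = [], [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.lower().endswith(LOK_SUFFIX):
                encrypted.append(path)
                by_ext[original_extension(name)] += 1
            elif name == NOTE_NAME:
                notes.append(path)
    return {
        "encrypted_count": len(encrypted),
        "by_original_extension": dict(by_ext),
        # original types outside the reported target list deserve a second look
        "unexpected_extensions": sorted(e for e in by_ext if e not in TARGETED),
        "note_paths": sorted(p.relative_to(root).as_posix() for p in notes),
        "affected_dirs": sorted({p.parent.relative_to(root).as_posix() for p in encrypted}),
    }


def build_sample_tree():
    """Constructed sample: a user profile after the .lok encryption ran."""
    root = Path(tempfile.mkdtemp(prefix="lok-triage-"))
    layout = {
        "Desktop/LEIA.txt": "Anatel, seus arquivos foram criptografados\n",
        "Desktop/Picture.jpg.lok": "<ciphertext>",
        "Documents/report.docx.lok": "<ciphertext>",
        "Documents/budget.xlsx.lok": "<ciphertext>",
        "Documents/notes.txt": "untouched plaintext\n",
        "Music/song.flac.lok": "<ciphertext>",
        "Projects/db/dump.sql.lok": "<ciphertext>",
        "Projects/README.md": "untouched plaintext\n",
    }
    for rel, content in layout.items():
        f = root / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_text(content)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for key, value in scope_incident(root).items():
        print(f"{key}: {value}")
```

Point `scope_incident` at a mounted image or a file share rather than the sample tree to get the real figures; the affected-directory list is what you compare against your backup inventory when deciding which restore step below is realistic.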

So far it is unclear why the ransom note ends with “We are anonymous” and why Anatel’s name is involved, but some theorize that the money generated from this attack may be used to fund a hacktivist attack.

Anatel Ransomware – Removal and File Restoration Alternatives

To remove Anatel Ransomware, we strongly suggest following the instructions provided after this article. If you experience difficulties removing this virus manually, we suggest using an advanced anti-malware program to get rid of it automatically.

To restore your files, we suggest the solutions provided below in step “3. Restore files encrypted by Anatel”. They are not a 100 percent guarantee that you will get your files back; however, they are worth a try. Also, be careful with third-party file decryptors: this ransomware may use the so-called CBC mode, which may break the files if a decryptor other than the original is used.

Picture Icons by Freepik – Freepik.com

Manually delete Anatel Ransomware from your computer

Note! Important notice about the Anatel Ransomware threat: manual removal of Anatel Ransomware requires interfering with system files and registries, so it can damage your PC. Even if your computer skills are not at a professional level, don’t worry: you can do the removal yourself in about 5 minutes using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Anatel Ransomware files and objects
2. Find malicious files created by Anatel Ransomware on your PC
3. Fix registry entries created by Anatel Ransomware on your PC

Automatically remove Anatel Ransomware by downloading an advanced anti-malware program

1. Remove Anatel Ransomware with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by Anatel Ransomware in the future
3. Restore files encrypted by Anatel Ransomware
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

