Remove Anatel Ransomware and Restore .lok Encrypted Files

A dangerous virus created for Portuguese-speaking countries has been detected by malware researchers. It uses the .lok file extension and a strong cipher to encrypt files. Files encrypted by the Anatel virus can no longer be accessed by the user, and the ransomware drops a LEIA.txt readme file which tells the user to contact the cyber-criminals’ e-mail address, most likely to arrange a ransom payoff. The name Anatel comes from the Brazilian Agency for Telecommunications. Experts recommend that victims of the Anatel crypto-virus remove the threat immediately and, instead of paying the ransom, seek alternative methods for restoring their files. We suggest you read this article to learn more about how to remove Anatel Ransomware and attempt alternative methods to revert your files.

Threat Summary


Name: Anatel Ransomware
Short Description: The malware encrypts users’ files and drops a ransom note afterwards.
Symptoms: The user may witness ransom messages and “instructions” and the files encrypted with an added .lok file extension.
Distribution Method: Via an Exploit kit.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

Anatel Ransomware – How Does It Infect

Researchers believe that Anatel ransomware is spread via massive spam e-mail campaigns. Such campaigns are a very expensive investment because they may contain either malicious attachments or malicious URLs, and since most e-mail providers have spam defenses nowadays, it becomes trickier and trickier to spread malware via this method. However, the cyber-criminals behind Anatel Ransomware may have used sophisticated technology to conceal the malicious files, such as process obfuscators and browser-redirecting web links which lead to malicious JavaScript, Exploit Kit or drive-by download attacks.

Anatel Ransomware Viewed In Depth

When the user opens malicious files by Anatel Ransomware, it immediately drops the payload files. Here are some of the folders in which malicious files by Anatel Ransomware may exist:

  • %AppData%
  • %SystemDrive%
  • %Local%
  • %LocalLow%
  • %User’s Profile%
  • %System%
  • %Windows%

After its malicious files have been dropped, the Anatel Ransomware virus may either run immediately or perform the safer action – modify registry keys to run when you start Windows. If it does so, you may find suspicious String Values associated with Anatel in the following Windows Registry Key:

In the key:
In the key:

After the encryption process by Anatel Ransomware is initiated, Symantec researchers report that it looks for widely used file types to encode:

.asp .aspx .avi .bat .bk .bmp .css .csv .divx .doc .docx .html .index .jpeg .jpg .lnk .mdb .mkv .mov .mp3 .mp4 .mpeg .odt .ogg .pdf .php .png .ppt .pptx .psd .rar .sln .sql .txt .wav .wma .wmv .xls .xlsx .xml .zip

After it has encrypted the files, Anatel Ransomware may also connect to several malicious hosts associated with the following domain to send generated decryption keys and other system information:


Researchers report that the host name and the user’s profile name, along with the keys, are sent out to the cyber-criminals. After this has been done, Anatel ransomware drops its LEIA.txt file, whose name translates to the word “Read”, in the following location:

%SystemDrive%\Documents and Settings\All Users\Desktop\LEIA.txt

The file contains a brief message written in Portuguese:

“Anatel, seus arquivos foram criptografados
Exigmos o fim do bolqueio de franquias
Envie um email para {cyber-criminals’ e-mail address} para receber a senha
We are anonymous”
Approximate English Translation:
Anatel, the files were encrypted
We demand the end of the franchise block
Send an email to {cyber-criminals’ email address} to receive the password
We are anonymous

Files encrypted by this ransomware have the .lok file extension appended, and they may look like the following:


So far it is quite unclear as to why the ransom note ends with “We are anonymous” and why Anatel’s name is involved but theorists believe that the money generated from this attack may be used in a hacktivist attack.
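The indicators described above (the .lok extension, the list of targeted file types and the LEIA.txt note) can be turned into a read-only triage pass over a folder tree. This is an added example, not code from the original article; the function names, the sample tree and the assumption that the original extension is kept in front of .lok (for example budget.xlsx.lok) are illustrative.

```python
import os
import tempfile

# File types the article lists as encryption targets.
TARGETED = set(""".asp .aspx .avi .bat .bk .bmp .css .csv .divx .doc .docx .html
.index .jpeg .jpg .lnk .mdb .mkv .mov .mp3 .mp4 .mpeg .odt .ogg .pdf .php .png .ppt
.pptx .psd .rar .sln .sql .txt .wav .wma .wmv .xls .xlsx .xml .zip""".split())
ENCRYPTED_EXT = ".lok"
NOTE_NAME = "leia.txt"  # ransom note name, compared case-insensitively


def triage(root):
    """Walk root (read-only) and sort files into four buckets."""
    report = {"encrypted": [], "odd_lok": [], "notes": [], "intact": []}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            lower = name.lower()
            stem, ext = os.path.splitext(lower)
            if lower == NOTE_NAME:
                report["notes"].append(path)
            elif ext == ENCRYPTED_EXT:
                # Assumption: the original extension survives, e.g. budget.xlsx.lok.
                # A .lok file without a targeted inner extension may be unrelated
                # (some software uses .lok for lock files), so keep it apart.
                inner = os.path.splitext(stem)[1]
                key = "encrypted" if inner in TARGETED else "odd_lok"
                report[key].append(path)
            elif ext in TARGETED:
                report["intact"].append(path)  # targeted type, not yet renamed
    for paths in report.values():
        paths.sort()
    return report


def build_sample_tree(root):
    """Constructed sample data: empty files that only mimic the naming pattern."""
    names = ["docs/budget.xlsx.lok", "docs/photo.JPG.LOK", "docs/notes.txt",
             "docs/tool.exe", "docs/cache.lok", "Desktop/LEIA.txt"]
    for rel in names:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for kind, paths in triage(tmp).items():
            print(kind, len(paths), [os.path.relpath(p, tmp) for p in paths])
```

The "intact" bucket shows which targeted files were not renamed, which helps judge how far the encryption run got before the machine was isolated.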

Anatel Ransomware – Removal and File Restoration Alternatives

To remove Anatel Ransomware, we strongly suggest using the instructions which we have provided after this article. In case you are experiencing difficulties in manually getting rid of this virus, we suggest using an advanced anti-malware program to remove it automatically.

To restore your files, we suggest the solutions which we have provided below in step “3. Restore files encrypted by Anatel”. They are not a 100 percent guarantee that you will get your files back; however, they are worth a try. Also, we suggest using file decryptors since this ransomware may have a so-called CBC mode which may break the files if a decryptor other than the original is used.



Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
