Remove AnonPop Fake Ransom Virus and Restore Deleted Files - How to, Technology and PC Security Forum |

Remove AnonPop Fake Ransom Virus and Restore Deleted Files

Warning: Creating default object from empty value in /usr/hosting/sensorstechforum-com/ on line 276

Warning: Creating default object from empty value in /usr/hosting/sensorstechforum-com/ on line 334

Anonymous-encrypted-anonpop-sensorstechforumA devastating virus has appeared on the malware radar, known as AnonPop has been deleting files of infected computers, reports indicate. The virus has been reported to infect users via several different techniques. The worst part is that the sinister individuals behind this twisted cyber threat do not encrypt your files, and they delete them instead. This is particularly frustrating. However, researchers report that there are several methods to restore the files using special software. For more information on how to delete this ransomware yourself and restore the deleted files, make sure to go through this article to find out.

Threat Summary

TypeFake ransomware. Lockscreen.
Short DescriptionAnonPop immediately deletes files of all drives and folders possible and leaves a fake ransom note asking the user to pay and lying to him/her that the files are encrypted.
SymptomsFiles are deleted and a fake ransom note is set as what appears to be a screensaver, locking the user out of the computer.
Distribution MethodSpam Emails, Email Attachments, File Sharing Networks.
Detection Tool See If Your System Has Been Affected by AnonPop


Malware Removal Tool

User ExperienceJoin our forum to Discuss Locky Ransomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

AnonPop Fake Ransomware Virus – Spread

To effectively infect users on a massive scale, the AnonPop ransomware may be spread via massive spam campaigns which can distribute it either via malicious URLs or malicious files, both of which may be posted in spam messages all over the web:

  • Referral spam on blogs.
  • Forums.
  • Social media spam.
  • Spam e-mail messages with malicious URLs or attachments.

Such attachments may turn to be dangerous because a malicious macro, an Exploit Kit or even a malicious JavaScript attack may be used to infect unsuspecting users.

AnonPop Fake Ransomware – In Depth Analysis

As soon as it has infected the computer of the user, AnonPop immediately deletes every file with the exceptions of files that belong to Windows so that it does not break it. The virus looks in the following folders for files and erases them:

%Documents%, %Downloads%, %Pictures%, %Music%, %Videos%, %Contacts%, %Favorites%, %Searches%, Google’s Folders, Windows Defender’s Folders, Mozilla Firefox’s Folders, Internet Explorer’s Folders, %AppData%\Local\Temp\, %Desktop%
D:\ ,E:\ ,F:\ ,H:\ ,G:\ ,I:

In addition to this nightmare, the AnonPop Virus not only deletes the files but also locks the screen of the infected computer, setting an Anonymous-themed wallpaper which lies to the user that his files are encrypted:


The lock screen locks the user out of his computer by staying over the desktop. This strongly suggests that the registry keys for the ScreenSaver of the infected machine have been infected. This immediately points out to the following keys and values being affected:

In the key:
HKEY_USERS\.DEFAULT\Control Panel\Desktop
The values:

The AnonPop ransomware also can shut down your computer after displaying a similar pop-up message with the following text:


AnonPop Fake Ransomware – Conclusion, Remove It and Restore Deleted Files

It is so far unclear what kind of sick individuals are behind this ransomware and go around and delete users’ files left and right. The good news is that they did not use unconventional methods to erase the files from the sectors of the Hard Drive of the infected computers. This is why we have suggested a solution below, but for it to work you must do two things:

1. Remove the ransomware using either the manual(if you know where its files and registries are) or automatic instructions which are illustrated after this article. They will help you deal with it without reinstalling Windows and formatting your drive which is what we are aiming at for this method do work. For maximum effectiveness, experts advise scanning in safe mode with an anti-malware scanner which will automatically take care of AnonPop fake ransomware.

2.Do not reinstall Windows and do not format your hard drive.

3.1 Check your computer for enabled “File History,” any backup or Shadow Volume Copies. This will help you to immediately get all your files back if you have it enabled. To restore your data, your first bet is to check again for shadow copies in Windows using this software:

Shadow Explorer

3.2 Download Data Recovery Software – we have suggested few data recovery programs which you can download and use. They will automatically scan the sectors of your hard drive and recover what can be recovered. Bear in mind that you may not recover 100% of your files, but there is a high possibility that you may get most of your files back especially if this has happened very soon to you and you haven’t reformatted the memory of your drive.

Here are some of our suggestions for data recovery software:

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share