Remove Anonymous Ransomware (Jigsaw Variant) and Restore .xyz Files - How to, Technology and PC Security Forum |

Remove Anonymous Ransomware (Jigsaw Variant) and Restore .xyz Files

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)


The Jigsaw ransomware continues to have more variants. The latest one puts the extension .xyz to encrypted files. The crypto-virus can encrypt more than 120 file extensions, as previous variants did, and will create a ransom note afterward. The theme is again Anonymous, as we saw a similar one in the Epic variant. 250 dollars is the sum asked for the ransom payment. To know how to restore your files and remove the ransomware virus, you should read the article carefully to the end.

Threat Summary

Short Description Files with more than 120 different extensions get encrypted. Every hour files can be deleted if the ransom money is not paid.
SymptomsThe ransomware encrypts files with the AES encryption algorithm. Encrypted files have a new extension – .xyz. The ransom price that is asked is 250 US dollars.
Distribution MethodSpam Emails, Email Attachments, File Sharing Networks
Detection Tool See If Your System Has Been Affected by Anonymous


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss Anonymous.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Anonymous Ransomware – How Is It Spread?

Anonymous ransomware could be spread via spam e-mails containing a file attachment. If the attachment is opened, the malicious code inside it injects itself in your computer system. That file might be named to something like firefox.exe or a similar name of a known program, pretending that it is useful and trying to trick people into opening it.

Most of the previous variants of the Anonymous ransomware were also spread through social media networks and sites for file-sharing, too. DropBox was utilized as an another distribution method for the original – Jigsaw ransomware. The best thing you can do to avoid infection is to be wary of suspicious websites and links and even of files with unknown origin. From them, you could easily find malware, which can infect your machine with the Anonymous ransomware virus.

Anonymous Ransomware – Technical Overview

This encryption virus is called Anonymous and it is part of the Jigsaw ransomware family. Its name comes from the theme this variant used. This reminds us of the other Jigsaw variant – Epic Ransomware. In the ransom message, we can see the logo of the group Anonymous, with their slogan “We are Anonymous. We Are Legion. We do not forget. We do not forgive. Expect us”. After encryption, all of your files will be locked and unusable. The malware demands a fixed sum of money to be paid in BitCoins for decryption. If you do not comply with the rules set by the Anonymous ransomware, your files may get deleted on an hourly basis.

The ransomware will create the following file on a compromised computer:


Afterward, it will register itself in the Windows Registry as Microsoft’s Defender program, and pretend to be Windows Defender, so it can maintain persistence. This is the entry in the Windows Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Defender.exe %UserProfile%AppData\Roaming\MS\Defender.exe

The above registry value will automatically load the app_roaming.exe executable file of the ransomware with every start of Windows. Anonymous ransomware will start each time and the process will be registered in the Windows Task Manager – it is advised that you end the process from there, so no files could get erased.

After that, the Anonymous ransomware will show a lock screen which types out text like it’s a real-time event, trying to scare you further. Have a look at the lock screen message:


The text from the lock screen reads:

Your data has now been fully encrypted
But don’t worry! this can be temporary
Follow the instructions and this virus will decrypt all the data
and then remove itself
However, time is crucial. Every hour, it will select some of them,
and delete permanently.
PLEASE NOTE: If you or you Anti-virus attempts to remove this virus,
You will be responsible for getting rid of the ONLY way to getting you DATA back.
During the first 24 hour you will only lose a few items, actioned every hour
the second day a few hundred, the third day a few thousand.
If you turn off you computer, or attempt remove the virus
or try to close this window, it will start up again
and WILL delete 1000 files as a punishment.
Once you make the payment, click the confirmation button below and it will begin to
automaticlly decrypt process all data and the virus will remove itself once completed.
The ball is now in your court.

Your Move _


1 file will be deleted.

View encrypted files.

Please, send at least $250 worth of Bitcoin here

I made a payment now give me back my files!

The ransomware wants you to make a payment of at least 250 US dollars in Bitcoin currency. It threatens you with the deletion of files for every hour you do not pay. The demanded ransom price will not increase with time. If you end the process from the Task Manager, you shouldn’t get files deleted.

Paying the ransom money demanded by the Anonymous ransomware is not advised. Nobody can make you a guarantee that you will get your files back in that way. Plus, the money will go to cyber-criminals and will aid them in their criminal activities.

Be aware that at the end of the article you will find yourself a few ways to restore your data. The malware researcher that cracked the original Jigsaw ransomware, Michael Gillespie, has also updated his decryption tool, and you can find it among the file restoration ways below.

The Anonymous ransomware searches to encrypt files with various extensions, on each kind of storage device you might own – a SSD, a HDD, both locally and externally. The Anonymous variant encrypts a bit more than 120 file extensions, as its past variants. A big portion of them are listed below:


→ .3dm, .3g2, .3gp, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .raw, .rb, .jpeg, .jpg, .js, .rtf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .xqx, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java

The AES algorithm is used for the encryption of the files. The ransomware sets the .xyz extension to all locked files. If you restart your computer, there is a possibility that you might lose 1,000 of your files.

A solution to restore all of your files is given below. In case you already rebooted your PC system after the infection and lost a part of your files – do not worry. Data Recovery software could still aid in the recovery of your lost data.

Remove Anonymous Ransomware and Restore .xyz Files

If Anonymous ransomware infected your machine, do not panic, as there is already a solution available for getting your files decrypted for free. If you want to get rid of the ransomware, you should have some experience in removing viruses. Check the instructions manual given below to see how you can recover your files.


Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.

More Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share