Anubis Ransomware - How To Remove?

 

The God of afterlife is now attempting to send all your personal files to a graveyard. Anubis crypto-ransomware infection is a soulless monster which will have no problem getting a solid amount of your data encrypted with a strong algorithm. After that, the threatening figure will leave no time for objection. Instead, after the encoding has ruined the last executable, then Anubis virus will list its demands. The instructions will be seen in the background of users’ desktops and in a file, called “Decryption_instructions.txt”. Reading of this note is said to be essential if users want to have a chance in restoring their files to their former glory. Of course, Anubis virus won’t be shy and will probably demand a solid fee for the decryption key. We cannot clearly establish the amount of Bitcoins which will be required. Infected victims will have to discover this by contacting the provided email address for a more detailed instruction: support.code@aol.com or support.code@india.com. 

About Anubis Ransomware

Anubis ransomware will invade people’s computers like any other ransomware. It will most likely be proceeding as a Trojan as well. Why? Because the payload of this virus can be introduced to you as a completely different thing. While thinking that you are installing an adequate update, you might actually become jeopardized by a payload of a ransomware. To avoid such unfortunate fate, always download executables or programs from legitimate sources. If so it happens that you invited Anubis virus to play in your device, its presence might not be visible at first. It starts with little changes like making modifications to Windows Registry Keys for the sake of running the ransomware together with the entire system of computer. Basically, after you restart your device, the payload of Anubis ransomware will silently run in the background and won’t be immediately noticed by the owner of the device. Yes, there might be some minor inconveniences, like the computer will freeze or crash, but nothing that users have never experienced. If your computer starts to act bizarre, do not count it as an insignificant accident. If you do, you might allow the payload of Anubis virus to encrypt all of your files.

anubisransomware-2-viruses

After that, every single file that is left unusable will be appended with the extension: .coded. This indicates that Anubis virus has made an executable completely useless. As we have already mentioned, the infected victims will be instructed to read “Decryption_instructions.txt” file to become better acquainted with the current situation. Furthermore, the frightening Anubis itself will be brought to your desktop background and urge you to contact the email address of crooks. The following message will be from the creators of Anubis virus. You can see that it is poorly-written and has some errors. It is presumable that the founders are not native English speakers and struggle with this language.

HELLO
Time is the most valuable thing you can have. At the moment all files on the computer encrypted. Do you want to understand how to get your data and save time, whrite to this address: support.code@aol.com
If you do not receive responses within 48 hours, write to: support.code@india.com.
Do not forget to read “Decryption Instruction” on your desktop.

How is Anubis Ransomware Distributed?

Anubis ransomware, an irritating and scary virus, can be found in random email accounts. If you happen to stumble upon a letter which seems to be important, please be sure that such message is relevant to you and not a simple hoax. You can do this by looking at the email addresses that send around such letters. If it is quite odd or just similar to the one that an official authority has, then delete the received message. It is a fact that some of the ransomware viruses are added as attachments to such letters. Furthermore, it is possible that a letter will urge you to visit a domain of some sort. This might also be a trick to get you infected with a payload: do not visit it.

How to Decrypt Files Encrypted by Anubis Ransomware?

Anubis is a newly discovered variant. For that reason, the decryption matter is yet unknown. We can say one thing clearly: do not contact the crooks and do not pay the demanded fee for the decryption key. The exact amount of money is not clearly indicated, but we can guess that it depends on the number of files that are ruined. It is very likely that you will only get bamboozled and not receive a functional key if you choose to pay. We advise you to wait for security researchers to come up with a decryption tool. Since Anubis virus seems to be based on open-source HiddenTear project, its decryption is a reachable goal. For the future, please store your files in backup storages that allow you to retrieve information anytime you want. It is also smart to keep your files in USB flash drives (but not constantly connected to the computer as many ransomware viruses are able to encrypt the data, found in the connected devices just as well).

For the elimination of Anubis virus, we recommend to use your selected anti-malware tool. If you have not yet picked one, we recommend to try Reimage, Spyhunter or Malwarebytes for this job. More information about decryption and manual removal can be found in the sections below.

How to recover Anubis ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:


for Windows 7 / Vista/ XP
  • Start Shutdown RestartOK.
  • Press F8 key repeatedly until Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt. Windows 7 enter safe mode

for Windows 8 / 10
  • Press Power at Windows login screen. Then press and hold Shift key and click Restart. Windows 8-10 restart to safe mode
  • Choose TroubleshootAdvanced OptionsStartup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings. Windows 8-10 enter safe mode

2.Restore System files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again. CMD commands
  • Click “Next” in the windows that appeared. Restore point img1
  • Select one of the Restore Points that are available before Anubis ransomware has infiltrated to your system and then click “Next”. Restore point img2
  • To start System restore click “Yes”. Restore point img3

Step 2. Complete removal of Anubis ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Reimage and remove all malicious files related to Anubis ransomware. You can check other tools here.


Step 3. Restore Anubis ransomware affected files using Shadow Volume Copies

If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually Anubis ransomware tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so.

Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select PropertiesPrevious versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.


Previous version
b) Shadow Explorer

It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
Shadow explorer

Step 4. Use Data Recovery programs to recover Anubis ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:

  • We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
  • Download Data Recovery Pro (commercial)
  • Install and scan for recently deleted files. Data Recovery Pro

Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.

     
 

About the author

 - Main Editor
I have started 2-viruses.com in 2007 after wanting to be more or less independent from single security program maker. Since then, we kept working on this site to make internet better and safer place to use.
 
October 17, 2016 03:45, January 2, 2017 09:17
 
   
 

Leave a Reply

Your email address will not be published. Required fields are marked *