Angus Ransomware - How to remove

Angus is a file extension appended to files that were encrypted by a ransomware virus. The name itself is meaningless, chosen at random or at the discretion of the criminals who developed the cryptovirus. Angus happens to be used by two different ransomware families:

  • Phobos
  • Ouroboros

It's not unusual for different ransomware families to use the same appended extension; it only makes the infections harder to research. The Ouroboros Angus version is around a month old, while the Phobos version was newly discovered by a researcher. The latter is the bigger threat at the moment.

Angus ransomware in short:

Classification of Angus ransomware
How ransomware spreads
  • Pirated software
  • Malicious emails
  • RDP
Restore the files locked by Angus
  • Restore from Backups
  • Wait for a free decryption solution (for Phobos) or use the existing one (Ouroboros)
  • Use data recovery, extract data from big files, etc.
Angus removal
  • Scan the system with an anti-malware tool (SpyHunter)
  • Repair system settings

How Angus infects computers

Angus ransomware, whether Phobos or Ouroboros, uses a few different methods for distribution:

  • Piracy
  • Malicious emails
  • Remote Desktop hacking

Firstly, fake activators, cracks, cracked installers, and pirated software in general have a chance of being bundled with some kind of ransomware, like Angus. Torrent sites are a convenient medium for malware to spread, even while moderators try to weed out malicious files. Sometimes ransomware distributors also create fake sites for real or made-up software, upload their ransomware there, and then push links to the malicious site through ads or email.

Malicious email spam is another candidate for how Angus got onto your system. Some emails carry infected attachments, others contain download links to malicious files. Some are generic, others are targeted at a specific person or company. They come in a variety of forms, from fake virus warnings to mail-order updates, limited only by the imagination of Angus' distributors.

Most of all, Angus is likely to infect computers through an exposed RDP connection. Cyber-criminals scan the internet for RDP listening on the default port (TCP 3389) and brute-force login credentials; they may also have stolen the credentials through phishing. Either way, once the attackers are in, any security measures are disabled and the ransomware gets to work.
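To show what the brute-force pattern described above looks like from the defender's side, here is an added example (not code from the original article) that runs a simple detection over Windows Security events. The log lines are constructed and simplified to one key=value record per line, which is an assumption about the export format; the event IDs and logon types are the real Windows ones. It also checks for the tell-tale follow-up, a successful RDP logon from the same address after the burst of failures.

```python
"""Flag RDP brute-force activity in Windows Security log events.

Added example, not code from the original article. It works on a
constructed, simplified text export of Windows Security events (one
'key=value' record per line); the field names follow the real event
schema, but the export format itself is an assumption. Real deployments
would read EVTX, CSV or SIEM output instead.

Event ID 4625 = failed logon, 4624 = successful logon.
Logon Type 10 = RemoteInteractive, i.e. an RDP session.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = "4625"
SUCCESS_LOGON = "4624"
RDP_LOGON_TYPE = "10"

# Constructed sample data, not real logs. 203.0.113.7 hammers the box
# with several usernames and then gets in; 198.51.100.4 is a user who
# mistyped a password once; 192.0.2.9 fails over SMB (type 3), not RDP.
SAMPLE_EVENTS = """\
2020-02-10T03:14:01 EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=Administrator
2020-02-10T03:14:03 EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=admin
2020-02-10T03:14:05 EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=user
2020-02-10T03:14:08 EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=backup
2020-02-10T03:14:10 EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=Administrator
2020-02-10T03:14:12 EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=Administrator
2020-02-10T03:15:40 EventID=4624 LogonType=10 IpAddress=203.0.113.7 TargetUserName=Administrator
2020-02-10T09:02:11 EventID=4625 LogonType=10 IpAddress=198.51.100.4 TargetUserName=jsmith
2020-02-10T09:02:30 EventID=4624 LogonType=10 IpAddress=198.51.100.4 TargetUserName=jsmith
2020-02-10T11:00:00 EventID=4625 LogonType=3 IpAddress=192.0.2.9 TargetUserName=svc
2020-02-10T11:00:01 EventID=4625 LogonType=3 IpAddress=192.0.2.9 TargetUserName=svc
2020-02-10T11:00:02 EventID=4625 LogonType=3 IpAddress=192.0.2.9 TargetUserName=svc
2020-02-10T11:00:03 EventID=4625 LogonType=3 IpAddress=192.0.2.9 TargetUserName=svc
2020-02-10T11:00:04 EventID=4625 LogonType=3 IpAddress=192.0.2.9 TargetUserName=svc
2020-02-10T11:00:05 EventID=4625 LogonType=3 IpAddress=192.0.2.9 TargetUserName=svc
"""


def parse_event(line):
    """Turn one 'timestamp key=value ...' record into a dict."""
    stamp, _, rest = line.partition(" ")
    event = dict(item.split("=", 1) for item in rest.split())
    event["timestamp"] = datetime.fromisoformat(stamp)
    return event


def find_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: details} for every IP that produced at least
    `threshold` failed RDP logons inside any `window` of time.

    `success_after` is True when the same IP later logged on successfully
    over RDP: the classic sign that the brute force worked and the
    ransomware operator now has a session on the machine.
    """
    failures = defaultdict(list)   # ip -> [(timestamp, username)]
    successes = defaultdict(list)  # ip -> [timestamp]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        if event.get("LogonType") != RDP_LOGON_TYPE:
            continue  # only RDP sessions are of interest here
        ip = event["IpAddress"]
        if event["EventID"] == FAILED_LOGON:
            failures[ip].append((event["timestamp"], event["TargetUserName"]))
        elif event["EventID"] == SUCCESS_LOGON:
            successes[ip].append(event["timestamp"])

    flagged = {}
    for ip, attempts in failures.items():
        attempts.sort()
        # Sliding window: find the densest burst of failures from this IP.
        busiest, start = 0, 0
        for end, (when, _) in enumerate(attempts):
            while when - attempts[start][0] > window:
                start += 1
            busiest = max(busiest, end - start + 1)
        if busiest < threshold:
            continue
        first_failure = attempts[0][0]
        flagged[ip] = {
            "failures": busiest,
            "usernames": sorted({user for _, user in attempts}),
            "success_after": any(ok > first_failure for ok in successes[ip]),
        }
    return flagged


if __name__ == "__main__":
    for ip, info in find_rdp_bruteforce(SAMPLE_EVENTS).items():
        verdict = "LIKELY COMPROMISED" if info["success_after"] else "attack in progress"
        print(f"{ip}: {info['failures']} failed RDP logons, users tried "
              f"{info['usernames']} -> {verdict}")
```

On a real machine the same logic runs over 4625/4624 events pulled from the Security log; a single address cycling through many usernames is the signature to watch for, and a success after such a burst should be treated as a compromised host rather than a blocked attack.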

Ransomware infection symptoms

"Angus", the Phobos and Ouroboros notes

The first and most obvious consequence of an Angus infection is that files don't open anymore. Their names are also changed to include the victim's unique ID, the email address of the extortionists, and “.angus” (written “.Angus” by the Ouroboros variant).

In the case of Phobos Angus:

file.type.id[XXXXXXXX-2315].[[email protected]].angus

In the case of Ouroboros Angus:

file.type.Email=[[email protected]]ID=[XXXXXXXXXXXXXXX].Angus
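To make the two naming schemes above usable for triage, here is an added example (not code from the original article) that recognises both layouts, tells the families apart, and pulls out the victim ID and contact address, which are what you need when checking whether a decryptor exists. The file names, IDs and e-mail addresses in it are constructed placeholders, not real indicators.

```python
"""Classify files renamed by the Phobos and Ouroboros "Angus" variants.

Added example, not code from the original article. The two filename
layouts follow the patterns shown in the article; the attacker e-mail
addresses and victim IDs in the sample names are constructed placeholders.
"""
import re
from collections import Counter

# Phobos:    <name>.id[<victim id>].[<attacker e-mail>].angus
# Ouroboros: <name>.Email=[<attacker e-mail>]ID=[<victim id>].Angus
PATTERNS = {
    "Phobos": re.compile(
        r"^(?P<original>.+)\.id\[(?P<id>[^\]]+)\]\.\[(?P<email>[^\]]+)\]\.angus$",
        re.IGNORECASE),
    "Ouroboros": re.compile(
        r"^(?P<original>.+)\.Email=\[(?P<email>[^\]]+)\]ID=\[(?P<id>[^\]]+)\]\.Angus$",
        re.IGNORECASE),
}


def classify(filename):
    """Return {'family', 'original', 'id', 'email'} for a renamed file,
    or None if the name matches neither Angus layout."""
    for family, pattern in PATTERNS.items():
        match = pattern.match(filename)
        if match:
            return {"family": family, **match.groupdict()}
    return None


def summarize(filenames):
    """Count hits per family and collect the victim IDs and contact
    e-mails seen across a directory listing."""
    families, ids, emails = Counter(), set(), set()
    for name in filenames:
        hit = classify(name)
        if hit is None:
            continue
        families[hit["family"]] += 1
        ids.add(hit["id"])
        emails.add(hit["email"])
    return {"families": dict(families), "ids": sorted(ids), "emails": sorted(emails)}


# Constructed sample listing: IDs and e-mails are placeholders, not real IOCs.
SAMPLE_FILES = [
    "budget.xlsx.id[1A2B3C4D-2315].[restore@example.com].angus",
    "photo.jpg.id[1A2B3C4D-2315].[restore@example.com].angus",
    "notes.txt.Email=[help@example.net]ID=[ABCDEFGHIJKLMNO].Angus",
    "readme.txt",
    "report.docx.angus",  # bare extension without the id/e-mail block: not matched
]

if __name__ == "__main__":
    for name in SAMPLE_FILES:
        print(name, "->", classify(name))
    print(summarize(SAMPLE_FILES))
```

Feeding the output of a directory walk into summarize() gives you the family split, the ID to quote when looking for a decryptor, and the contact address to use as an indicator in mail filters; a name that merely ends in .angus without the id/e-mail block is deliberately left unclassified so that a different family reusing the extension is not mistaken for one of these two.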

Besides the files being encrypted and renamed, other malware may have been installed on the system and local backups deleted. Both Angus variants also leave behind ransom notes.

Phobos Angus shows a colorful HTML document in a pop-up after it's done encrypting files:

All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the email [email protected]
Write this ID in the title of your message XXXXXXXX-2315
You have to pay for decryption in Bicoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files.

Meanwhile, the Ouroboros Angus shows a different message:

Your Files Have Been Encrypted
If You Need Your Files You Should Pay Decryption Price
The Steps For Getting Decryption Tool :
1-Send Id On The Files Or  HowtoDecrypt.txt Files to Our Email
2-Send 1MB File For Getting Decryption Test to Make Sure You Can Get Your Files Back With Us(The Test File Should Not Contain Valuable Data Like Databases Excel Sheets or Backups)

Both messages ask for a ransom in bitcoin and promise to decrypt sample files as proof that they can. There are also stories of victims of both Phobos and Ouroboros paying the ransom and never receiving a working decryption tool.

How to restore Angus files

The best way to get back your data after a ransomware attack is always backups, but in case that isn’t an option for you, here are the other possible solutions:

Angus Phobos decryption

Angus is similar to Age, Calix, Caley, and other Phobos ransomware. It's not currently decryptable. Phobos is very secure and one of the most widespread ransomware infections; its makers know what they're doing, and unfortunately that means there is no way to get a free decryption solution. What you can try: Phobos leaves parts of big files unencrypted, so with the help of a specialist you may be able to extract useful data from the untouched portions and recreate some of it. Data recovery programs may also bring back some of what Angus cost you, since they look for deleted originals rather than trying to break the encryption.

Phobos Angus is genuinely not decryptable because the cryptography is well implemented: the keys are generated per victim and only the attackers hold the secret needed to unlock them, so nothing recoverable is left on the infected machine. The Ouroboros version is different, though.
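To act on the suggestion above about the unencrypted portions of big files, here is an added example (not code from the original article or from any decryptor) that scans a file for low-entropy regions, which is how a specialist would locate untouched data in a partially encrypted file. The sample file it scans is constructed with a seeded random generator; nothing is taken from a real Angus-encrypted file, and the block size and entropy threshold are assumptions you would tune per file format.

```python
"""Locate unencrypted regions inside a partially encrypted file.

Added example, not code from the original article. It assumes only what
the article says: that Angus/Phobos may leave part of a big file
untouched. Encrypted bytes look uniformly random (close to 8 bits of
entropy per byte); ordinary text, CSV or SQL dumps score far below that.
The sample buffer is constructed with a seeded PRNG and is not a real
encrypted file.
"""
import math
import random
from collections import Counter


def shannon_entropy(chunk):
    """Bits of entropy per byte in `chunk` (0.0 for empty, at most 8.0)."""
    if not chunk:
        return 0.0
    total = len(chunk)
    return -sum((n / total) * math.log2(n / total) for n in Counter(chunk).values())


def find_plaintext_regions(data, block_size=4096, threshold=7.0):
    """Return [(start, end)] byte ranges made of blocks that score below
    `threshold`, i.e. are unlikely to be ciphertext. Adjacent low-entropy
    blocks are merged into one region."""
    regions = []
    for offset in range(0, len(data), block_size):
        block = data[offset:offset + block_size]
        if shannon_entropy(block) >= threshold:
            continue  # looks encrypted (or compressed): skip it
        end = offset + len(block)
        if regions and regions[-1][1] == offset:
            regions[-1] = (regions[-1][0], end)  # extend the previous region
        else:
            regions.append((offset, end))
    return regions


def carve_plaintext(data, block_size=4096, threshold=7.0):
    """Concatenate the low-entropy regions so they can be inspected or
    handed to a format-specific repair tool."""
    return b"".join(data[s:e] for s, e in find_plaintext_regions(data, block_size, threshold))


def build_sample(encrypted_len=65536, plain_len=65536, seed=1234):
    """Constructed stand-in for a partially encrypted file: a random prefix
    (how the encrypted portion would look) followed by a plain CSV tail."""
    rng = random.Random(seed)
    encrypted = bytes(rng.getrandbits(8) for _ in range(encrypted_len))
    line = b"2020-02-10,INV-1042,Widget,3,19.99\r\n"
    plain = (line * (plain_len // len(line) + 1))[:plain_len]
    return encrypted + plain


if __name__ == "__main__":
    sample = build_sample()
    for start, end in find_plaintext_regions(sample):
        print(f"plaintext candidate at bytes {start}-{end}, entropy "
              f"{shannon_entropy(sample[start:end]):.2f} bits/byte")
```

The method only works for formats that are low-entropy to begin with (text, CSV, SQL dumps, uncompressed databases); files that are compressed by design such as zip, docx or jpg look like ciphertext even when intact, so a high-entropy verdict on those says nothing about whether they were touched.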

Angus Ouroboros decryption

Ouroboros Angus is similar to Kronos. Ouroboros ransomware used to be a wiper: it simply overwrote files with zeroes, making them completely unrecoverable. Angus and the other recent Ouroboros variants actually use encryption, so the files are not totally ruined.

Specialists seem able to restore some of the files, so that might be an option. A volunteer developed an Ouroboros decoder (direct download link) that may be able to decrypt Angus files. Just be very careful and watch out for scammers.

It looks like a new version of Ouroboros is already out and it's more secure than Angus, so it's unlikely that Angus is still being actively distributed. New Ouroboros infections currently have no decryption solution.

How to remove Angus ransomware

Although getting rid of the infection does not restore the files, it's still very important to do. You can use any competent anti-malware scanner that you trust, such as SpyHunter. If one tool doesn't find anything, use another to make sure that the infection is gone.

Also, there's a lot of fixing to be done after Angus is gone because of the damage the ransomware did to your settings, such as uninstalling the antivirus you had before, which Phobos infections sometimes do.

Additionally, it's very important to secure your RDP going forward, and to set up backups that you can restore from and that ransomware cannot reach. Password protection alone isn't enough for backups: some ransomware carries modules with giant lists of popular usernames and passwords and brute-forces network shares to unlock them. Keep at least one copy offline or on storage the infected machine cannot write to.

How to recover Angus Ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

System Restore rolls back system files, installed programs and registry settings to an earlier restore point. It does not touch your documents, so it will not bring encrypted files back by itself, but it can undo the settings the ransomware changed.

1. Reboot your computer to Safe Mode with Command Prompt:


for Windows 7 / Vista / XP
  • Start → Shut Down → Restart → OK.
  • Press the F8 key repeatedly until the Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at the Windows login screen, then press and hold the Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.


2. Restore system files and settings.

  • When the Command Prompt loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select a restore point dated before Angus Ransomware infiltrated your system and click “Next”.
  • To start System Restore, click “Yes”.
 

Step 2. Complete removal of Angus Ransomware

After restoring your system, scan your computer with an anti-malware program, like Spyhunter, and remove all malicious files related to Angus Ransomware.

Step 3. Restore Angus Ransomware affected files using Shadow Volume Copies

If System Restore is not an option on your system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the snapshot was created. Angus Ransomware usually tries to delete all Shadow Volume Copies, so this method does not work on every computer, but it does sometimes fail to delete them. You can check from an elevated command prompt with vssadmin list shadows: if it reports no items, the copies are gone. Shadow Volume Copies are available from Windows XP Service Pack 2 onward (Vista, 7, 8 and 10). There are two ways to retrieve your files via Shadow Volume Copy: the native Windows Previous Versions feature, or Shadow Explorer.

a) Native Windows Previous Versions
  • Right-click on an encrypted file and select Properties → Previous Versions tab.
  • You will see all available copies of that file and the time each was stored in a Shadow Volume Copy.
  • Choose the version you want and click Copy to save it to a directory of your own, or Restore to replace the existing, encrypted file. If you want to see the contents first, click Open.

b) Shadow Explorer
  • Shadow Explorer is a program that can be found online for free, in both a full and a portable version.
  • Open the program and, in the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive.
  • To retrieve a whole folder, right-click it and select “Export”, then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover Angus Ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:
  • We suggest using another PC and connecting the infected hard drive as a secondary (slave) drive. It is still possible to do this on the infected PC, though.
  • Download a data recovery program.
  • Install it and scan for recently deleted files.
Note: This only helps when the ransomware wrote the encrypted copy as a new file and deleted the original, leaving the old data in unallocated space; every write to the disk afterwards lowers the odds, so use the infected drive as little as possible before scanning. In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.
