RANSOM_EDA2ANUBIS.B
Trojan-Ransom.Win32.Nubi.f (Kaspersky); Ransom.Anubi (Malwarebytes); Ransom:Win32/Anunau.A (Microsoft)
Windows
Threat Type: Ransomware
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
Downloaded from the Internet
This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It connects to certain websites to send and receive information.
It encrypts files found in specific folders. It drops files as ransom note.
TECHNICAL DETAILS
55,808 bytes
No
13 Oct 2017
Encrypts files, Displays message/message boxes, Connects to URLs/IPs
Arrival Details
This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Ransomware drops the following files:
- %Program Data%\storage
It adds the following processes:
- vssadmin.exe Delete Shadows /All /Quiet
Autostart Technique
This Ransomware adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Adobe Acrobat Optimizer x86 = ""{Malware Path}\{Malware File Name}" -autorun"
Other System Modifications
This Ransomware adds the following registry entries as part of its installation routine:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
EnableBalloonTips = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
EnableBalloonTips = "0"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer
TaskbarNoNotification = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
Explorer
TaskbarNoNotification = "1"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer
DisableNotificationCenter = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
Explorer
DisableNotificationCenter = "1"
HKEY_CURRENT_USER\Software\Policies\
Microsoft\Windows Defender
DisableAntiSpyware = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows Defender
DisableAntiSpyware = "1"
HKEY_CURRENT_USER\Software\Policies\
Microsoft\Windows Defender
DisableRoutinelyTakingAction = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows Defender
DisableRoutinelyTakingAction = "1"
HKEY_CURRENT_USER\Software\Microsoft\
Windows Defender\Reporting
DisableEnhancedNotifications = "1"
Other Details
This Ransomware connects to the following website to send and receive information:
- http://staticpane.{BLOCKED}s.army/rec.php?msg={random}
Ransomware Routine
This Ransomware encrypts files found in the following folders:
- All Drives
It avoids encrypting files with the following strings in their file path:
- __READ_ME__.txt
- System Volume Information
- $Recycle.Bin
- Boot
- Windows
It appends the following extension to the file name of the encrypted files:
- .[anubi@cock.li].anubi
It drops the following file(s) as ransom note:
- {Folders containing encrypted files}\__READ_ME__.txt
- %User Startup%\__READ_ME__.txt -> runs the file after execution
It leaves text files that serve as ransom notes containing the following text:
- [WHAT HAPPENED]
Your important files produced on this computer have been encrypted due a security problem
If you want to restore them, write us to the e-mail: anubi@{BLOCKED}k.li
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.
[FREE DECRYPTION AS GUARANTEE]
Before paying you can send to us up to 3 files for free decryption.
Please note that files must NOT contain valuable information
and their total size must be less than 1Mb
[HOW TO OBTAIN BITCOINS]
The easiest way to buy bitcoin is LocalBitcoins site.
You have to register, click Buy bitcoins and select the seller
by payment method and price
https://localbitcoins.com/buy_bitcoins
https://paxful.com/buy-bitcoin
https://bitcointalk.org/
[ATTENTION]
Do not rename encrypted files
Do not try to decrypt your data using third party software, it may cause permanent data loss
If you not write on e-mail in 36 hours - your key has been deleted and you cant decrypt your files
Your ID:
{RANDOM}
SOLUTION
9.850
Step 1
Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.
Step 2
Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.
Step 3
Identify and terminate files detected as RANSOM_EDA2ANUBIS.B
- Windows Task Manager may not display all running processes. In this case, please use a third-party process viewer, preferably Process Explorer, to terminate the malware/grayware/spyware file. You may download the said tool here.
- If the detected file is displayed in either Windows Task Manager or Process Explorer but you cannot delete it, restart your computer in safe mode. To do this, refer to this link for the complete steps.
- If the detected file is not displayed in either Windows Task Manager or Process Explorer, continue doing the next steps.
Step 4
Delete this registry value
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Adobe Acrobat Optimizer x86 = ""{Malware Path}\{Malware File Name}" -autorun"
- Adobe Acrobat Optimizer x86 = ""{Malware Path}\{Malware File Name}" -autorun"
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
- EnableBalloonTips = "0"
- EnableBalloonTips = "0"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
- EnableBalloonTips = "0"
- EnableBalloonTips = "0"
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
- TaskbarNoNotification = "1"
- TaskbarNoNotification = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
- TaskbarNoNotification = "1"
- TaskbarNoNotification = "1"
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
- DisableNotificationCenter = "1"
- DisableNotificationCenter = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
- DisableNotificationCenter = "1"
- DisableNotificationCenter = "1"
- In HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows Defender
- DisableAntiSpyware = "1"
- DisableAntiSpyware = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
- DisableAntiSpyware = "1"
- DisableAntiSpyware = "1"
- In HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows Defender
- DisableRoutinelyTakingAction = "1"
- DisableRoutinelyTakingAction = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
- DisableRoutinelyTakingAction = "1"
- DisableRoutinelyTakingAction = "1"
- In HKEY_CURRENT_USER\Software\Microsoft\Windows Defender\Reporting
- DisableEnhancedNotifications = "1"
- DisableEnhancedNotifications = "1"
Step 5
Search and delete these files
- %Program Data%\storage
- {Folders containing encrypted files}\__READ_ME__.txt
- %User Startup%\__READ_ME__.txt
Step 6
Scan your computer with your Trend Micro product to delete files detected as RANSOM_EDA2ANUBIS.B. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Step 7
Restore encrypted files from backup.
Did this description help? Tell us how we did.