If your documents, photos and music do not open normally, or their names have changed and .[anubi@cock.li].anubi has been added at the end of their names, then your computer is infected with the new Anubi ransomware virus, a member of a family of file-encrypting ransomware. Once launched, it encrypts all personal files stored on the PC’s drives and attached network drives.
The Anubi ransomware is a virus made to encrypt the personal files found on an infected personal computer using very strong hybrid encryption with a large key, adding the .[anubi@cock.li].anubi extension to all encrypted personal files. Once the encryption procedure is finished, it opens a ransom note offering to decrypt all of the user’s photos, documents and music if a payment is made.
The Anubi ransomware asks you to write an e-mail to anubi@cock.li in order to get a key to decrypt the files. It is important to know that it is currently not possible to decrypt .anubi files without the private key and the decryption program. If you choose to pay the ransom, there is no 100% guarantee that you can decrypt all documents, photos and music! If you do not want to pay for a decryption key, then you have a chance to recover files encrypted by the Anubi virus for free.
Therefore it’s very important to follow the step-by-step instructions below as soon as possible. The guidance will help you get rid of the Anubi virus. What is more, the steps below will help you restore encrypted documents, photos and music for free.
Table of contents
- What is Anubi ransomware
- How to decrypt .anubi files
- How to remove Anubi ransomware virus
- How to restore .anubi files
- How to prevent your computer from becoming infected by Anubi ransomware?
- Finish words
What is Anubi ransomware
Anubi is a variant of crypto viruses (malware that encrypts personal files and demands a ransom). It affects all current versions of the Microsoft Windows operating system, such as Windows XP, Windows Vista, Windows 7, Windows 8 and Windows 10. This ransomware uses very strong hybrid encryption with a large key to eliminate the possibility of brute-forcing a key that would allow you to decrypt the encrypted photos, documents and music.
When the ransomware virus infects a computer, it uses system directories to store its own files. To run automatically whenever you turn on your PC, the Anubi ransomware creates entries in the following sections of the Windows registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce.
Immediately after launch, the virus scans all available drives, including network and cloud storage, to determine which files will be encrypted. The ransomware virus uses the file name extension to define the group of files that will be encrypted. It encrypts almost all types of files, including common ones such as:
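To review the two HKCU autorun sections named above, the following added example (not code from the original article) lists their values and flags entries whose target file is missing or was written within a day of the ransom note. The function names, the 24-hour window and the use of the note's modification time as the incident timestamp are assumptions made for illustration.

```python
import os

# The two HKCU autorun sections this page lists.
RUN_KEYS = (r"Software\Microsoft\Windows\CurrentVersion\Run",
            r"Software\Microsoft\Windows\CurrentVersion\RunOnce")

def read_hkcu_autoruns():
    """Return [(key, value_name, command)] for the keys above (Windows only)."""
    import winreg  # imported here so the helpers below also load on other systems
    rows = []
    for key in RUN_KEYS:
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key) as handle:
                for i in range(winreg.QueryInfoKey(handle)[1]):
                    name, data, _kind = winreg.EnumValue(handle, i)
                    rows.append((key, name, str(data)))
        except FileNotFoundError:
            continue  # this section does not exist for the current user
    return rows

def exe_path(command):
    """Program path from an autorun command line (quoted, or up to the first space)."""
    command = os.path.expandvars(command.strip())
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]  # unquoted paths containing spaces need manual review

def triage(rows, note_mtime, window=24 * 3600):
    """Flag autoruns whose target is missing or was written near note_mtime (heuristic)."""
    flagged = []
    for key, name, command in rows:
        path = exe_path(command)
        try:
            written = os.path.getmtime(path)
        except OSError:
            flagged.append((key, name, path, "target missing"))
            continue
        if abs(written - note_mtime) <= window:
            flagged.append((key, name, path, "written near encryption time"))
    return flagged

if __name__ == "__main__":
    import sys
    note = sys.argv[1]  # path to any __READ_ME__.txt found on the machine
    for row in triage(read_hkcu_autoruns(), os.path.getmtime(note)):
        print(*row, sep=" | ")
```

File timestamps can be altered, so an entry that is not flagged is not proof that it is legitimate; use the output to decide which entries to inspect first.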
.lrf, .7z, .xbdoc, .mef, .wp5, .bkp, .zif, .m3u, .jpg, .pkpass, .layout, .esm, .kf, .lbf, .1st, .ppt, .vtf, .bay, .dba, .xar, .ltx, .z3d, .fos, .big, .xpm, .itl, .der, .bc7, .arch00, .cr2, .re4, .mlx, .ods, .rw2, .docx, .xll, .vdf, .py, .z, .sie, .1, .ibank, .psd, .xlsm, .wmv, .sav, .wpd, .rtf, .srf, .wcf, .xlk, .ai, .wma, .rgss3a, .sid, .y, .t13, .xlsx, .wmf, .blob, .apk, .srw, .js, .wpb, .raf, .zdb, .txt, .lvl, .wsd, .rwl, .rofl, .dcr, .yml, .upk, .wgz, .wmv, .zabw, .zw, .wbd, .wotreplay, .xls, .wbm, .wdb, .slm, .wb2, .crw, .wmo, .xmmap, .x, .x3f, .zip, .pdd, .db0, .cer, .wps, .wp4, .ff, .jpeg, .sis, .syncdb, .ptx, .snx, .cfr, .wsc, .itm, .pfx, .orf, .wp6, .x3f, .zip, .iwd, .pef, .p7b, .sr2, .hvpl, .odm, .wpg, .3ds, .vpp_pc, .wpw, .gdb, .xmind, .wpl, .avi, .hkx, .dazip, .accdb, .wbk, .wmd, .cdr, .odt, .ncf, .mcmeta, .kdc, .mdbackup, .xwp, .nrw, .rar, .hplg, .dng, .css, .xbplate, .webdoc, .eps, .2bp, .webp, .m4a, .wpe, .wp, .map, .vfs0, .xdl, .d3dbsp, .dwg, .xdb, .wm, .sidn, .mdb, .0, .wp7, .xy3, .xxx, .ysp, .dmp, .yal, .mp4, .docm, .p12, .cas, .wpa, .itdb, .x3d, .ws, .jpe, .ztmp, .xls, .p7c, .wbmp, .wdp, .pptm, .das, .wbc, .wav, .bc6, .gho, .sum, .sidd, .fsh, .wn, .epk, .raw, .hkdb, .wsh, .wire, .xlsx, .sb, .forge, .odp, .xf, .dxg, .vpk, .zi, .odb, .flv, .qdf, .xlsb, .menu, .mov, .litemod, .bar, .wpt, .pem, .arw, .w3x, .rb, .xx, .ntl, .psk, .wps, .mrwref, .wot, .wbz, .icxs, .csv, .tor, .indd, .rim, .tax, .zdc, .wma, .svg, wallet, .mpqge, .pptx, .mdf, .xyw, .bsa, .m2, .bik, .asset, .pst, .desc, .xyp, .r3d, .xlsm, .bkf, .iwi, .doc, .pak, .wpd, .xlgc, .ybk, .qic, .wri, .crt
Once a file is encrypted, its extension is changed to [anubi@cock.li].anubi. Next, the virus creates a file called “__READ_ME__.txt”. This file contains a guide on how to decrypt all encrypted files. An example of the ransom note is:
[WHAT HAPPENED]
Your important files produced on this computer have been encrypted due a security problem
If you want to restore them, write us to the e-mail: anubi@cock.li
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.
[FREE DECRYPTION AS GUARANTEE]
Before paying you can send to us up to 3 files for free decryption.
Please note that files must NOT contain valuable information and their total size must be less than 1Mb
[HOW TO OBTAIN BITCOINS]
The easiest way to buy bitcoin is LocalBitcoins site.
You have to register, click Buy bitcoins and select the seller by payment method and price
https://localbitcoins.com/buy_bitcoins
https://paxful.com/buy-bitcoin
https://bitcointalk.org/
[ATTENTION]
Do not rename encrypted files
Do not try to decrypt your data using third party software, it may cause permanent data loss
If you not write on e-mail in 36 hours - your key has been deleted and you cant decrypt your files
Your ID:
The Anubi virus actively uses scare tactics. It tries to pressure the user of the infected computer into paying the ransom without hesitation, in an attempt to recover the encrypted photos, documents and music.
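Because the appended extension and the ransom note name are fixed, the extent of the damage can be measured before any cleanup or restore. The following added example (not part of the original article) walks a folder tree, separates encrypted files, ransom notes and intact files, and counts the encrypted files by their original extension; the function names and report layout are assumptions made for illustration.

```python
import os
from collections import Counter

ENC_SUFFIX = ".[anubi@cock.li].anubi"  # appended extension, as given on this page
NOTE_NAME = "__READ_ME__.txt"          # ransom note name, as given on this page

def inventory(root):
    """Walk root and classify every file as encrypted, ransom note, or intact."""
    report = {"encrypted": [], "notes": [], "intact": 0, "by_ext": Counter()}
    for folder, _subdirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            if name == NOTE_NAME:
                report["notes"].append(path)
            elif name.lower().endswith(ENC_SUFFIX):
                original = name[:-len(ENC_SUFFIX)]  # file name before encryption
                ext = os.path.splitext(original)[1].lower() or "(none)"
                report["by_ext"][ext] += 1
                report["encrypted"].append((path, original))
            else:
                report["intact"] += 1
    return report

def first_note_time(report):
    """Earliest ransom-note modification time, a rough timestamp for the incident."""
    times = [os.path.getmtime(p) for p in report["notes"]]
    return min(times) if times else None

if __name__ == "__main__":
    import sys
    rep = inventory(sys.argv[1])  # folder or drive to scan, e.g. a user profile
    print(f"{len(rep['encrypted'])} encrypted, {rep['intact']} intact, "
          f"{len(rep['notes'])} ransom notes")
    for ext, count in rep["by_ext"].most_common():
        print(f"  {ext:10} {count}")
```

The list of original names shows which files to look for in shadow copies, and the script only reads the tree, so it does not rename or modify encrypted files.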
How to decrypt .anubi files
Currently there is no available method to decrypt .[anubi@cock.li].anubi files, but you have a chance to recover encrypted files for free. The virus uses very strong hybrid encryption with a large key. This means that decrypting the files is impossible without the private key. “Brute forcing” is also not an option because of the great length of the key. Therefore, unfortunately, paying the makers of the Anubi ransomware virus the entire amount requested is the only way to try to get the decryption key and decrypt all your files.
There is absolutely no guarantee that, after you pay a ransom to the developers of the Anubi virus, they will provide the key needed to decrypt your files. In addition, you must understand that by paying money to the cyber criminals you are encouraging them to create new ransomware viruses.
How to remove Anubi ransomware virus
Before you start the procedure of restoring the personal files which have been encrypted, make sure the Anubi ransomware is not running. First, you need to get rid of this ransomware permanently. Happily, there are several malicious software removal tools that will effectively detect and remove the Anubi virus and other crypto virus malware from your PC.
Use Zemana Anti-malware to remove Anubi
Zemana Anti-malware is highly recommended, because it can detect security threats such as the Anubi virus, ‘ad supported’ software and other malicious software that most ‘classic’ antivirus software fails to pick up on. Moreover, if you have any Anubi removal problems which cannot be fixed by this tool automatically, Zemana Anti-malware provides 24X7 online assistance from highly experienced support staff.
- Visit the following page to download Zemana AntiMalware. Save it to your Desktop so that you can access the file easily.
- At the download page, click on the Download button. Your internet browser will open the “Save as” prompt. Please save it onto your Windows desktop.
- After the download is finished, please close all programs and open windows on your computer. Next, run the file called Zemana.AntiMalware.Setup.
- This will open the “Setup wizard” of Zemana AntiMalware (ZAM) on your computer. Follow the prompts and do not make any changes to the default settings.
- When the Setup wizard has finished installing, Zemana Free will run and display the main window.
- Further, click the “Scan” button to begin scanning your machine for the Anubi ransomware and other kinds of potential threats such as malicious software and potentially unwanted programs. A system scan may take anywhere from 5 to 30 minutes, depending on your personal computer. During the scan Zemana Anti Malware (ZAM) will scan for threats present on your computer.
- Once the scanning is done, Zemana AntiMalware will show a list of all threats found by the scan.
- Review the scan results and then click the “Next” button. The utility will delete the Anubi ransomware virus and other security threats. When it has finished, you may be prompted to restart the system.
- Close Zemana Anti-Malware and continue with the next step.
How to automatically remove Anubi with Malwarebytes
Removing the Anubi virus manually is difficult, and often the ransomware is not completely removed. Therefore, we advise you to use Malwarebytes Free, which will completely clean your computer. Moreover, the free program will help you remove malware, PUPs, toolbars and adware that your PC may also be infected with.
- Click the link below to download MalwareBytes. Save it on your Desktop.
- After the download is done, close all applications and windows on your computer. Open the directory in which you saved it. Double-click the icon named mb3-setup.
- Next, press the Next button and follow the prompts.
- Once the install is done, click the “Scan Now” button to check your computer for the Anubi ransomware and other security threats. During the scan MalwareBytes Anti-Malware (MBAM) will search for threats present on your computer.
- When the scan ends, MalwareBytes Anti-Malware (MBAM) will open a list of detected threats. Review the report and then click “Quarantine Selected”. When that process is finished, you may be prompted to reboot your system.
Scan your computer and remove Anubi ransomware with KVRT
If MalwareBytes antimalware or Zemana antimalware cannot remove this ransomware virus, then we recommend running KVRT. KVRT is a free removal tool for ransomware, adware, potentially unwanted programs and toolbars.
Download Kaspersky virus removal tool (KVRT) from the following link. Save it directly to your Microsoft Windows Desktop.
When the download is finished, double-click the Kaspersky virus removal tool icon. Once the initialization procedure is done, you’ll see the Kaspersky virus removal tool screen.
Click Change Parameters and set a check mark next to all your drives. Click OK to close the Parameters window. Next, press the Start scan button. The Kaspersky virus removal tool will scan the whole system for the Anubi virus and other known infections. This procedure may take some time, so please be patient. While the tool is scanning, you can see how many objects and files have already been scanned.
After KVRT has completed scanning, it will show a scan report.
When you are ready, press Continue to start the cleaning task.
How to restore .anubi files
In some cases, you can restore files encrypted by the Anubi virus. Try both methods. It is important to understand that we cannot guarantee that you will be able to restore all encrypted personal files.
Use shadow copies to recover .anubi files
In some cases, you have a chance to recover your personal files which were encrypted by the Anubi ransomware. This is possible with a tool called ShadowExplorer. It is a free application designed to obtain ‘shadow copies’ of files.
Download ShadowExplorer on your Windows Desktop by clicking on the following link.
When the download is finished, open the directory in which you saved it. Right-click ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next, open the ShadowExplorerPortable folder.
Double-click ShadowExplorerPortable to launch it.
In the top left corner, select the drive where the encrypted personal files are stored and the latest restore point.
In the right panel, look for a file that you want to recover, right-click it and select Export.
Recover .anubi files with PhotoRec
Before a file is encrypted, the Anubi ransomware virus makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your personal files using file recovery programs like PhotoRec.
Download PhotoRec by clicking on the following link.
When the download is finished, open the directory in which you saved it. Right-click testdisk-7.0.win and choose Extract all. Follow the prompts. Next, open the testdisk-7.0 folder.
Double-click qphotorec_win to run PhotoRec for Windows. Its main window will open.
Select a drive to recover.
You will see a list of available partitions. Select the partition that holds the encrypted documents, photos and music.
Click the File Formats button and specify the file types to restore. You can enable or disable the recovery of certain file types. When this is done, press the OK button.
Next, click the Browse button to choose where the restored personal files should be written, then press Search.
The count of restored files is updated in real time. All recovered files are written to the folder that you selected in the previous step. You can access the files even if the restore process is not finished.
When the recovery is done, click the Quit button. Next, open the directory where the recovered personal files are stored.
All recovered photos, documents and music are written to the recup_dir.1, recup_dir.2 … sub-directories. If you are searching for a specific file, you can sort your restored files by extension and/or date/time.
How to prevent your computer from becoming infected by Anubi ransomware?
Most antivirus programs already have a built-in protection system against the virus. Therefore, if your computer does not have an antivirus program, make sure you install one. As extra protection, use CryptoPrevent.
Run CryptoPrevent to protect your computer from Anubi ransomware virus
Download CryptoPrevent by clicking on the link below. Save it to your Desktop.
www.foolishit.com/download/cryptoprevent/
Run it and follow the setup wizard. Once the installation is finished, you will be shown a window where you can select a level of protection.
Now click the Apply button to activate the protection.
Finish words
Now your PC should be clean of the Anubi virus. Remove the Kaspersky virus removal tool and MalwareBytes Free. We suggest that you keep Zemana AntiMalware (ZAM) to periodically scan your personal computer for new malware. You are probably running an older version of Java or Adobe Flash Player. This can be a security risk, so download and install the latest version right now.
If you are still having problems while trying to remove Anubi virus from your personal computer, then ask for help in our Spyware/Malware removal forum.