19/10/2016
18:53

Even Egypt has its ransomware: Anubis is back from afterlife


New ransomware with the exotic name Anubis encrypts all files on the computer and renames them by adding the .coded extension.





TG Soft's C.R.A.M. has identified a new cryptomalware, "Anubis".

When executed, this new crypto-malware encrypts all files on the computer and renames them by adding the .coded extension.

To decrypt the files, the victim is told to send an email to obtain the key and the program that decodes the files.
 

INDEX

==> How Anubis manifests itself...
 
==> The ransom demanded by Anubis

==> How to protect yourself from Anubis

==> What to do to mitigate the damage from Anubis

==> Can I restore the encrypted files ?

==> Final thoughts

 



How Anubis manifests itself...

  • FILE NAME: ANUBIS.EXE
  • SIZE: 117248 byte
  • MD5: 104d38009f6b36bab64b625735907c88

When Anubis is running on the PC, it creates a computer identifier that is sent to the C&C server 190.14.37.117 together with the username and the PC's name in a POST request to the following page:

http://190.14.37.177/rs/createkey.php

Form item: "idnumber" = "jPhHt30nkKhGBBYKzo1d"
Form item: "username" = "XXXXXX"
Form item: "pcname" = "XXXXXX-PC"

The response contains the RSA key that will be used by the malware to decrypt the AES key.
Anubis then sends a POST request to the following page:

http://190.14.37.177/rs/savekey.php

Form item: "idnumber" = "jPhHt30nkKhGBBYKzo1d"
Form item: "pcname" = "XXXXXX-PC"
Form item: "aesencrypted" = "UslM29xzZfq4HRnwmwJ/vSi/vFSSZmdFJ7sAyEELB90eJaM
Vtb80hs2XnrPTou7SdixLEH8+XJRSsF0i5SgwThx5Fpv6i7epOTjgLcw70a+e5q7+OA2XRvip
KiQVbHUdBiBtqSlcBl20Mov7R9FTOSMrmPC9UGFSG4MUbqeJhpeqpjGpVU0i/oEXU1FjVX
MwXUr4v6e9sOmgGIM2wQ"

with which the idnumber, pcname and aesencrypted values are sent.
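As an added illustration (not part of TG Soft's analysis), the following Python snippet shows how a defender could spot the two-stage key exchange described above in web-proxy logs. The log format and the log lines are constructed for the example; only the C&C paths and form field names come from the analysis, and the aesencrypted value is a truncated placeholder.

```python
import re
from urllib.parse import parse_qs

# Constructed sample proxy log lines (not real captures). Assumed format:
# "<timestamp> <client_ip> <method> <url> <status> body=<urlencoded form>"
SAMPLE_LOG = """\
2016-10-19T18:53:01 10.0.0.15 POST http://190.14.37.177/rs/createkey.php 200 body=idnumber=jPhHt30nkKhGBBYKzo1d&username=XXXXXX&pcname=XXXXXX-PC
2016-10-19T18:53:02 10.0.0.15 GET http://example.invalid/index.html 200 body=
2016-10-19T18:53:03 10.0.0.15 POST http://190.14.37.177/rs/savekey.php 200 body=idnumber=jPhHt30nkKhGBBYKzo1d&pcname=XXXXXX-PC&aesencrypted=UslM29xz
2016-10-19T18:53:04 10.0.0.22 POST http://intranet.invalid/login 302 body=user=bob
"""

# C&C paths and form fields observed for Anubis (from the analysis above).
ANUBIS_PATHS = ("/rs/createkey.php", "/rs/savekey.php")
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+) body=(?P<body>.*)$"
)


def find_anubis_beacons(log_text):
    """Return one dict per POST whose URL matches an Anubis C&C page."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        url = m.group("url")
        if not any(url.endswith(p) for p in ANUBIS_PATHS):
            continue
        # parse_qs returns lists; the malware sends each field once
        form = {k: v[0] for k, v in parse_qs(m.group("body")).items()}
        hits.append({
            "timestamp": m.group("ts"),
            "src": m.group("src"),
            "stage": "createkey" if url.endswith("createkey.php") else "savekey",
            "idnumber": form.get("idnumber"),
            "pcname": form.get("pcname"),
            "has_aes_blob": "aesencrypted" in form,
        })
    return hits


def infected_hosts(hits):
    """Group beacons by (source IP, victim id); a host seen at both stages
    has completed the key exchange and is likely already encrypting."""
    by_host = {}
    for h in hits:
        by_host.setdefault((h["src"], h["idnumber"]), set()).add(h["stage"])
    return {k: sorted(v) for k, v in by_host.items()}
```

A createkey hit without a following savekey hit is the moment the analysis above calls the "initial phase" of the attack, when isolating the host is most valuable.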

Anubis encrypts files with the extensions shown in the table below and renames them by adding the .coded extension to the original name.

.3dm, .3ds, .3g2, .3gp, .602, .aes, .arc, .asc, .asf, .asm, .asp, .avi, .bak, .bat, .bmp, .brd, .cgm, .cmd, .cpp, .crt, .csr, .csv, .dbf, .dch, .dif, .dip, .djv, .djvu, .doc, .docb, .docm, .docx, .dot, .dotm, .dwg, .dotx, .exe, .fla, .flv, .frm, .gif, .gpg, .hwp, .ibd, .iso, .jar, .java, .jpeg, .jpg, .key, .lay, .lay6, .ldf, .lnk, .log, .m3u, .m4u, .max, .mdb, .mdf, .mid, .mkv, .mov, .mp3, .mp4, .mpeg, .mpg, .ms11, .myd, .myi, .nef, .odb, .odg, .odp, .ods, .odt, .otg, .otp, .ots, .ott, .p12, .paq, .pas, .pdf, .pem, .php, .png, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .psd, .rar, .raw, .rtf, .sch, .sldm, .sldx, .slk, .stc, .std, .sti, .stw, .svg, .swf, .sxc, .sxd, .sxi, .sxm, .sxw, .sql, .sqlitedb, .tar, .tbk, .tgz, .tif, .tiff, .txt, .uop, .uot, .vbs, .vdi, .vmdk, .vmx, .vob, .wav, .wb2, .wk1, .wks, .wma, .wmv, .xlc, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .zip, .7z
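An added, read-only triage helper (not a TG Soft tool) that walks a directory tree, counts files renamed with the .coded suffix by their original extension, and checks for the "Decryption Instructions" note described further below; the sample tree and the subset of targeted extensions are constructed for the example.

```python
import tempfile
from pathlib import Path

# Subset of the extensions targeted by Anubis (the full table is above).
TARGETED = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".png", ".zip", ".sql", ".vmdk", ".txt"}
RANSOM_NOTE = "Decryption Instructions"  # dropped on the Desktop, no extension


def triage(root):
    """Report *.coded files grouped by original extension, whether the ransom
    note is present, and how many targeted files are still untouched.
    Nothing is modified, so the result can feed a backup/restore plan."""
    coded = {}
    note_found = False
    untouched = 0
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.name == RANSOM_NOTE:
            note_found = True
        elif path.suffix == ".coded":
            # report.docx.coded -> original extension .docx
            orig_ext = Path(path.stem).suffix.lower()
            coded.setdefault(orig_ext, []).append(str(path.relative_to(root)))
        elif path.suffix.lower() in TARGETED:
            untouched += 1
    return {"coded_by_ext": coded, "ransom_note": note_found, "untouched_targets": untouched}


def build_sample_tree():
    """Constructed sample profile mimicking a partially encrypted machine."""
    root = tempfile.mkdtemp(prefix="anubis_triage_")
    for rel in ("Documents/report.docx.coded", "Documents/budget.xlsx.coded",
                "Pictures/holiday.jpg.coded", "Pictures/intact.png",
                "Desktop/Decryption Instructions", "Desktop/ransom.jpg"):
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("sample")
    return root
```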




The ransom demanded by Anubis:

At the end of the encryption, Anubis creates on the Desktop a file named "Decryption Instructions" (without extension) containing the instructions for paying the ransom:

IMPORTANT INFORMATION!
--------------------------
Your Computer ID: jPhHt30nkKhGBBYKzo1d <---- Remember it and send to my email.
--------------------------
All your files are encrypted strongly.!
- How to open my file?
 
- You need Original KEY and Decrypt Program
 
- Where can i get?
 
- Email to me: support.code@aol.com or support.code@india.com
(Open file Decryption Instructions on your Desktop and send your SID)

It also downloads an image (below), "ransom.jpg", into the user's folder:





To have the files encrypted by Anubis decrypted, a payment in Bitcoin is demanded.
To obtain the payment details for the ransom, the victim has to send an email as indicated in the image.


 


How to protect yourself from Anubis:

Vir.IT eXplorer Pro is already able to block the crypto-malware Anubis at an early stage.
As already reported, the Anti-CryptoMalware technology of Vir.IT eXplorer Pro, when properly installed, configured, updated and used, has held up very well against these attacks: it saved up to 99.63% of the files from encryption and, thanks to the integrated backup technologies, allowed the recovery of up to 100% of the files encrypted in the initial phase of the attack.
 

 

What to do to mitigate the damage from Anubis:

When the Alert screen shown on the side appears, it means that the Anti-CryptoMalware protection integrated in Vir.IT eXplorer Pro is acting; so, without giving in to panic, DO NOT close the window and perform the steps indicated:

  1. Make sure that Vir.IT eXplorer Pro is UP-TO-DATE;
  2. UNPLUG THE ETHERNET and/or EVERY NETWORK CABLE: by doing this, the computer is physically isolated from the network, thus containing the attack to just one machine;
  3. PERFORM A FULL SCAN using Vir.IT eXplorer Pro;
  4. DO NOT REBOOT OR TURN OFF THE COMPUTER, in order to avoid further encryption, as stated before.

    In case of a cryptomalware attack you should get in touch with Vir.IT eXplorer PRO's Tech Support as soon as possible. You can write an email to assistenza@viritpro.com, or call +39 049 631748 - +39 049 632750, Mon-Fri 8:30-12:30 and 14:30-18:30.
[Image: Anti-CryptoMalware protection screen integrated in Vir.IT eXplorer PRO]
 
99,63%

Average expected percentage of files protected from encryption thanks to Vir.IT eXplorer PRO's Anti-CryptoMalware protection ==> Check the information


Can I restore the encrypted files:


With the Anti-CryptoMalware protection integrated in Vir.IT, the number of files encrypted by Anubis will be at most a few dozen.
The files "sacrificed" during the mitigation must be replaced with a backup copy; currently there are no tools for recovering .coded files.
In the cases analyzed by TG Soft's C.R.A.M., it was possible to recover files by using the shadow copies from the days preceding the attack.


Final thoughts:

If you opened an infected attachment and the encryption has started, you could be in one of two situations:

  1. You have Vir.IT eXplorer Pro installed, correctly set up, up-to-date and running on your PC. In this case, you must follow the instructions on the Alert message and you will manage to save AT LEAST 99.63% of your data.

  2. You have an antivirus that DOES NOT DETECT, signal and halt the ongoing encryption. In this case you can still:

    • UNPLUG EVERY NETWORK CABLE

    • LEAVE YOUR COMPUTER TURNED OFF: every time the computer is rebooted while the malware is still active, a new encryption key is used and the amount of money demanded as ransom increases (note that paying the ransom does not guarantee decryption and is therefore highly NOT recommended).

Either way, remain calm and do not panic.

TG Soft
Anti-Malware Research Center

 


 

Any information published on our site may be used and published on other websites, blogs, forums, facebook and/or in any other form both in paper and electronic form as long as the source is always and in any case cited explicitly “Source: CRAM by TG Soft www.tgsoft.it” with a clickable link to the original information and / or web page from which textual content, ideas and / or images have been extrapolated.
It will be appreciated in case of use of the information of C.R.A.M. by TG Soft www.tgsoft.it in the report of summary articles the following acknowledgment/thanks “Thanks to Anti-Malware Research Center C.R.A.M. by TG Soft of which we point out the direct link to the original information: [direct clickable link]”

Vir.IT eXplorer PRO is certified by the biggest international organisation: