New Anubi Ransomware In the Wild

LASER_oneXM

Level 37
Thread author
Verified
Top Poster
Well-known
Feb 4, 2016
2,520
A new ransomware called Anubi was discovered by Malwarebytes security researcher S!Ri that appends the .[anubi@cock.li].anubi extension to encrypted files. While not much is known about how this ransomware is distributed, as it is in the wild, I thought I would provide a brief summary of the ransomware.

When the Anubi ransomware infects a computer it will first set an autorun in the Windows Registry so that it starts automatically when the user logs in. It will then begin scanning the attached hard drives for data files, including executables, and encrypt them.

When encrypting files it will append the .[email_address].anubi extension to the encrypted file's name. For example, a file named test.jpg would be named by the current variant as test.jpg.[anubi@cock.li].anubi. During this process it will not encrypt files on unmapped network shares, but will on mapped network shares.

The good thing about this ransomware is that it is incredibly slow. Due to this, there is a much greater chance that a victim will detect that the ransomware is running and terminate the process before it can finish encrypting the entire computer.

If any further information becomes available, I will be sure to update this article.
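As an added example (not code from the original post), the following PowerShell walks a folder tree and reports files renamed with the .[email_address].anubi scheme described above, recovering the original file name and the contact address from the bracketed part. The regex and the constructed demo files are assumptions made here; nothing beyond the naming scheme is taken from the thread.

```powershell
# Added example, not from the original post: find files renamed as
# "<original name>.[<email>].anubi" and report them for triage.
function Find-AnubiRenamedFiles {
    param(
        [Parameter(Mandatory)] [string] $Path
    )
    # Regex for the naming scheme described in the post: original name, then
    # ".[", an address containing "@", "]", and ".anubi" at the very end.
    $pattern = '^(?<original>.+)\.\[(?<email>[^\]]+@[^\]]+)\]\.anubi$'

    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $pattern } |
        ForEach-Object {
            $null = $_.Name -match $pattern   # populate $Matches in this scope
            [pscustomobject]@{
                EncryptedPath = $_.FullName
                OriginalName  = $Matches['original']
                ContactEmail  = $Matches['email']
                LastWrite     = $_.LastWriteTime
            }
        }
}

# Constructed demo data: one renamed file and one untouched file in a temp folder.
# -Name is used because "[" and "]" would otherwise be treated as wildcards.
$demo = Join-Path $env:TEMP 'anubi-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
New-Item -ItemType File -Path $demo -Name 'test.jpg.[anubi@cock.li].anubi' -Force | Out-Null
New-Item -ItemType File -Path $demo -Name 'untouched.txt' -Force | Out-Null

# Only the renamed file is listed, with OriginalName "test.jpg" and
# ContactEmail "anubi@cock.li".
Find-AnubiRenamedFiles -Path $demo | Format-Table -AutoSize

Remove-Item -LiteralPath $demo -Recurse -Force
```

Because the post notes that mapped network shares are encrypted too, the same function can be pointed at a mapped drive letter; the LastWrite column is useful for estimating when encryption started, which matters given how slowly this sample works.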
 

vemn

Level 6
Verified
Malware Hunter
Well-known
Feb 11, 2017
264
Thanks for sharing!
Wonder if the slow encryption is because it's performing data exfiltration at the same time as it is encrypting files.
Or its actual intent is for a "slow death", seeing people surface slowly... XD
Hopefully a dissect report will surface soon.
 

cruelsister

Level 43
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,224
This one is not new. But note that the Blackhats are starting to get wise to the fact that most (almost all) Startup Managers will not monitor startup registry entries that are created in HKCU. This is a really bad omission on the part of the startup managers and will lead to what amounts to undetectable persistence.
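The first post says the sample sets an autorun in the registry, and the reply above points out that HKCU Run entries are often ignored by startup managers. As an added example (not code from the thread), this PowerShell enumerates the Run and RunOnce keys under both HKCU and HKLM, resolves the launched executable, and flags entries that start from user-writable locations or point at a file that no longer exists. The key list and the "user-writable" heuristic are assumptions of this example; the thread gives no specific key or value name for this sample.

```powershell
# Added example, not from the thread: audit HKCU and HKLM Run/RunOnce entries.
function Get-RunKeyEntries {
    # Well-known autorun keys; HKCU entries can be created without admin rights.
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    # Heuristic (assumption): an autorun that launches from a location a standard
    # user can write to deserves a closer look.
    $userWritable = @($env:USERPROFILE, $env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:PUBLIC) |
        Where-Object { $_ } | ForEach-Object { [regex]::Escape($_) }
    $suspicious = '^(' + ($userWritable -join '|') + ')'

    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $command = [string]$item.GetValue($name)
            # Extract the launched file: a quoted path, or else the first token.
            if ($command -match '^"([^"]+)"') { $exe = $Matches[1] }
            else { $exe = ($command -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $exists = if ($exe) { Test-Path -LiteralPath $exe } else { $false }

            [pscustomobject]@{
                Hive         = $key.Split(':')[0]
                Key          = $key
                Name         = $name
                Command      = $command
                Executable   = $exe
                FileExists   = $exists
                UserWritable = [bool]($exe -imatch $suspicious)
            }
        }
    }
}

$entries = Get-RunKeyEntries
$entries | Sort-Object Hive, Name |
    Format-Table Hive, Name, Executable, FileExists, UserWritable -AutoSize

# HKCU entries that launch from a user-writable path, or whose target is gone,
# are the ones a startup manager that only watches HKLM would never show.
$entries | Where-Object { $_.Hive -eq 'HKCU' -and ($_.UserWritable -or -not $_.FileExists) }

# Keep a baseline so a later run can be diffed against it.
$entries | ConvertTo-Json -Depth 3 |
    Set-Content -Path (Join-Path $env:USERPROFILE 'runkey-baseline.json')
```

Running this on a schedule and comparing against the saved baseline turns the HKCU blind spot into a detectable event; where Sysmon is deployed, its registry value-set events (Event ID 13) on the same keys give the real-time view the script lacks.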
 

vemn

Level 6
Verified
Malware Hunter
Well-known
Feb 11, 2017
264
> This one is not new. But note that the Blackhats are starting to get wise to the fact that most (almost all) Startup Managers will not monitor startup registry entries that are created in HKCU. This is a really bad omission on the part of the startup managers and will lead to what amounts to undetectable persistence.

Omg really? Didn't know that!

I would have thought major AV vendors would already do that (as in prevent at the point of attempting to write persistence).
And also, do 2nd Opinion Scanners do checks on registry keys in HKCU?
 
