New Anubi Ransomware In the Wild

LASER_oneXM

A new ransomware called Anubi was discovered by Malwarebytes security researcher S!Ri that appends the .[anubi@cock.li].anubi extension to encrypted files. While not much is known about how this ransomware is distributed, as it is in the wild I thought I would provide a brief summary of the ransomware.

When the Anubi ransomware infects a computer it will first set an autorun in the Windows Registry so that it starts automatically when the user logs in. It will then begin scanning the attached hard drives for data files, including executables, and encrypt them.

When encrypting files it will append the .[email_address].anubi extension to the encrypted file's name. For example, a file named test.jpg would be named using the current variant as test.jpg.[anubi@cock.li].anubi. During this process it will not encrypt files on unmapped network shares, but will on mapped network shares.

The good thing about this ransomware is that it is incredibly slow. Due to this, there is a much greater chance that a victim will detect that the ransomware is running and terminate the process before it can finish encrypting the entire computer.

If any further information becomes available, I will be sure to update this article.
 
Thanks for sharing!
Wonder if the slow encryption is because it's performing data exfiltration at the same time as it is encrypting files.
Or its actual intent is for a "slow death", seeing people surface slowly... XD
Hopefully a dissect report will surface soon.
 
This one is not new. But note that the blackhats are starting to get wise to the fact that most (almost all) startup managers will not monitor startup registry entries that are created in HKCU. This is a really bad omission on the part of the startup managers and will lead to what amounts to undetectable persistence.
 
Omg Really? Didn't know that!

I would have thought major AV vendors would already do that (as in prevent at the point of attempting to write persistence).
And also, 2nd Opinion Scanners do checks on registry keys in HKCU, don't they?
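For anyone who wants to check a box for the two things discussed in this thread (the per-user Run key persistence that startup managers tend to skip, and files carrying the .[email].anubi extension on local and mapped drives), here is an added triage script. It is not code from the original post, from Malwarebytes or from any vendor; it uses only built-in PowerShell cmdlets. The registry paths are the standard Run/RunOnce keys, and the file-name regex is derived from the extension format described above, since the thread gives no other indicator for this family. Run it in an elevated PowerShell on the suspect host.

```powershell
# Added example (not from the original thread). Assumes only built-in cmdlets
# and the standard Run/RunOnce locations; run as administrator.

# ---- 1. Autorun entries in HKLM and in every loaded user hive ---------------
# HKCU is just an alias for HKU\<SID of the current user>, so enumerating
# HKEY_USERS covers the current user plus any other logged-on account. The
# per-user keys are the ones the thread notes most startup managers ignore.
function Get-RunEntries {
    $subkeys = @(
        'Software\Microsoft\Windows\CurrentVersion\Run',
        'Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $hives = @('Registry::HKEY_LOCAL_MACHINE')
    foreach ($sid in Get-ChildItem Registry::HKEY_USERS) {
        # Only real user SIDs; skip the *_Classes hives and well-known SIDs.
        if ($sid.PSChildName -match '^S-1-5-21-' -and $sid.PSChildName -notlike '*_Classes') {
            $hives += "Registry::$($sid.Name)"
        }
    }
    # Get-ItemProperty adds these note properties; they are not registry values.
    $psNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    foreach ($hive in $hives) {
        foreach ($sub in $subkeys) {
            $key = "$hive\$sub"
            if (-not (Test-Path -LiteralPath $key)) { continue }
            $props = Get-ItemProperty -LiteralPath $key
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Name -in $psNoise) { continue }
                [PSCustomObject]@{
                    Hive    = ($hive -replace '^Registry::', '')
                    Key     = $sub
                    Name    = $p.Name
                    Command = $p.Value
                }
            }
        }
    }
}

# ---- 2. Files carrying the Anubi extension on local and mapped drives -------
# Get-PSDrive lists mapped network drives alongside local ones, which matches
# the note above that mapped shares are encrypted while unmapped ones are not.
function Find-AnubiFiles {
    # Matches "<name>.[<anything>].anubi". "[" is a wildcard metacharacter in
    # -like and -Include, so a regex with -match is used instead.
    $pattern = '\.\[[^\]]+\]\.anubi$'
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        Get-ChildItem -LiteralPath $drive.Root -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match $pattern } |
            Select-Object FullName, Length, LastWriteTime
    }
}

$entries = @(Get-RunEntries)
"Autorun entries found: {0}" -f $entries.Count
$entries | Format-Table -AutoSize

$hits = @(Find-AnubiFiles)
"Files with the Anubi extension: {0}" -f $hits.Count
if ($hits.Count -gt 0) {
    # The encryption is slow, so a LastWriteTime in the last few minutes means
    # the encryptor is very likely still running: identify and stop that
    # process before it finishes, then pull the drive for imaging.
    $newest = ($hits | Sort-Object LastWriteTime -Descending | Select-Object -First 1).LastWriteTime
    "Most recent encrypted file write: {0}" -f $newest
    $hits | Sort-Object LastWriteTime -Descending | Select-Object -First 10 | Format-Table -AutoSize
}
```

Two things to keep in mind when reading the output: the Run-key listing shows every entry, legitimate ones included, so compare the Command column against what you expect on that host rather than treating any hit as malicious; and because the script runs in your own session, mapped drives belonging to a different logged-on user will not show up under Get-PSDrive, so scan those from that user's session or by UNC path.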