New Anubi Ransomware released

New Anubi Ransomware released

By | October 16th, 2017
No Comments on New Anubi Ransomware released

A new ransomware called Anubi was discovered by Malwarebytes security

researcher S!Ri that appends the .[].anubi extension to

encrypted files. While not much is known about how this ransomware is

distributed, as it is in the wild I thought I would provide a brief summary

of the ransomware.


When the Anubi ransomware infects a computer it will first set an autorun in the Windows Registry so that it starts automatically when the user logs in. It will then begin scanning the attached hard drives for  data files, including executables, and encrypt them.

When encrypting files it will append the .[email_address].anubi extension to the encrypted file’s name. For example, a file named test.jpg, would be named using the current variant as test.jpg.[].anubi.  During this process it will not encrypt files on unmapped network shares, but will on mapped network shares.

When it has finished encrypting a computer, a victim will find ransom notes named __READ_ME__.txt throughout the computer. These ransom notes will contain instructions to contact the ransomware developer at and send them the unique ID contained at the bottom of the note in order to get payment instructions.

The good thing about this ransomware is that it is incredibly slow. Due to this, there is a much greater chance that a victim will detect that the ransomware is running and terminate the process before it can finish encrypting the entire computer.


Nisheeth Bhakuni