Anonpop Ransomware

Posted by Max Lehmann on June 29, 2016

What is Anonpop Ransomware?

It his high time we discuss a new ransomware and a unique one at that. Anonpop Ransomware is not your average ransomware because it does not encrypt files but removes them. Moreover, it does not have the ability to bring them back after you have paid the money. Its developers are clearly not concerned with keeping their word, not even in the slightest. They want to trick you into thinking that they have mysteriously hidden them in a created partition, but that is untrue. Please continue reading if you want to find out more.testtest

What does Anonpop Ransomware do?

We find it rather strange that Anonpop Ransomware's developers chose this approach to make money. Our malware analysts think that this ransomware was made by incompetent cyber crook wannabes that do not have the skills or knowledge to produce a ransomware that utilizes an encryption algorithm, so they have resorted to deleting the files and claiming that they have been moved to a secret place. Well take a look at your hard drive’s current used and free space ration and you will see what has happened. If the files were moved somewhere, then this has to reflect on the used space counter, but no, after the infection your hard drive is freed of its contents.

Our malware researchers have tested this fake ransomware and identified the locations from which this infection erases all of the files. It removes files from a total of 22 locations. Some of the more notable locations include %USERPROFILE%\Downloads, %USERPROFILE%\Documents, %USERPROFILE%\Desktop, and %AppData%\Local\Temp. However, all is not lost because you can restore the files using Shadow Volume Copies or file restoration software.

At any rate, after it has deleted your files, Anonpop Ransomware will generate a JPG image that is set to be displayed on the desktop and prevent you from accessing the Start menu, because it covers the Taskbar as well. However, you can simultaneously press Windows+D keys to show the desktop. The cyber criminals demand that you pay 125 USD to get your files back, but that is a blatant lie because the files are already gone. Also, the ransom note states that the ransom will increase to 199 USD if you do not pay the 125 USD within 24 hours. Also, it claims to erase all files and the OS after 72 hours.

We also want to mention that this malicious application has been configured to shut down your computer shortly after you boot it up. It leaves you just enough time to read the ransom note. However, if you act swiftly, you can terminate the shutdown process by typing “shutdown /a” in the Command Prompt. To sum up, this fake ransomware does not encrypt files but erases them and demands that you pay to get them back. It prevents you from using the computer and shuts it down after several minutes. The good news is that you can bypass these obstructions and take back control of your PC.

Where does Anonpop Ransomware come from?

Our malware researchers think that Anonpop Ransomware is being disseminated with the help of email spam that is being sent to random email addresses around the globe. Its emails masquerade as complaints from the Office of The Attorney General which is just preposterous. The text of the email is well-written and gives the impression of legitimacy, but if you do not own a business, then you might find it suspicious. The email contains a ZIP file that should be named complaint376878.zip that contains a PDF file called complaint376878.pdf. Opening the PDF file will trigger a batch file that will use PowerShell commands to download other malicious files that will complete the infection and then spring into action.

How do I remove Anonpop Ransomware?

To get rid of this infection you must first free your computer from the script that forces it to shut down. Then you must locate the files and delete them. We have prepared a guide that contains file paths where this ransomware should drop its files, but we cannot guarantee that you will find them there. If you experience trouble locating the files, try downloading SpyHunter a program that can find and, if needed, remove this infection.

Override the shutdown sequence

  1. Simultaneously press Window+D keys to show the desktop.
  2. Simultaneously press Windows+R keys.
  3. Enter cmd in the dialog box and click OK.
  4. In the Command Prompt, type shutdown /a
  5. Then, press Windows+E keys.
  6. In the File Explorer’s address bar enter these locations.
    • %USERPROFILE%\Downloads\
    • %USERPROFILE%\Desktop\
    • %AppData%\Local\Temp\
  7. Find the ransomware and delete its files.
100% FREE spyware scan and
tested removal of Anonpop Ransomware*
Disclaimer
Disclaimer
Trojans

Leave a Comment

Enter the numbers in the box to the right *