Remove the Fake AnonPop Ransomware (supportfile@yandex.com)
    • Mon, 27 Jun 2016 23:04:11 EDT
    • Read 412 times

    The Anonpop Fake Ransomware is a malware program discovered by @JAMESWT_MHT that pretends to be ransomware that encrypts your files and demands a ransom of $125 to decrypt them. In reality, this program does not encrypt any of your files; it deletes them instead. Thankfully, these scumbags do not securely delete the files, and you can use Shadow Volume Copies or programs like Recuva or PhotoRec to recover them.
    When installed, Anonpop will delete every file found in the following folders and drives:
    %USERPROFILE%\Documents\
    %USERPROFILE%\Downloads\
    %USERPROFILE%\Pictures\
    %USERPROFILE%\Music\
    %USERPROFILE%\Videos\
    %USERPROFILE%\Contacts\
    %USERPROFILE%\Favorites\
    %USERPROFILE%\Searches\
    C:\Program Files\Google\
    C:\Program Files\Windows Defender\
    C:\Program Files\Mozilla Firefox\
    C:\Program Files\Internet Explorer\
    C:\Program Files (x86)\Google\
    C:\Program Files (x86)\Internet Explorer\
    C:\Program Files (x86)\Mozilla Firefox\
    %AppData%\Local\Temp\
    %USERPROFILE%\Desktop\
    D:\
    E:\
    F:\
    H:\
    G:\
    I:\
    It will then download a JPG image and display it over the Windows desktop so that you are unable to access your normal programs, start menu, or files. This JPG image is a ransom note, shown below, that states that your computer and files are encrypted and that you must pay $125 within 24 hours or $199 after 24 hours to get your files back. They also state that after 72 hours the files will be deleted. They then tell you to contact supportfiles@yandex.com once you have made payment.
    In reality, if you see this message, all of the files in the above folders have already been deleted; there is nothing to decrypt and paying recovers nothing.
    Another malware executable will then be downloaded that is set to run every time you log into Windows. This executable will display a message similar to the ransom note above and then automatically begin a shutdown of Windows. That means that every time someone logs in, they are logged off again within 60 seconds, which also makes it hard to get enough time at the desktop to clean the infection.
    The shutdown alert can be seen below.
    The good news is that the developer of this program did not securely delete your files, and you can use a tool like Recuva or PhotoRec to recover them. Before using a file recovery tool, I suggest you first try to recover your files from Shadow Volume Copies, and then use recovery tools only for any files that cannot be recovered that way. Recovery tools work by reading disk sectors that have not yet been reused, so do as little as possible on the affected volume (no installs, no downloads) before you run them.
    For information on how to recover files from Shadow Volume Copies, you can use this tutorial: How to recover files and folders using Shadow Volume Copies.
    How did the Anonpop Fake Ransomware get on my computer?

    It is not currently known how the Anonpop ransomware is being distributed, but based on the name of the initial file, it appears to be spread via emails that contain links to the main installer. When a user clicks on this link, a zip file called complaint376878.zip is downloaded, which contains a batch file that pretends to be a PDF file. If a user double-clicks on this fake PDF, the batch file uses PowerShell commands to download other files that install the rest of the malware.
    As you can see, the person who created this malware is a real lowlife who is trying to steal your money even after they have deleted your files. This guide will walk you through removing the anonpop crapware from your computer. It will not, though, explain how to use Recuva or other file recovery tools to get your files back. For those who need help with that, you should ask in our Ransomware Tech Support and Help Forum.
    Associated Fake AnonPop Ransomware Files:
    %AppData%\photosr.exe

    File Location Notes:
    %AppData% refers to the current user's Application Data folder. By default, this is C:\Documents and Settings\\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\\AppData\Roaming.

    Associated Fake AnonPop Ransomware Registry Information:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\anonpop    %AppData%\photosr.exe
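    The following PowerShell is an added example, not code from the original article or from BleepingComputer: it walks through the cleanup and recovery steps above in order, using only the indicators the article names (the anonpop Run value and %AppData%\photosr.exe). The quarantine folder name, the C:\ShadowCopy mount point and the choice to hash rather than just delete the binary are my own assumptions. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original article): remove the AnonPop persistence described
# above and expose the newest Shadow Volume Copy for file recovery.
# Indicators taken from the article: Run value "anonpop" -> %AppData%\photosr.exe.
# Assumptions (mine, not the article's): quarantine folder name and C:\ShadowCopy mount point.

$RunKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$ValueName = 'anonpop'
$Payload   = Join-Path $env:APPDATA 'photosr.exe'   # $env:APPDATA = ...\AppData\Roaming, matching the note above

# 1. The second-stage executable triggers a Windows shutdown about 60 s after logon.
#    Abort it first so the rest of the cleanup is not interrupted.
#    (shutdown /a errors if no shutdown is pending; that error is safe to ignore.)
shutdown.exe /a 2>$null

# 2. Stop the payload if it is still running so the file can be moved.
Get-Process -Name 'photosr' -ErrorAction SilentlyContinue | Stop-Process -Force

# 3. Show and remove the autorun value that relaunches photosr.exe at every logon.
$run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties[$ValueName]) {
    Write-Host "Removing Run value '$ValueName' -> $($run.$ValueName)"
    Remove-ItemProperty -Path $RunKey -Name $ValueName
} else {
    Write-Host "Run value '$ValueName' not present"
}

# 4. Quarantine the binary instead of deleting it, and record its SHA-256 so it can be
#    submitted to a vendor or matched against other reports later.
if (Test-Path $Payload) {
    $quarantine = Join-Path $env:USERPROFILE 'anonpop_quarantine'   # assumed folder name
    New-Item -ItemType Directory -Path $quarantine -Force | Out-Null
    Get-FileHash -Algorithm SHA256 -Path $Payload | Format-List Algorithm, Hash, Path
    Move-Item -Path $Payload -Destination (Join-Path $quarantine 'photosr.exe.bin') -Force
    Write-Host "Moved $Payload to $quarantine"
}

# 5. List Shadow Volume Copies. If any exist, expose the newest one as a folder so the
#    deleted Documents/Pictures/etc. can be copied back out with Explorer.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy |
           Sort-Object -Property InstallDate -Descending
if (-not $shadows) {
    Write-Warning 'No shadow copies found; fall back to Recuva or PhotoRec as the article suggests.'
} else {
    $shadows | Select-Object InstallDate, VolumeName, DeviceObject | Format-Table -AutoSize
    $newest = $shadows | Select-Object -First 1
    $mount  = 'C:\ShadowCopy'                        # assumed mount point
    # mklink needs the trailing backslash after the device object path.
    cmd.exe /c "mklink /d $mount $($newest.DeviceObject)\"
    Write-Host "Browse $mount\Users\$env:USERNAME\Documents (and the other folders listed above),"
    Write-Host "copy what you need, then remove the link with: rmdir $mount"
}
```

    If the logon/shutdown loop leaves no time to open a prompt, boot into Safe Mode, where the Run key is not processed, and run the script from there. The hash in step 4 is also what you would use to check whether your antivirus vendor already detects this sample.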