Remove Anubi Ransomware

Anubi ransomware, also known as Anubis, is a dangerous strain of ransomware similar to Louis, Innok, and BlackPanther. It encrypts victims’ files and appends the .Anubi extension, rendering them inaccessible. Additionally, the ransomware alters the desktop wallpaper and displays a ransom note named “Anubi_Help.txt”, which demands payment in exchange for decryption.

Summary of Anubi Ransomware

Attribute	Details
Name	Anubi Ransomware
Threat Type	Ransomware, Crypto Virus, File Locker
Encrypted File Extension	.Anubi
Ransom Note File	Anubi_Help.txt
Contact Emails	anubis@mailum.com, anubis20@firemail.de
Detection Names	Avast (Win32:TrojanX-gen [Trj]), ESET-NOD32 (Win32/Filecoder.OOO), Kaspersky (HEUR:Trojan-Ransom.Win32.Generic), Microsoft (Ransom:Win32/CylanceLoader.IJ!MTB)
Symptoms of Infection	Inaccessible files with .Anubi extension, ransom note displayed on desktop and pre-login screen, modified wallpaper
Damage	Files become permanently encrypted without backup, financial loss from ransom payment, risk of additional malware infections
Distribution Methods	Malicious email attachments, tech support scams, pirated software, malicious ads, compromised websites
Danger Level	High

How Anubi Ransomware Works

Once Anubi infects a system, it modifies file names by appending .Anubi to encrypted files. For instance, “1.jpg” becomes “1.jpg.Anubi.” It then delivers a ransom note both on the desktop and the pre-login screen, urging victims to contact the attackers via anubis@mailum.com or anubis20@firemail.de for file recovery. The ransom note warns victims against modifying encrypted files and claims that third-party decryption services are scams.

Anubi Ransom Note Text

If you want your files back, contact us at the email addresses shown below:
Anubis@mailum.com
Anubis20@firemail.de
# In subject line please write your personal ID:  -

Check Your Spam Folder: After sending your emails, please check your spam/junk folder regularly to ensure you do not miss our response.

No Response After 24 Hours: If you do not receive a reply from us within 24 hours,
please create a new, valid email address (e.g., from Gmail, Outlook, etc.), and send your message again using the new email address.

some notes:
1-although illegal and bad but this is business,you are our client after infection and we will treat you respectfully like a client
2-do not play with encrypted file, take a backup if you want to waste some time playing with them
3- if you take a random middle man from internet he may take you money and not pay us and disappear or lie to you
4-police can't help you , we are experienced hackers and we don't leave footprints behind ,
even if we did police won’t risk their million dollar worth zero day exploits for catching us,
instead what they do get sure of is you never pay us and you suffer loss of your data
5-if some of your files don't have our extension but do not open, they are encrypted, all other files and will decrypt normally,
they just have not been renamed to get our extension
6-some people on YouTube claim to decrypt our encrypted files (they even make fake videos), all they do is message us,
claim to be the real client (you) get free test files from us and show them as proof to you (if you message us we will tell you what the file was)
get money from you, but they don’t pay us and will not decrypt the rest of the files.

Manual Ransomware Removal Guide

Warning: Manual removal is complex and risky. If not done correctly, it can lead to data loss or incomplete removal of ransomware. Only follow this method if you are an advanced user. If unsure, proceed with Method 2 (SpyHunter Removal Guide).

Step 1: Disconnect from the Internet

1. Unplug your Ethernet cable or disconnect Wi-Fi immediately to prevent further communication with the ransomware’s command and control (C2) servers.

Step 2: Boot into Safe Mode

For Windows Users:

1. For Windows 10, 11:
   • Press Windows + R, type msconfig, and hit Enter.
   • Go to the Boot tab.
   • Check Safe boot and select Network.
   • Click Apply and OK, then restart your PC.
2. For Windows 7, 8:
   • Restart your PC and press F8 repeatedly before Windows loads.
   • Select Safe Mode with Networking and press Enter.

For Mac Users:

1. Restart your Mac and immediately press and hold the Shift key.
2. Release the key once you see the Apple logo.
3. Your Mac will start in Safe Mode.

Step 3: Locate and Terminate Malicious Processes

For Windows Users:

1. Press Ctrl + Shift + Esc to open Task Manager.
2. Look for suspicious processes (e.g., unknown names, high CPU usage, or random letters).
3. Right-click on the process and select End Task.

For Mac Users:

1. Open Activity Monitor (Finder > Applications > Utilities > Activity Monitor).
2. Look for unusual processes.
3. Select the process and click Force Quit.

Step 4: Delete Malicious Files

For Windows Users:

1. Press Windows + R, type %temp%, and hit Enter.
2. Delete all files in the Temp folder.
3. Navigate to:
   • C:\Users\[Your Username]\AppData\Roaming
   • C:\Users\[Your Username]\AppData\Local
   • C:\Windows\System32
4. Look for suspicious files related to the ransomware (random file names, recently modified) and delete them.

For Mac Users:

1. Open Finder and go to Go > Go to Folder.
2. Type ~/Library/Application Support and delete suspicious folders.
3. Navigate to ~/Library/LaunchAgents and remove unknown .plist files.

Step 5: Remove Ransomware from Registry or System Settings

For Windows Users:

Warning: Incorrect changes in the Registry Editor can damage your system. Proceed with caution.

1. Press Windows + R, type regedit, and hit Enter.
2. Navigate to:
   • HKEY_CURRENT_USER\Software
   • HKEY_LOCAL_MACHINE\Software
3. Look for unfamiliar folders with random characters or ransomware-related names.
4. Right-click and select Delete.

For Mac Users:

1. Go to System Preferences > Users & Groups.
2. Click on Login Items and remove any suspicious startup items.
3. Navigate to ~/Library/Preferences and remove malicious .plist files.

Step 6: Restore System Using System Restore (Windows) or Time Machine (Mac)

For Windows Users:

1. Press Windows + R, type rstrui, and hit Enter.
2. Click Next, choose a restore point before the infection, and follow the prompts to restore your system.

For Mac Users:

1. Restart your Mac and hold Command + R to enter macOS Utilities.
2. Select Restore from Time Machine Backup.
3. Choose a backup prior to the ransomware infection and restore your system.

Step 7: Use a Decryption Tool (If Available)

• Visit No More Ransom (www.nomoreransom.org) and check if a decryption tool is available for your ransomware variant.

Step 8: Recover Files Using Backup

• If you have backups on an external drive or cloud storage, restore your files.

---

Automatic Ransomware Removal Using SpyHunter

If manual removal seems too risky or complicated, using a reliable anti-malware tool like SpyHunter is the best alternative.

Step 1: Download SpyHunter

Download SpyHunter from the official link: Download SpyHunter

Or follow the official installation instructions here:
SpyHunter Download Instructions

Step 2: Install SpyHunter

1. Open the downloaded file (SpyHunter-Installer.exe).
2. Follow the on-screen prompts to install the program.
3. Once installed, launch SpyHunter.

Step 3: Perform a Full System Scan

1. Click on Start Scan Now.
2. SpyHunter will scan for ransomware and other malware.
3. Wait for the scan to complete.

Step 4: Remove Detected Threats

1. After the scan, SpyHunter will list all detected threats.
2. Click Fix Threats to remove the ransomware.

Step 5: Use SpyHunter’s Malware HelpDesk (If Needed)

If you are dealing with a stubborn ransomware variant, SpyHunter’s Malware HelpDesk provides custom fixes to remove advanced threats.

Step 6: Restore Your Files

If your files are encrypted:

• Try No More Ransom (www.nomoreransom.org) for decryption tools.
• Restore from cloud storage or external backups.

---

Preventing Future Ransomware Attacks

• Keep backups on an external hard drive or cloud storage.
• Use SpyHunter to detect threats before they infect your system.
• Enable Windows Defender or a trusted antivirus program.
• Avoid suspicious emails, attachments, and links.
• Update Windows, macOS & software regularly.

Additional Information

Recovering files encrypted by Anubi ransomware without the decryption key is nearly impossible. Even if victims pay the ransom, there is no guarantee that cybercriminals will provide a working decryption tool. The best protection against ransomware is to maintain regular backups and ensure cybersecurity best practices are followed.

If you are still having trouble, consider contacting virtual technical support.