anubis

[Content by Gemini 2.5]

Ransomware Report: Anubis (.ANUBIS File Extension)


Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: Encrypted files receive the .ANUBIS extension appended after the original file name.
    Example: Report_2024.xlsx → Report_2024.xlsx.ANUBIS
  • Renaming Convention: The ransomware preserves the original file name and original extension, then tacks on “.ANUBIS”—no prefix ID string or random characters are added. Directory listings therefore keep filenames human-readable, but every item shows the extra extension.

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: First large-scale campaigns observed mid-2016 (June–July 2016). A smaller 2017 wave followed during the autumn cyber-crime season, then activity diminished. Most samples cluster in the 2016 timeframe; however the modus operandi still appears in copy-cat or rebranded operators, so treat any .ANUBIS incident as contemporary.

3. Primary Attack Vectors

  • Propagation Mechanisms:
    1. Malicious email attachments (Office documents with VBA macros → PowerShell downloaders).
    2. Rig & Sundown exploit-kit redirects on compromised legitimate websites (Flash & browser exploits).
    3. Remote Desktop Protocol (RDP) brute-force → manual drop of the Anubis payload once an attacker pivots inside.
    4. Bundled in cracked software installers (warez forums, pirated games).
    5. Peer-to-peer droppers (other botnets push Anubis as a payload).

Remediation & Recovery Strategies

1. Prevention

  • Disable Office macros enterprise-wide via Group Policy; enforce least-privilege execution with SRP (Software Restriction Policy) or group-policy preferential trust.
  • Patch Flash, Java, Silverlight, and all browsers through WSUS/Intune.
  • Disable or restrict RDP access from the Internet; implement Network Level Authentication (NLA) and 2FA for any exposed service.
  • Deploy EDR capable of behavioral detection (PowerShell launching an .EXE from %TEMP% is a common Anubis marker).
  • Offline/immutable backups: ensure at least one copy is air-gapped daily; test restores quarterly.

2. Removal

Step-by-step cleanup procedure (non-boot drive):

  1. Power-off the infected host immediately; pull network cable/Wi-Fi.
  2. Boot from a known-clean USB or live-Linux; mount the disk read-only to copy any remaining unencrypted data.
  3. Run offline scan using updated Malwarebytes, Kaspersky Rescue Disk, or Bitdefender Rescue.
  4. Locate & delete the Anubis dropper (common locations: C:\Users\*\AppData\Roaming\winxsrv.exe, C:\ProgramData\svchost.exe, random GUID folders).
  5. Remove scheduled task named “WinxServer” or similar in Task Scheduler → Task Scheduler Library (used for persistence).
  6. Empty shadow copies (before re-enabling): vssadmin delete shadows /all (Anubis usually removes them anyway).
  7. Reboot into Windows Safe Mode with Networking; run a second scan with Windows Defender Offline or SentinelOne.
  8. After confirmation of removal, restore files from backups. NEVER decrypt on top of a secondary infection.
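A triage helper for the read-only inspection in steps 2 and 4 above, which also applies the renaming convention from section 1 to recover original file names. This is an added example, not part of the report; the `triage` and `build_sample_volume` names, the sample volume layout and its file contents are constructed for illustration, and the dropper rule flags `svchost.exe` only outside the Windows directory, matching the two locations the report lists.

```python
import os
import tempfile

# Indicators as stated in the report: the extension is appended after the original
# extension, the note sits under %AppData%, and the dropper names come from step 4.
ENCRYPTED_EXT = ".ANUBIS"
RANSOM_NOTE = "decryptioninfo.txt"
DROPPER_NAMES = {"winxsrv.exe", "svchost.exe"}


def original_name(file_name):
    """Recover the pre-encryption name from 'name.ext.ANUBIS'; None if not Anubis-style."""
    if not file_name.upper().endswith(ENCRYPTED_EXT):
        return None
    stem = file_name[: -len(ENCRYPTED_EXT)]
    return stem or None


def triage(mount_root):
    """Inventory Anubis indicators on a volume mounted read-only (Removal steps 2 and 4)."""
    findings = {"encrypted": {}, "ransom_notes": [], "droppers": []}
    for dirpath, _dirs, files in os.walk(mount_root):
        rel_dir = os.path.relpath(dirpath, mount_root).replace("\\", "/").lower()
        for name in files:
            full = os.path.join(dirpath, name)
            orig = original_name(name)
            if orig:
                findings["encrypted"][full] = orig   # recovery target; never decrypt in place
            elif name.lower() == RANSOM_NOTE:
                findings["ransom_notes"].append(full)
            elif name.lower() in DROPPER_NAMES and not rel_dir.startswith("windows/"):
                findings["droppers"].append(full)   # candidate for deletion in step 4
    return findings


def build_sample_volume():
    """Constructed offline stand-in for an infected C: volume (contains no real malware)."""
    root = tempfile.mkdtemp(prefix="anubis_triage_")
    for rel in ("Users/alice/Documents/Report_2024.xlsx.ANUBIS",
                "Users/alice/Documents/notes.txt",
                "Users/alice/AppData/Roaming/DecryptionInfo.txt",
                "Users/alice/AppData/Roaming/winxsrv.exe",
                "ProgramData/svchost.exe",
                "Windows/System32/svchost.exe"):   # legitimate copy; must not be flagged
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample")
    return root
```

Run `triage()` against the mount point of the read-only disk from step 2; the `encrypted` map gives the original names to restore from backup once the host is clean.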

3. File Decryption & Recovery

  • Recovery Feasibility: YES – Anubis uses a flawed cryptography implementation (modified AES-256 in CBC mode with embedded keys).
  • Tools:
    • Kaspersky RakhniDecryptor 1.21.1+ (decrypts .ANUBIS variants up to October 2016).
    • Avast Decryption Tool for Anubis (great success on 2016/2017 builds; can be scripted via `avastdecrypt.exe /path /verify`).
  • Decryption Tips: Supply an original file pair (encrypted + clean); the tools will brute-force the embedded 32-byte key. Make copies first; the process is I/O heavy.
  • Essential Patches:
    • Microsoft MS16-101 (credential delegation spoofing).
    • Qualys/industry best practice: disable unnecessary browser plugins and set Adobe/Oracle products to auto-update.

4. Other Critical Information

  • Additional Precautions:
    • Anubis leaves %AppData%\DecryptionInfo.txt – a ransom note with a hard-coded Bitcoin wallet (rarely reused across campaigns).
    • Deletes shadow copies and disables WinRE partitions to hinder recovery—count on volume-level backups instead.
    • Uses Russian-language strings in resource files (“Анубис” in debug info) – a quick YARA rule targeting these strings can assist retro-hunting.

  • Broader Impact:
    • Though not as massive as WannaCry or other worms, Anubis filled the gap left by the TeslaCrypt shutdown.
    • Target demographic concentrated on small-to-medium businesses in Eastern Europe, but English-language phishing emails prove worldwide spread.
    • Historical note: Frequently cited by EUROPOL as bundling with “Simda” botnet infrastructure—understanding Anubis TTPs assists threat hunters tracing newer families that reuse its key-embedding flaw technique.