[SAFE-ID: JIWO-2024-848]   Author: 枫叶   Published on: [2017-10-16]

A new ransomware called Anubi was discovered by Malwarebytes security researcher S!Ri that appends the .[anubi@cock.li].anubi extension to encrypted files. While not much is known about how this ransomware is distributed, as it is in the wild I thought I would provide a brief summary of the ransomware.

When the Anubi ransomware infects a computer it will first set an autorun entry in the Windows Registry so that it starts automatically when the user logs in. It will then scan the attached hard drives for data files, including executables, and encrypt them.

When encrypting files it appends the .[email_address].anubi extension to the encrypted file's name. For example, with the current variant a file named test.jpg is renamed to test.jpg.[anubi@cock.li].anubi. During this process it does not encrypt files on unmapped network shares, but it does encrypt files on mapped network shares.

A folder of encrypted files can be seen below.

Encrypted Folder of Anubi Files

When it has finished encrypting a computer, a victim will find ransom notes named __READ_ME__.txt throughout the computer. These ransom notes will contain instructions to contact the ransomware developer at anubi@cock.li and send them the unique ID contained at the bottom of the note in order to get payment instructions.

Anubi Ransom Note

The good thing about this ransomware is that it is incredibly slow. Due to this, there is a much greater chance that a victim will detect that the ransomware is running and terminate the process before it can finish encrypting the entire computer.

If any further information becomes available, I will be sure to update this article. [Source: jiwo.org]

IOCs

Anubi Hash:

SHA256: 3a047c557acde9adeb144508b367232a1043dd1e9c2230f8091a0323bf99ee7c

Anubi Files:

__READ_ME__.txt

Anubi Registry Entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Adobe Acrobat Optimizer x86	"[ransomware_executable].exe" -autorun

Anubi Network Traffic:

staticpane.dns.army/rec.php?msg=

Anubi Ransom Note:

[WHAT HAPPENED] 
Your important files produced on this computer have been encrypted due a security problem
If you want to restore them, write us to the e-mail: anubi@cock.li
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.  

[FREE DECRYPTION AS GUARANTEE] 
Before paying you can send to us up to 3 files for free decryption. 
Please note that files must NOT contain valuable information 
and their total size must be less than 1Mb  

[HOW TO OBTAIN BITCOINS]
The easiest way to buy bitcoin is LocalBitcoins site. 
You have to register, click Buy bitcoins and select the seller 
by payment method and price 

https://localbitcoins.com/buy_bitcoins

https://paxful.com/buy-bitcoin

https://bitcointalk.org/  

[ATTENTION] 
Do not rename encrypted files 
Do not try to decrypt your data using third party software, it may cause permanent data loss 
If you not write on e-mail in 36 hours - your key has been deleted and you cant decrypt your files  

Your ID: 

[id]

Anubi Email Addresses:

anubi@cock.li
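As an added defender-side example (not code from the original article or from the researcher it cites), the following Python script turns the indicators above into simple hunting logic: it parses filenames for the `.[email].anubi` pattern, flags a Run-key value that matches the reported name or carries the `-autorun` switch, and walks a directory tree for encrypted files and `__READ_ME__.txt` notes. The sample directory it creates is constructed here, not taken from a real infection.

```python
import os
import re
from typing import Optional

# Filename pattern described in the article: <original>.[<email>].anubi
ANUBI_NAME_RE = re.compile(r"^(?P<original>.+)\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]\.anubi$")
RANSOM_NOTE_NAME = "__READ_ME__.txt"
# Run-key value name and command-line switch reported in the IOC list
AUTORUN_VALUE_NAME = "Adobe Acrobat Optimizer x86"
AUTORUN_SWITCH = "-autorun"


def parse_encrypted_name(filename: str) -> Optional[dict]:
    """Return {'original': ..., 'email': ...} if filename matches the Anubi pattern, else None."""
    m = ANUBI_NAME_RE.match(filename)
    return m.groupdict() if m else None


def is_anubi_autorun(value_name: str, value_data: str) -> bool:
    """Flag a Run value that uses the reported name, or any Run value whose command ends in -autorun."""
    return value_name == AUTORUN_VALUE_NAME or value_data.strip().lower().endswith(AUTORUN_SWITCH)


def scan_tree(root: str) -> dict:
    """Walk a directory tree and collect paths of encrypted files and ransom notes."""
    hits = {"encrypted": [], "notes": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == RANSOM_NOTE_NAME:
                hits["notes"].append(path)
            elif parse_encrypted_name(name):
                hits["encrypted"].append(path)
    return hits


if __name__ == "__main__":
    # Constructed sample directory so the script runs offline
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("test.jpg.[anubi@cock.li].anubi", RANSOM_NOTE_NAME, "untouched.docx"):
            open(os.path.join(tmp, name), "w").close()
        print(scan_tree(tmp))
    # Constructed Run-key value mirroring the reported registry entry
    print(is_anubi_autorun(AUTORUN_VALUE_NAME, '"C:\\Users\\victim\\ransom.exe" -autorun'))
```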
