ANN ransomware removal


ANN ransomware, part of the Matrix ransomware family, is file-encrypting malware that encrypts files, renames them and adds the .ANN file extension. When it’s done encrypting, it drops the #ANN_README#.rtf ransom note in all folders containing encrypted files.

 


ANN ransomware is malware that encrypts files and demands money for their decryption. It is part of the Matrix malware family and uses strong encryption algorithms to encrypt files. It renames affected files to [AskHelp@protonmail.com].[random string of characters].ANN and drops the #ANN_README#.rtf ransom note, which explains that to recover files users need to purchase the decryption tool. The price is not mentioned in the ransom note and would be revealed if victims were to send an email to the provided email addresses askhelp@protonmail.com, askhelp@tutanota.com, and askhelp@india.com. The decryptor price will likely be between $100 and $1000, as that is how much ransomware operators usually request from individual users.

Whatever the price for the decryptor is, it is not recommended to pay it because a decryptor will not necessarily be sent. Users should keep in mind that they are dealing with cyber criminals who will not necessarily feel obligated to keep their end of the bargain. Even if victims do receive a decryptor, it won’t necessarily work.

Unfortunately, currently the only free way to recover files is via backup. If users had backed up files prior to infection, they can access the backup as soon as they remove ANN ransomware from their computers. For users who have no backup, an alternative is to back up encrypted files and wait for malware researchers to release a free decryption tool. However, users should be very careful about where they download decryption tools from. NoMoreRansom and Emsisoft often release decryption tools in order to help victims recover files for free.

ANN ransomware encrypts important files

As is typical for ransomware, ANN targets files such as photos, videos and documents, as these are what users usually consider most important. The ransomware renames all encrypted files to [AskHelp@protonmail.com].[random string of characters].ANN and, once the encryption process is complete, drops the ransom note #ANN_README#.rtf. The note informs victims that their files have been encrypted and explains how to recover them.
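Added example, not part of the original article: a read-only Python scan that uses the two indicators described above (the [AskHelp@protonmail.com].[random string].ANN rename pattern and the #ANN_README#.rtf note) to list affected folders, for instance to scope what has to be restored from backup. The function names and the loose match on the random part of the file name are assumptions; the scan finds encrypted files and notes, not the ransomware itself.

```python
import os
import re
import sys

# Indicators from the article. The random middle part is matched loosely
# because its length and alphabet are not documented there (assumption).
ENCRYPTED_RE = re.compile(r"^\[AskHelp@protonmail\.com\]\.(.+)\.ANN$", re.IGNORECASE)
NOTE_NAME = "#ann_readme#.rtf"  # compared case-insensitively


def classify(filename):
    """Return 'note', 'encrypted' or None for one file name."""
    if filename.lower() == NOTE_NAME:
        return "note"
    if ENCRYPTED_RE.match(filename):
        return "encrypted"
    return None


def scan_tree(root):
    """Walk root without modifying anything; return (affected, unreadable)."""
    affected, unreadable = {}, []
    # Directories that cannot be listed are recorded instead of silently skipped.
    walker = os.walk(root, onerror=lambda e: unreadable.append(e.filename))
    for dirpath, _dirs, files in walker:
        counts = {"encrypted": 0, "note": 0, "untouched": 0}
        for name in files:
            counts[classify(name) or "untouched"] += 1
        if counts["encrypted"] or counts["note"]:
            affected[dirpath] = counts
    return affected, unreadable


def summarize(affected):
    """Totals, plus folders holding encrypted files but no ransom note,
    which deviates from the behaviour the article describes."""
    total = sum(c["encrypted"] for c in affected.values())
    no_note = sorted(d for d, c in affected.items() if c["encrypted"] and not c["note"])
    return {"encrypted_files": total, "affected_dirs": len(affected),
            "encrypted_without_note": no_note}


if __name__ == "__main__":
    found, skipped = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for directory, counts in sorted(found.items()):
        print(directory, counts)
    print(summarize(found), "unreadable:", skipped)
```

Run it with the folder to check as the only argument; it only lists directories and never opens or changes files.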

The cyber criminals behind this ransomware claim that they will help restore files if victims are willing to pay a ransom. As mentioned above, the specific ransom sum is not stated, and victims would be told how much they need to pay if they send an email with their personal ID to the three email addresses shown in the ransom note. The cyber criminals behind this ransomware offer to decrypt 3 files for free, provided they don’t contain valuable information. This is standard practice that is supposed to prove to victims that the criminals can decrypt files. According to the note, if users don’t pay within 7 days, the decryption key will be deleted.

Here is the full ransom note:

HOW TO RECOVER YOUR FILES INSTRUCTION
ATENTION!!!
We are realy sorry to inform you that ALL YOUR FILES WERE ENCRYPTED
by our automatic software. It became possible because of bad server security.
ATENTION!!!
Please don’t worry, we can help you to RESTORE your server to original
state and decrypt all your files quickly and safely!

INFORMATION!!!
Files are not broken!!!
Files were encrypted with AES-128+RSA-2048 crypto algorithms.
There is no way to decrypt your files without unique decryption key and special software. Your unique decryption key is securely stored on our server. For our safety, all information about your server and your decryption key will be automaticaly DELETED AFTER 7 DAYS! You will irrevocably lose all your data!
* Please note that all the attempts to recover your files by yourself or using third party tools will result only in irrevocable loss of your data!
* Please note that you can recover files only with your unique decryption key, which stored on our side. If you will use the help of third parties, you will only add a middleman.

HOW TO RECOVER FILES???
Please write us to the e-mail (write on English or use professional translator):
AskHelp@protonmail.com
AskHelp@tutanota.com
AskHelp@india.com
You have to send your message on each of our 3 emails due to the fact that the message may not reach their intended recipient for a variety of reasons!

In subject line write your personal ID:
2DA52A597276FC47
We recommed you to attach 3 encrypted files to your message. We will demonstrate that we can recover your files.
* Please note that files must not contain any valuable information and their total size must be less than 5Mb.

OUR ADVICE!!!
Please be sure that we will find common languge. We will restore all the data and give you recommedations how to configure the protection of your server.

We will definitely reach an agreement 😉 !!!

ALTERNATIVE COMMUNICATION

If yоu did nоt rеcеivе thе аnswеr frоm thе аfоrеcitеd еmаils fоr mоrе then 24 hours please sеnd us Bitmеssаgеs frоm а wеb brоwsеr thrоugh thе wеbpаgе hxxps://bitmsg.me. Bеlоw is а tutоriаl оn hоw tо sеnd bitmеssаgе viа wеb brоwsеr:
1. Оpеn in yоur brоwsеr thе link hxxps://bitmsg.me/users/sign_up аnd mаkе thе rеgistrаtiоn bу еntеring nаmе еmаil аnd pаsswоrd.
2. Уоu must cоnfirm thе rеgistrаtiоn, rеturn tо уоur еmаil аnd fоllоw thе instructiоns thаt wеrе sеnt tо уоu.
3. Rеturn tо sitе аnd сlick “Lоgin” lаbеl оr usе link hxxps://bitmsg.me/users/sign_in, еntеr уоur еmаil аnd pаsswоrd аnd click thе “Sign in” buttоn.
4. Сlick thе “Сrеаtе Rаndоm аddrеss” buttоn.
5. Сlick thе “Nеw mаssаgе” buttоn.
6. Sеnding mеssаgе:
Tо: Еntеr аddrеss: BM-2cUPmiEDYswzWC3ZmbtybDJeUNHqSpERL1
Subjесt: Еntеr уоur ID: –
Mеssаgе: Dеscribе whаt уоu think nеcеssаrу.
Сlick thе “Sеnd mеssаgе” buttоn.

As we already mentioned, paying the ransom is not recommended. If users have backed up files prior to encryption, they can start file recovery once the ransomware is no longer present.

How to avoid infecting a computer with ransomware?

The majority of malware is distributed via methods such as spam emails and torrents.

One of the favored malware distribution methods is spam email. Cyber criminals purchase email addresses from hacker forums, attach malware to an email, write a text that encourages users to open the attached file, and send it to those acquired email addresses. Fortunately, those emails are more or less obvious, so as long as users are paying attention they should be able to spot a malicious email. They’re often full of grammar/spelling mistakes and are sent from random email addresses. Users are advised to always scan unsolicited email attachments with anti-malware software or VirusTotal.

Users are also discouraged from using torrents and other pirating sites as they are often full of malware. Furthermore, to prevent malware from using vulnerabilities to get in, users should install updates on a regular basis.

ANN ransomware removal

Users are always recommended to use anti-malware software when it comes to ransomware because it is a complex malware infection. Once users delete ANN ransomware from their computers, they can access their backup. However, users should make sure they fully remove ANN ransomware, as otherwise accessing the backup could lead to those files becoming encrypted as well.

ANN ransomware is detected as:

  • A Variant Of Win32/Filecoder.LockedFile.G by ESET
  • HEUR:Trojan-Ransom.Win32.Agent.gen by Kaspersky
  • Ransom:Win32/LockBit.PA!MTB by Microsoft
  • GenericRXJB-TB!EBC583D1CE11 by McAfee
  • Generic.Ransom.Matrix.17CFCB4B by BitDefender