Anonpop Ransomware Removal Guide

Do you know what Anonpop Ransomware is?

From the outset, we want to inform you that Anonpop Ransomware is a fake ransomware that will not give you your files back no matter what you do because it removes them from your computer permanently. Yet its developers have the audacity to demand that you pay a ransom for a non-existent decryption key/tool. There are many things to discuss about this infection, so we invite you to read this full article, which will at the least help you delete it so that you can use your computer, because this ransomware will not go away that easily.

This ransomware appears to have come out of nowhere, and at present we do not know how it is disseminated. However, we have a theory that we want to share with you. Without going into too much detail, we think that this infection originated in Russia or at least somewhere in Eastern Europe. Why? Because the cyber criminals want you to contact them via the email address Note the email service provider Yandex. Yandex is the Google of Russia, and it has its own search engine and email service, among other services. Ransomware produced elsewhere rarely uses Russia-based services.

While we are on the subject of email services, we want to point out that Anonpop Ransomware is most likely distributed using email spam. Our researchers are of the opinion that this malware’s developers have set up a dedicated server that sends email spam to random email addresses. The rationale for selecting a particular email address is unknown because this ransomware is distributed on an international cross-continental level. All of the information provided by this ransomware is in the English language, which affirms the idea that it is meant to be disseminated internationally.

Based on the experience with other ransomware, our malware analysts think that the emails this infection comes in are disguised as genuine emails sent from established international companies, such as banks, shipping companies, online shopping websites, and so on. The emails should contain attachments such as Microsoft Word documents that feature distorted text, and the email asks you to enable macros to view the contents of the document. Once you enable macros, the script in the document downloads and drops Anonpop Ransomware’s files. Nevertheless, the developers might opt for a simpler approach and just put the ransomware in a file archive that infects the PC once opened.

If your computer becomes infected with Anonpop Ransomware, it will render a window that takes up all of the screen space on the desktop, effectively denying you access to everything on it. However, you can easily bypass this intentional block by right-clicking on the Taskbar and clicking Show the desktop or by pressing the Windows+D keys. The created window displays a ransom note which claims that your files have been encrypted and that you have to pay 125 USD within 24 hours, or 199 USD if you fail to pay within the first 24 hours. The cyber criminals threaten to delete the files if you do not pay but, unfortunately, it is too late. The ransomware does not encrypt the files but deletes all of them, and you cannot do anything about that. So you should not pay the ransom because you will not get your files back. Furthermore, this infection has been configured to shut down your PC one or two minutes after booting up, but you can stop this process with the Command Prompt by typing “shutdown /a” (guide below). After terminating this script, you can initiate your search for this malware to eradicate it.

We have not seen a program quite like this one before. It looks as if it is a genuine ransomware-type infection, but it does not encrypt any files; it erases them. Thus, you are not able to get them back even if you pay the hefty ransom. Please consult the instructions below and remove this infection so that you can use your PC. Note that its executable is named randomly, and it can be dropped anywhere on your PC. We have included a list of the most likely places where you can find it, but if you do not find it there, we recommend using our recommended anti-malware scanner to find it for you.

Override the shutdown sequence

  1. Press Windows+R keys.
  2. Type cmd in the dialog box and click OK.
  3. In the Command Prompt, type shutdown /a

Delete the ransomware

  1. Press Windows+E keys.
  2. In the File Explorer’s address bar enter these locations.
    • %USERPROFILE%\Downloads\
    • %USERPROFILE%\Desktop\
    • %AppData%\Local\Temp\
  3. Locate the infection’s files and delete them.
  4. Empty the Recycle Bin.

Note that the location where the malicious files are stored may differ, so if you cannot find them, please use our featured anti-malware tool to find them.
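
The two manual procedures above can be combined into one read-only triage pass. The following PowerShell script is an added example, not part of the original guide or any vendor tool: it aborts the pending shutdown and lists recently created executables in the folders named above so they can be reviewed before deletion. The look-back window, the extension list and the use of %LocalAppData%\Temp (where the per-user Temp folder normally lives) are assumptions.

```powershell
# Added example: read-only triage for the manual steps above. It deletes nothing.

# Step 1: cancel the pending shutdown (same effect as typing "shutdown /a").
# shutdown.exe exits non-zero when no shutdown is currently scheduled.
& shutdown.exe /a 2>$null
if ($LASTEXITCODE -eq 0) {
    Write-Host 'Pending shutdown aborted.'
} else {
    Write-Host 'No pending shutdown was in progress.'
}

# Step 2: list recently created executables in the folders the guide names.
$lookbackDays = 7                        # assumption: the infection is recent
$extensions   = '.exe', '.scr', '.com'   # assumption: the dropped file is a PE executable
$locations    = @(
    (Join-Path $env:USERPROFILE  'Downloads'),
    (Join-Path $env:USERPROFILE  'Desktop'),
    (Join-Path $env:LOCALAPPDATA 'Temp')  # assumption: per-user Temp folder
)
$cutoff = (Get-Date).AddDays(-$lookbackDays)

$candidates = foreach ($dir in $locations) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object {
            $extensions -contains $_.Extension.ToLower() -and
            $_.CreationTime -ge $cutoff
        } |
        ForEach-Object {
            # An unsigned, recently created executable is only a hint, not proof.
            $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
            $hash = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 `
                        -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Created   = $_.CreationTime
                Signature = $sig.Status
                SHA256    = $hash.Hash
                Path      = $_.FullName
            }
        }
}

# Newest files first; review each entry before deleting anything by hand.
$candidates | Sort-Object Created -Descending | Format-List
```

The SHA256 values can be submitted to an anti-malware scanner or kept as a record of what was removed.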

In non-techie terms:

Anonpop Ransomware is, oddly, a fake ransomware because it does not encrypt files to demand a ransom but deletes them and still wants you to pay a ransom to get them back. Therefore, we encourage you not to pay the ransom because you would only be throwing your money away. Use our guide or our recommended anti-malware program SpyHunter to eradicate this cunning infection.