Anonymous Ransomware Removal Guide

Do you know what Anonymous Ransomware is?

Anonymous Ransomware is an infection that follows in the footsteps of Jigsaw Ransomware and CryptoHitman Ransomware. Our research team warns that there are many different variants in the Jigsaw family, and they are named after specific features that are unique to them. In the case of this ransomware, it was named after the group of hacktivists who go by the name “Anonymous.” Although it is highly unlikely that this group is indeed associated with this ransomware, their official emblem is used in the window that is launched from the main executable. This window includes a message that informs you what is happening and what needs to be done. We can tell you right away that following the demands of cyber criminals is a bad idea. If you want to learn more, and you need information that will help you remove Anonymous Ransomware, please continue reading.

Opening corrupted spam email attachments is one of the ways to let Anonymous Ransomware into your operating system. Once executed, this threat silently encrypts your files using the Advanced Encryption Standard (AES) method, and it specifically targets your personal files (e.g., PNG, AVI, JPEG, MP3, DOC, or PDF files). Notably, all of the affected files gain the “.xyz” extension (e.g., document.pdf.xyz). Immediately after the encryption, a window pops up with the previously mentioned Anonymous emblem. The window quickly fills up with a message indicating that you need to follow specific instructions to have your files decrypted. The message states that some files will be selected and deleted every hour that passes, and a countdown clock is included in this window as well. It also claims that any attempt to delete Anonymous Ransomware using antivirus software will result in the removal of files. Restarting the computer or closing the message will supposedly result in the removal of files, too. The goal of this warning is to push you into paying a ransom.

At the time of research, the ransom fee requested by Anonymous Ransomware was 250 USD, and victims were ordered to pay it in Bitcoins. The scary notification issued by this threat includes a Bitcoin address to which the payment must be made. Although it might seem as if paying the ransom is the only way out, our research team warns that this is a bad idea. First of all, there are absolutely no guarantees that cyber criminals will not just take your money without giving you the decrypter that you need. Do you think you can trust cyber criminals? If you choose to pay the ransom, do so at your own risk. Smart users will research third-party decryption tools. Hopefully, it will not take long for you to find a tool that works before the malicious Anonymous Ransomware manages to cause any more damage. Of course, before you do anything, we suggest killing the process that is responsible for continuously deleting your personal files. This process is called "Microsoft Defender.exe", and because of its misleading name you should check the location of this file before you kill it.

How to kill Microsoft Defender.exe

  1. Tap Ctrl+Shift+Esc keys simultaneously to launch Windows Task Manager.
  2. Click the Processes tab.
  3. Right-click the process named Microsoft Defender.exe, select Properties, and check if the location points to C:\Users\[your user name]\AppData\Roaming\MS\Defender.exe. Click Cancel.
  4. Select the process and click End process/end task. Click OK.

Once you kill the process associated with Anonymous Ransomware, you can move on to other tasks. If you are trying to decrypt your files, go ahead and use a reliable decrypter. If your files are backed up, and you only worry about the removal of the ransomware, figure out which option is best for you. We advise using automated removal software due to the risk of other threats being active. What is more, deleting Anonymous Ransomware manually can be challenging. If you are up for a challenge, use the guide below. Just keep in mind that the file, process, and registry value names could differ from one infection to another.

Remove Anonymous Ransomware from Windows

  1. Kill the Microsoft Defender.exe process (see instructions above).
  2. Simultaneously tap Win+R to launch RUN and enter regedit.exe into the dialog box.
  3. Move to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
  4. Right-click and Delete the value named Defender.exe (check the value data first to see if the location of this file is C:\Users\[your user name]\AppData\Roaming\MS\Defender.exe).
  5. Simultaneously tap Win+E to launch Explorer.
  6. Enter %LOCALAPPDATA% (or %UserProfile%\Local Settings\Application Data\) into the address bar.
  7. Right-click and Delete the file named MS app_roaming.exe.
  8. Enter %APPDATA% into the address bar.
  9. Right-click and Delete the file named MS Defender.exe.
  10. Right-click and Delete the folder named System32Work (check if it contains these files: Address.txt, dr, and EncryptedFileList.txt).
  11. Perform a full system scan using a trustworthy malware scanner.
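The checks from both procedures above (the Task Manager location check and the registry, file, and folder steps) gathered into one read-only PowerShell triage script. This is an added example, not part of the original guide; it deletes nothing, uses the file names exactly as the guide writes them, and assumes the System32Work folder sits under %APPDATA%, where step 10 looks.

```powershell
# Added triage script, not from the original guide: reports the artifacts the
# guide names and deletes nothing. Assumption: System32Work lives under %APPDATA%.
$findings = New-Object System.Collections.Generic.List[string]

# Process: shown as "Microsoft Defender.exe" but running from %APPDATA%\MS,
# which is not where the genuine Windows Defender binary lives.
$suspectDir = Join-Path $env:APPDATA 'MS'
Get-CimInstance Win32_Process | Where-Object {
    $_.ExecutablePath -and ($_.ExecutablePath -like "$suspectDir*")
} | ForEach-Object {
    $findings.Add("Process $($_.Name) (PID $($_.ProcessId)) running from $($_.ExecutablePath)")
}

# Persistence: HKCU Run value named Defender.exe (steps 3 and 4 of the removal guide)
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['Defender.exe']) {
    $findings.Add("Run value 'Defender.exe' -> $($run.'Defender.exe')")
}

# Dropped files and folder from steps 6 to 10, names as the guide writes them
$workDir = Join-Path $env:APPDATA 'System32Work'
$artifacts = @(
    (Join-Path $env:APPDATA      'MS\Defender.exe'),
    (Join-Path $env:APPDATA      'MS Defender.exe'),
    (Join-Path $env:LOCALAPPDATA 'MS app_roaming.exe'),
    $workDir
) + @('Address.txt', 'dr', 'EncryptedFileList.txt' | ForEach-Object { Join-Path $workDir $_ })
foreach ($path in $artifacts) {
    if (Test-Path -LiteralPath $path) { $findings.Add("Artifact present: $path") }
}

# Encrypted data: the original extension is kept and .xyz is appended (document.pdf.xyz),
# so only .xyz files whose base name still contains a dot are counted.
$encrypted = @(Get-ChildItem -Path $env:USERPROFILE -Recurse -File -Filter '*.xyz' -ErrorAction SilentlyContinue |
    Where-Object { $_.BaseName -like '*.*' })
if ($encrypted.Count -gt 0) {
    $findings.Add("$($encrypted.Count) file(s) with a .xyz extension under $env:USERPROFILE")
}

if ($findings.Count -eq 0) { 'No Anonymous Ransomware artifacts found.' } else { $findings }
```

Run it before and after the manual steps: a clean second run confirms the process, Run value, and dropped files are gone, while any remaining .xyz count tells you how many files still need a decrypter or a restore from backup.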

In non-techie terms:

If you have become a victim of the malicious Anonymous Ransomware, your personal files are now in jeopardy. Hopefully, you will be able to decrypt them using third-party decryption tools (not necessary if you have used external/online file backup systems). In any case, removing this ransomware is crucial because its malicious files could virtually be used for any kind of task, including the downloading of more malicious files. The instructions above show how to erase this ransomware manually, but you should consider using automated removal software as well. Should you have any questions about the removal process, you can leave them in the comments section below.