AnonPop is malware designed to look like ransomware, claiming to encrypt files and demanding a ransom payment from the victim. However, AnonPop deletes files rather than encrypting them and then displays a JPG image of the ransom note and payment instructions. It targets Windows OS and is distributed via phishing emails masquerading as complaints from the Office of the Attorney General. These phishing emails contain ZIP files labeled complaint376878.zip that deliver a malicious batch file designed to look like a PDF file. When launched, the batch file abuses PowerShell commands to install additional malware, some of which is designed to maintain persistence on the infected machine and cause a system shutdown. AnonPop deletes files from user profile folders, Program Files folders, the temp folder, and files saved to the desktop. It will also delete files from mapped drives. Fortunately, it does not overwrite the deleted files, so data recovery is possible either by restoring Shadow Volume Copies or by using a data recovery tool. AnonPop demands a ransom payment of $125 USD within the first 24 hours, $199 USD after 24 hours, and threatens to delete all files and the operating system after 72 hours.
- Bleeping Computer provides more information about AnonPop, including removal and file restoration instructions, here.
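The delivery vector described above (a ZIP attachment carrying a batch file dressed up as a PDF) is something a mail gateway or triage script can flag before the archive ever reaches a user. The following Python is an added example written for this page, not code from the entry's source or from any vendor: it opens a ZIP in memory, inspects each member name for an executable-type extension hiding behind a document-style extension (and for the right-to-left-override trick used for the same purpose), and returns the findings. The sample archive it builds is constructed for the demonstration; the page does not give the name of the batch file inside complaint376878.zip, so `complaint.pdf.bat` is an assumed stand-in and its contents are a harmless placeholder.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows will execute directly; a "document" whose real
# extension is one of these matches the AnonPop lure pattern.
EXECUTABLE_EXTS = {
    ".bat", ".cmd", ".exe", ".scr", ".js", ".vbs", ".ps1",
    ".pif", ".com", ".lnk", ".hta", ".wsf",
}
# Extensions a lure borrows to look like an ordinary attachment.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def classify_member(name):
    """Return a list of findings for a single archive member name."""
    findings = []
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    if not suffixes:
        return findings
    true_ext = suffixes[-1]
    if true_ext in EXECUTABLE_EXTS:
        findings.append(f"executable-type member: {name}")
        # Double extension such as "report.pdf.bat": the visible part says
        # document, the part Windows acts on says script.
        if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTS:
            findings.append(f"document extension masking an executable: {name}")
    # U+202E (right-to-left override) reverses how the tail of a file name
    # is displayed, so "tab.fdp" can render as ".pdf" to the user.
    if "\u202e" in name:
        findings.append(f"RLO character in member name: {name!r}")
    return findings


def scan_zip_bytes(data):
    """Scan every file entry in a ZIP held in memory; return all findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            findings.extend(classify_member(info.filename))
    return findings


def build_sample():
    """Constructed stand-in for the phishing attachment (not the real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Assumed member name; contents are a harmless placeholder.
        zf.writestr("complaint.pdf.bat", "@echo off\r\nrem placeholder, nothing executed\r\n")
        zf.writestr("readme.txt", "constructed benign file\n")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip_bytes(build_sample()):
        print(finding)
```

To use this against a real inbox, feed `scan_zip_bytes` the raw bytes of each ZIP attachment and quarantine the message when the list is non-empty; the check is on names only, so it costs nothing and runs before any content is extracted to disk.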