Anubi targets the Windows OS; its distribution method is currently unknown. It maintains persistence on an infected system by setting an autorun entry in the Windows Registry so that it starts automatically upon user login. It appends .anubi to the names of encrypted files and drops ransom notes named __READ_ME__.txt. The email associated with this variant is firstname.lastname@example.org. According to researchers, this variant is slow to encrypt infected systems, so victims may be able to detect and stop the process before too much damage is done.
- Bleeping Computer provides more information about Anubi here.
- The NJCCIC is not currently aware of any free decryption tools available for Anubi.
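
Because this variant encrypts slowly, file-creation telemetry can flag it while encryption is still in progress. The following is an added detection sketch, not code from the NJCCIC or the researchers cited; it assumes events arrive as (timestamp, host, path) tuples, and the threshold and time window are illustrative values.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

ENCRYPTED_SUFFIX = ".anubi"      # extension named in this profile
RANSOM_NOTE = "__read_me__.txt"  # ransom note name from this profile, lowercased

def classify(path):
    """Return 'note', 'encrypted' or None for one Windows file path."""
    name = PureWindowsPath(path).name.lower()
    if name == RANSOM_NOTE:
        return "note"
    if name.endswith(ENCRYPTED_SUFFIX):
        return "encrypted"
    return None

def detect(events, threshold=3, window=timedelta(minutes=10)):
    """events: iterable of (iso_timestamp, host, path) file-creation records.
    Returns {host: first_alert_time}. A host alerts when `threshold` .anubi
    files appear within `window`, or as soon as a ransom note appears."""
    hits = defaultdict(list)
    alerts = {}
    for ts, host, path in sorted(events):
        kind = classify(path)
        if kind is None or host in alerts:
            continue
        when = datetime.fromisoformat(ts)
        if kind == "note":
            alerts[host] = when
            continue
        # Keep only hits still inside the sliding window, then add this one.
        hits[host] = [t for t in hits[host] if when - t <= window] + [when]
        if len(hits[host]) >= threshold:
            alerts[host] = when
    return alerts

# Constructed sample events (hypothetical hosts and paths, not real telemetry).
SAMPLE = [
    ("2024-01-15T09:00:00", "WS01", r"C:\Users\a\Documents\budget.xlsx.anubi"),
    ("2024-01-15T09:02:10", "WS01", r"C:\Users\a\Documents\plan.docx.anubi"),
    ("2024-01-15T09:03:30", "WS02", r"C:\Users\b\Desktop\notes.txt"),
    ("2024-01-15T09:04:45", "WS01", r"C:\Users\a\Pictures\img.JPG.ANUBI"),
    ("2024-01-15T09:20:00", "WS03", r"D:\share\old.zip.anubi"),
    ("2024-01-15T11:00:00", "WS03", r"D:\share\__READ_ME__.txt"),
]

if __name__ == "__main__":
    for host, when in detect(SAMPLE).items():
        print(f"{host}: possible Anubi encryption in progress at {when}")
```

A host that alerts should be isolated from the network and its login autorun entries in the Registry reviewed before the user next signs in.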