
AnteFrigus Ransomware

A new ransomware threat called AnteFrigus Ransomware has been spotted recently. What is notable about this threat is that its authors are not propagating it through the usual channels such as spam emails, bogus application updates or torrent trackers. Instead, the creators of the AnteFrigus Ransomware have opted to deliver it through the RIG Exploit Kit, which means a victim can be infected simply by browsing to a malicious or compromised web page with an unpatched browser or browser plugin, with no attachment to open and no installer to run. Exploit kits like RIG are generally sold as a service to other criminals, so this choice suggests that the creators of the AnteFrigus Ransomware have more resources and experience than the average ransomware operator.

Does not Target Data on the C: Partition

Another notable feature of the AnteFrigus Ransomware is that, unlike most ransomware threats, which try to encrypt as much data as possible, this data-encrypting Trojan only goes after files located on the D:, E:, F:, G:, H: and I: drives. Bearing in mind that most regular users keep a large part of their important data on the C: drive (the Windows system volume, which holds the user profile and the Documents, Pictures and Desktop folders), this choice is rather strange. The practical consequence is that any volume mounted under one of those letters is at risk: secondary internal disks, USB storage devices and mapped network shares are all routinely assigned the letters D: through I:, so the AnteFrigus Ransomware can reach removable media and shared network drives, while a device or share mapped to a letter outside that range would be left alone.

Has a Blacklist of File Types

If there are files present on the drives targeted by the AnteFrigus Ransomware, this file-locking Trojan applies its encryption routine to all of them regardless of type: audio files, images, documents, videos, archives, databases, etc. Interestingly, the AnteFrigus Ransomware also keeps a short blacklist of file types that it will not encrypt: MSI, EXE and DLL. Leaving executables, libraries and installers on the targeted drives intact means the software installed there keeps running, which fits the reading that the authors do not want to cause trouble with system services or applications. For a defender the blacklist has a second implication: an encrypted file will always carry a data extension such as .docx or .jpg before the appended victim ID, never .exe, .dll or .msi, which is a useful filter when triaging a hit volume.

Encryption and the Ransom Note

The AnteFrigus Ransomware generates a unique victim ID for each system it compromises, consisting of lowercase characters. Each locked file is marked with that victim ID, appended as an additional extension at the end of the original filename, so the original extension is preserved and the file can still be recognised by type. The ransom note is a text file whose name ends in '-readme.txt', and it is dropped in two copies: one on the desktop and another in the C:\Instraction folder. That folder is worth remembering during triage: even though the threat does not encrypt data on C:, it still writes to that drive, so the presence of C:\Instraction is a quick host-level indicator of infection. In the note, the attackers instruct the victim to use the Tor browser and visit their Tor-based portal to process the payment. The authors of the AnteFrigus Ransomware demand $2,000 worth of Bitcoin.
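The indicators above (an appended lowercase victim ID, a note ending in '-readme.txt', the C:\Instraction folder, and untouched EXE, DLL and MSI files) lend themselves to a small triage script. The following Python is an added example written for this page, not code from the AnteFrigus authors or from any analysis tool: it walks a directory tree, recovers the victim ID as the unknown lowercase suffix shared by the most files, and lists the files and notes that match. The list of known data extensions, the minimum ID length of 4, the MIN_HITS threshold, the sample directory layout and the victim ID 'qwertyuiop' are all assumptions constructed for the demonstration.

```python
from __future__ import annotations

import os
import re
import tempfile
from collections import Counter
from dataclasses import dataclass, field
from pathlib import Path

# File types the page says AnteFrigus leaves alone.
SKIPPED_EXTENSIONS = {".msi", ".exe", ".dll"}

# Common data extensions; an appended victim ID will not be one of these.
# This list is an assumption for the heuristic, not something the page provides.
KNOWN_EXTENSIONS = {
    ".txt", ".csv", ".json", ".xml", ".html", ".log", ".jpg", ".jpeg", ".png",
    ".gif", ".bmp", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf",
    ".mp3", ".wav", ".mp4", ".avi", ".zip", ".rar", ".7z", ".tar", ".gz",
    ".sql", ".db", ".sqlite", ".bak",
}

# The page describes the ID as lowercase characters; the minimum length of 4
# is an assumption to cut false positives.
VICTIM_ID_RE = re.compile(r"[a-z]{4,}")
NOTE_SUFFIX = "-readme.txt"
NOTE_FOLDER = "Instraction"
# Files that must share one unknown suffix before it is treated as the ID (assumption).
MIN_HITS = 3


@dataclass
class TriageResult:
    victim_id: str | None = None
    encrypted_files: list[Path] = field(default_factory=list)
    ransom_notes: list[Path] = field(default_factory=list)
    note_folder_present: bool = False
    candidate_counts: Counter = field(default_factory=Counter)


def candidate_id(path: Path) -> str | None:
    """Return the trailing suffix if `path` looks like <name>.<orig_ext>.<id>."""
    suffixes = path.suffixes
    if len(suffixes) < 2:
        return None
    appended, original = suffixes[-1], suffixes[-2].lower()
    # Blacklisted types are never encrypted, and a real data extension is not an ID.
    if appended.lower() in KNOWN_EXTENSIONS or original in SKIPPED_EXTENSIONS:
        return None
    if not VICTIM_ID_RE.fullmatch(appended[1:]):
        return None
    return appended[1:]


def triage(root: Path) -> TriageResult:
    """Walk `root` and collect the AnteFrigus indicators described on the page."""
    result = TriageResult()
    candidates: list[tuple[Path, str]] = []
    for dirpath, dirnames, filenames in os.walk(root):
        if NOTE_FOLDER in dirnames:
            result.note_folder_present = True
        for name in filenames:
            path = Path(dirpath) / name
            if name.endswith(NOTE_SUFFIX):
                result.ransom_notes.append(path)
                continue
            cid = candidate_id(path)
            if cid:
                candidates.append((path, cid))
                result.candidate_counts[cid] += 1
    # Vote: the ID is the unknown suffix shared by the most files, if enough of them.
    if result.candidate_counts:
        top, hits = result.candidate_counts.most_common(1)[0]
        if hits >= MIN_HITS:
            result.victim_id = top
            result.encrypted_files = sorted(p for p, cid in candidates if cid == top)
    return result


def build_sample_tree() -> Path:
    """Construct a throwaway directory that mimics a hit volume (sample data only)."""
    root = Path(tempfile.mkdtemp(prefix="antefrigus-triage-"))
    victim = "qwertyuiop"  # constructed ID, not one seen in the wild
    for rel in [
        f"photos/holiday.jpg.{victim}", f"work/report.docx.{victim}",
        f"work/archive.zip.{victim}", f"work/budget.xlsx.{victim}",
        "work/old.report.backup",   # unknown suffix, but only one file has it
        "work/backup.tar.gz",       # known double extension, not encrypted
        "tools/setup.exe", "tools/helper.dll",  # blacklisted, left alone
        f"{victim}{NOTE_SUFFIX}", f"{NOTE_FOLDER}/{victim}{NOTE_SUFFIX}",
    ]:
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"sample")
    return root


if __name__ == "__main__":
    res = triage(build_sample_tree())
    print("victim id:", res.victim_id, "| encrypted:", len(res.encrypted_files),
          "| notes:", [p.name for p in res.ransom_notes],
          "| Instraction folder:", res.note_folder_present)
```

Run it against the root of a suspect D: through I: volume rather than C:. Voting on the most common unknown suffix, instead of trusting any single filename, is what keeps a stray 'old.report.backup' from being reported as encrypted, and the recovered ID can then be fed into a detection rule or file-recovery script with some confidence.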

We advise you against cooperating with cyber crooks as there is no guarantee you will be given the decryption key they have promised. Because the threat reaches USB storage and mapped network shares, disconnect any removable media and network drives from an infected machine before doing anything else, and do not plug those devices into a clean system until they have been checked. Then download and install an anti-malware tool, use it to remove the AnteFrigus Ransomware from your computer, and restore the locked files from an offline backup where one exists.
