WatchPoint Security Blog

Annabelle Ransomware Creating Horror for Infected Computers

Written by Jordan Kadlec | February 23, 2018

Picture credit: pulsetheworld.com

A never-before-seen type of ransomware has been making headlines in the cybersecurity world this week. Named “Annabelle” after the popular horror movie franchise, it is said to throw everything but the kitchen sink at users who have become infected. Of all the strains we've seen, this has to be one of the strangest.

Annabelle Ransomware

Most developers of ransomware create the malware to make a profit, hence ‘ransom.’ However, we sometimes see developers create ransomware just to show off their skills by adding variations. Such is the case with Annabelle. Along with the typical characteristic of ransomware (encrypting a user’s files), the developer of Annabelle added variations including terminating security programs, disabling Windows Defender, and turning off any firewall that attempts to stop the program. Furthermore, the ransomware attempts to spread via USB drives and makes it impossible to run a variety of programs.

Cybersecurity researchers at MalwareHunterTeam were able to extract some source code to get a better look at the process Annabelle goes through when infecting a machine. When the ransomware first infects a machine, it sets itself up to run automatically when the user logs into Windows. Once the user is logged in, Annabelle configures itself to terminate programs such as Internet Explorer, Chrome, Opera, and any defense software the computer may be running. From there, the ransomware attempts to spread itself using autorun.inf files, which is fairly useless against newer versions of Windows that do not support the autoplay feature.

When all of this is completed, Annabelle starts the ransomware process where it encrypts files and appends .ANNABELLE to the end of encrypted files. If successful, the ransomware will reboot the computer, and upon login, the ransom note (shown above) will appear. As we can see, the ransom is set at 0.1 Bitcoin or roughly $1,000 USD.
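The two on-disk artifacts described above, the .ANNABELLE suffix and autorun.inf launchers, are enough to scope an affected volume. The following triage sketch is an added example, not code from the article or from MalwareHunterTeam; the function names and the sample files are constructed for illustration, and the autorun.inf keys it checks are the standard Windows ones rather than anything taken from the ransomware itself.

```python
import os
import tempfile

ENCRYPTED_SUFFIX = ".annabelle"         # extension named in the article, matched case-insensitively
LAUNCH_KEYS = ("open", "shellexecute")  # standard autorun.inf keys that start a program

def autorun_targets(path):
    """Return the commands an autorun.inf would launch from its [autorun] section."""
    targets, in_section = [], False
    with open(path, "r", errors="replace") as fh:
        for raw in fh:
            line = raw.strip()
            if line.startswith("["):
                in_section = line.lower() == "[autorun]"
            elif in_section and "=" in line and not line.startswith(";"):
                key, value = line.split("=", 1)
                key = key.strip().lower()
                # shell\<verb>\command entries also start a program
                if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
                    targets.append(value.strip())
    return targets

def triage(root):
    """Walk root; list files carrying the ransomware suffix and any autorun.inf launchers."""
    report = {"encrypted": [], "autorun": {}}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            if name.lower().endswith(ENCRYPTED_SUFFIX):
                report["encrypted"].append(full)
            elif name.lower() == "autorun.inf":
                report["autorun"][full] = autorun_targets(full)
    report["encrypted"].sort()
    return report

def build_sample(root):
    """Constructed sample volume for the demo; all file names are made up."""
    os.makedirs(os.path.join(root, "docs"))
    for rel in ("docs/report.docx.ANNABELLE", "docs/notes.txt", "photo.jpg.annabelle"):
        open(os.path.join(root, *rel.split("/")), "w").close()
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\n; constructed sample\nopen=sample.exe\nicon=sample.ico\n"
                 "shell\\open\\command=sample.exe /x\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as vol:
        build_sample(vol)
        print(triage(vol))
```

A suffix match only shows which files were renamed, and an autorun.inf on a drive is an indicator to review rather than proof of infection.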

As a finishing touch, the developer decided to add a feature that runs a program intended to replace the master boot record of the infected computer, so it shows a ‘props’ screen anytime the computer is rebooted.

The Good News

While this can certainly seem like a nightmare for users who become infected, the good news is the ransomware is easily decryptable. Annabelle is based on Stupid Ransomware, which uses a static key and is decryptable using StupidDecryptor, developed by Michael Gillespie. If you have been infected by Annabelle, click here to learn how to use StupidDecryptor to unlock your files and regain access to your computer. If you feel like you've been infected by another type of ransomware, we can walk you through what to do.