Discovered by security researcher Bart, Annabelle Ransomware includes everything but the kitchen sink when it comes to screwing up a computer. This includes terminating numerous security programs, disabling Windows Defender, turning off the firewall, encrypting your files, trying to spread through USB drives, making it so you can’t run a variety of programs, and then to sweeten the pot, it overwrites the master boot record of the infected computer with a silly boot loader.
Thankfully, MalwareHunterTeam was able to extract the source code from the obfuscated executable, which gives us a much clearer picture of what this program actually does.
When first run, Annabelle will configure itself to start automatically when you log in to Windows. It then terminates a variety of programs such as Process Hacker, Process Explorer, Msconfig, Task Manager, Chrome, and more.
It then configures Image File Execution Options (IFEO) registry entries so that you cannot launch a variety of programs, including the ones listed above as well as Notepad++, Notepad, Internet Explorer, Chrome, Opera, bcdedit, and many more. Because these entries persist in the registry, the programs stay blocked even after the ransomware process itself is gone.
The ransomware will then try to spread itself using autorun.inf files. This method is fairly useless on modern systems, as Windows 7 and later (and earlier versions with the relevant Microsoft update applied) no longer honor autorun.inf on USB drives.
Once all this is done, it will start encrypting files on the computer with a static, hardcoded key. When encrypting a file it appends the .ANNABELLE extension to the encrypted file’s name.
It will then reboot the computer and when the user logs in, it will display the lock screen shown at the top of this article. The lock screen has a credits button that when clicked shows the below screen that states a developer named iCoreX0812 made the program and a way to contact them on Discord.
As a finishing touch, the developer decided to also run a program that replaces the master boot record of the infected computer so that it shows a “props” screen when the computer restarts.
Overall, this ransomware was developed to be a PITA and to show off the developer’s skills rather than to actually generate ransom payments.
The good news is that this ransomware is based on Stupid Ransomware and is easily decryptable. Because it uses a static key, Michael Gillespie was able to update his StupidDecryptor to decrypt this variant.
By restoring the MBR, running Rkill in Safe Mode to clean up the IFEO registry entries, using Michael’s decryptor to decrypt the files, and then running a few security scans to remove any leftovers, you should be able to get your computer back to normal.
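For anyone who wants to see what the IFEO lockout looks like and verify the cleanup by hand rather than relying solely on Rkill, the following PowerShell script is an added example written for this page; it is not code from the article, from Rkill, or from StupidDecryptor. It enumerates every IFEO subkey that carries a Debugger value (the standard way IFEO is abused to redirect a program launch, which the article does not confirm is exactly what Annabelle sets, so treat that as an assumption), flags any whose target is not a known debugger, removes the flagged values when run with -Remove, dumps the usual Run keys so the logon autostart entry can be spotted, and counts .ANNABELLE files so the decryptor run can be checked afterwards. The $knownGood list and the choice of Run keys are assumptions you should adjust for your own environment, and the script must be run from an elevated prompt (Safe Mode is fine).

```powershell
# Added example for this page (not the article's, Rkill's or StupidDecryptor's code).
# Audits and optionally removes Image File Execution Options (IFEO) "Debugger"
# hijacks of the kind Annabelle uses to block Task Manager, Process Explorer, etc.
# Run from an elevated PowerShell prompt. Without -Remove it only reports.
param(
    [switch]$Remove,          # delete suspicious Debugger values instead of only listing them
    [string]$Root = 'C:\'     # where to count .ANNABELLE files
)

$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# A Debugger value under "<program>.exe" makes Windows launch that "debugger"
# instead of the program. Legitimate registrations are rare; this allow-list is
# an assumption and should be adjusted for the machine being cleaned.
$knownGood = @('gflags.exe', 'vsjitdebugger.exe', 'ntsd.exe', 'windbg.exe')

$hijacks = foreach ($key in Get-ChildItem -Path $ifeo) {
    $dbg = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        # Pull the executable out of the Debugger string, which may be quoted
        # and may carry arguments ("C:\path\to\x.exe" /arg).
        $target = if ($dbg -match '^"([^"]+)"') { $Matches[1] } else { $dbg.Split(' ')[0] }
        $targetExe = (Split-Path -Leaf $target).ToLower()
        [pscustomobject]@{
            Program    = $key.PSChildName
            Debugger   = $dbg
            Suspicious = ($knownGood -notcontains $targetExe)
        }
    }
}

"IFEO entries with a Debugger value:"
$hijacks | Format-Table -AutoSize

if ($Remove) {
    foreach ($h in ($hijacks | Where-Object Suspicious)) {
        Remove-ItemProperty -Path (Join-Path $ifeo $h.Program) -Name Debugger
        "Removed Debugger hijack for $($h.Program)"
    }
}

# The article says Annabelle registers itself to run at logon but not where;
# the two standard Run keys are the usual first place to look (assumption).
foreach ($run in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    "Startup entries in ${run}:"
    Get-ItemProperty -Path $run -ErrorAction SilentlyContinue |
        Select-Object -Property * -ExcludeProperty PS*
}

# Count encrypted files before and after running the decryptor; the count
# should drop to zero once decryption has succeeded.
$encrypted = @(Get-ChildItem -Path $Root -Recurse -Filter '*.ANNABELLE' -File -ErrorAction SilentlyContinue)
"$($encrypted.Count) .ANNABELLE files found under $Root"
```

Run it once without -Remove and read the table: every Program whose Debugger points somewhere other than a real debugger is one of the lockouts, and you should expect to see the tools the article lists (taskmgr.exe, procexp.exe, msconfig.exe, notepad.exe and so on). Rerun with -Remove only after you are satisfied with the list. The MBR step is separate from this script; it is done from the Windows recovery environment rather than from within the infected installation.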