Horror fans know the consequences of an encounter with the evil doll Annabelle – users should similarly beware of the same-named ransomware, which possesses a bag of evil tricks to wreak havoc on an infected computer.
Discovered by security researcher Bart, Annabelle Ransomware includes everything but the kitchen sink when it comes to screwing up a computer. This includes terminating numerous security programs, disabling Windows Defender, turning off the firewall, encrypting your files, trying to spread through USB drives, making it so you can't run a variety of programs, and then to sweeten the pot, it overwrites the master boot record of the infected computer with a silly boot loader.
Thankfully, MalwareHunterTeam was able to extract the source code from the obfuscated executable so that we can get a better glimpse as to what this program is doing.
When first run, Annabelle configures itself to start automatically when you log in to Windows and then terminates a variety of programs such as Process Explorer, Task Manager, Chrome, Process Hacker and many others.
It then configures Image File Execution Options (IFEO) registry entries that make it impossible to launch a variety of programs, including the ones listed above as well as Notepad++, Notepad, Internet Explorer, Chrome, Opera, bcdedit, and many more.
The ransomware will then try to spread itself using autorun.inf files. This method is fairly ineffective against the latest versions of Windows and other operating systems, which no longer support autoplay features.
Once all this is done, it will start encrypting the computer with a static key. When encrypting files it will append the .ANNABELLE extension to the encrypted file's name.
It will then reboot the computer and when the user logs in, it will display the lock screen shown at the top of this article. The lock screen has a credits button that when clicked shows the below screen that states a developer named iCoreX0812 made the program and a way to contact them on Discord.
As a finishing touch, the developer decided to also run a program that replaces the master boot record of the infected computer so that it shows a "props" screen when the computer restarts.
Overall, this ransomware was developed to be a PITA and to show off the developer's skills rather than to actually generate ransom payments.
The good news is that this ransomware is based on Stupid Ransomware and is easily decryptable. As it uses a static key, Michael Gillespie was able to update his StupidDecryptor to decrypt this variant.
By replacing the MBR, running Rkill in safe mode to clean up the IFEO registry entries, using Michael's decryptor to decrypt the files, and then running a few security scans to remove any leftovers, you should be able to get your computer back to normal.
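The IFEO registry hijack described above is easy to audit by hand before (or after) running a cleanup tool. The following PowerShell script is an added example, not code from the article or from any of the tools it mentions; it lists every IFEO subkey that carries a "Debugger" value and flags the ones whose executable names (assumed here, e.g. taskmgr.exe for Task Manager) match the programs the article says are blocked.

```powershell
# Added example (not from the article): audit Image File Execution Options (IFEO)
# for "Debugger" values, the mechanism used to block Task Manager, Process Explorer,
# Notepad and similar tools. Run from an elevated PowerShell prompt.
$ifeoPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Executable names assumed for the programs the article names as blocked.
$watchList = @('taskmgr.exe', 'procexp.exe', 'procexp64.exe', 'ProcessHacker.exe',
               'chrome.exe', 'notepad.exe', 'notepad++.exe', 'iexplore.exe',
               'opera.exe', 'bcdedit.exe')

$findings = Get-ChildItem -Path $ifeoPath -ErrorAction Stop | ForEach-Object {
    $exe = $_.PSChildName
    # A Debugger value makes Windows launch that path instead of the executable.
    $debugger = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($debugger) {
        [PSCustomObject]@{
            Executable  = $exe
            Debugger    = $debugger
            OnWatchList = ($watchList -contains $exe)
        }
    }
}

if (-not $findings) {
    'No IFEO Debugger values found.'
} else {
    $findings | Sort-Object -Property OnWatchList -Descending | Format-Table -AutoSize
}

# After confirming an entry is malicious (e.g. the Debugger path does not exist or
# points at an unknown binary), remove only the Debugger value so that any other
# settings on that key survive. Drop -WhatIf to actually apply the change:
#   Remove-ItemProperty -Path "$ifeoPath\taskmgr.exe" -Name Debugger -WhatIf
```

Not every Debugger value is malicious: Process Explorer's "Replace Task Manager" option legitimately sets one on taskmgr.exe pointing at procexp, so check where each Debugger path leads before deleting it.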
By: Divya Aswani, II Year