Annabelle delivers a panoply of horror stories to deliver ransomware

News by SC Staff


All ransomware is a nightmare but Annabelle is a real horror, described by Bleeping Computer as appearing more designed to 'show off the skills' of the developer who created it than as a real bid to raise ransom payments.

This hydra of a program raises the bar for anyone trying to tackle it: the ransomware terminates numerous security programs, disables Windows Defender, turns off the firewall, encrypts your files, tries to spread through USB drives, prevents a variety of programs from running, and overwrites the master boot record of the infected computer with a boot loader.

But its very complexity and variety of threats make it vulnerable to detection by behavioural analysis, says Andy Norton, director of threat intelligence at Lastline, who commented in an email to SC Media UK: “The more malicious things a piece of code does, the more alarm bells start ringing when scrutinised with behavioural analysis. Annabelle, by design, would simply not pose a threat to any organisation using behavioural analysis, because it exhibits too many bad functions. It sets off too many alarms. Qkg was interesting from a research perspective, because many machine-learned behavioural algorithms were trained on ransomware encrypting many thousands of existing files and deleting shadow copies. Qkg did neither; instead it went after newly created files.”

Discovered by security researcher Bart, Annabelle is so named because when encrypting files it appends the .ANNABELLE extension to the encrypted file's name. MalwareHunterTeam has extracted the source code from the obfuscated executable to show its portfolio of criminal functionality.

The ransomware is reported to be based on Stupid Ransomware and is described as easily decryptable. Bleeping Computer's Lawrence Abrams explains: “By replacing the MBR, running Rkill in safe mode to clean up the IFEO registry entries, using Michael's decryptor (Michael Gillespie) to decrypt the files, and then a few security scans to remove any left-overs you should be able to get your computer back to normal.”
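The IFEO registry entries mentioned in the recovery steps are how a program can be blocked from running: a `Debugger` value under an image's Image File Execution Options key makes Windows launch that "debugger" instead of the program. The following PowerShell audit, added here as an example and not code from the article or from Bleeping Computer, lists every IFEO entry that carries a `Debugger` value so a responder can review them before cleanup; the function name `Get-IfeoDebuggerEntry` is our own, and the two registry paths are the standard 64-bit and WOW6432Node locations.

```powershell
# Added example: enumerate IFEO keys that redirect a program to a "Debugger".
# Run elevated on the affected host (e.g. from safe mode) and review each hit;
# legitimate tooling occasionally uses IFEO too, so treat this as triage, not proof.
function Get-IfeoDebuggerEntry {
    [CmdletBinding()]
    param(
        # Standard IFEO locations; the second is for 32-bit images on 64-bit Windows.
        [string[]]$Path = @(
            'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
        )
    )

    foreach ($root in $Path) {
        if (-not (Test-Path -Path $root)) { continue }

        # Each subkey is named after an executable (e.g. "taskmgr.exe").
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            if ($null -ne $props -and $props.PSObject.Properties['Debugger']) {
                [pscustomobject]@{
                    Image    = $_.PSChildName   # program that is being intercepted
                    Debugger = $props.Debugger  # what actually gets launched instead
                    Key      = $_.Name          # full registry path, for removal or reporting
                }
            }
        }
    }
}

# Usage: print the findings as a table; an empty result means no IFEO redirection is set.
Get-IfeoDebuggerEntry | Format-Table -AutoSize
```

Entries whose `Debugger` points at an unexpected binary, or that cover security tools, Task Manager or the registry editor, are the ones to clean up; removing the `Debugger` value (or the whole subkey, if nothing else is in it) restores normal launching of that program.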

A copy of the ransom note is also provided:

Ransom Note:

What Happened to my files?
All your files are encrypted and secured with a strong key. There is no way to get them back without your personal key.

How can I get my personal key?
Well, you need to pay for it. You need to visit one of the special sites below & then you need to enter your personal ID (you find it on the top) & buy it. Actually it costs exactly 0.1 Bitcoins.

How can I get access to the site?
You easily need to download the Torbrowser, you can get it from this site:

What is goin to happen if I'm not going to pay?
If you are not going to pay, then the countdown will easily ran out and then your system will be rboken. If you are going to restart, then the countdown will ran out a much faster. So, its not a good idea to do it.

I got the key, what should I do now?
Now you need to enter your personal key in the textbox below. Then you will get access to the decryption program.

- The darknet sites are not existing, its just an example text. The other things are right, except the darknet thing. Its possible to get the key, but if I going to do a new trojan, or new version of this then I will add real ways to get the key :) If you wanna that I going to do a 2.0 or a new trojan, then write it below in the comments. Thanks
If you wanna chat with me, contact me easily in discord: iCoreX#1337
