What could be more horrifying than a ghost story based on a real incident?
Obviously, a ransomware virus carrying the name of one of the scariest ghosts of all times – ANNABELLE!
It is not certain if people were disturbed by the Annabelle ghost, but businesses will certainly have sleepless nights thinking how to ward off the Annabelle attack! After Spectre and Meltdown, Annabelle is now in tow making businesses go berserk.
So, what is Annabelle ransomware and how does it work? This blog post will shed some light on how Annabelle attacks you (your business) and what you can do to keep yourself (your data) safe.
Annabelle is built on Stupid ransomware, which is a crypto-virus. Crypto-viruses are a variant of ransomware that use .NET programming to encrypt files and append them with extensions like .haters, .FailedAccess, .xncrypt, etc.
Stupid ransomware uses an encryption algorithm that locks particular file types and prevents users from opening them. It was designed to encrypt 61 file types, including those that are stored in My Pictures, My Music, Downloads and other files in C: Drive top-level directories. Once the files are encrypted, Stupid ransomware gives its victims instructions on how to pay the ransom to obtain the decryption key to gain access to the encrypted files.
Annabelle ransomware works more or less along the same lines and can be decrypted easily. It appears more to be like the work of a developer wanting to show off his/her skills rather than a properly orchestrated ransomware attack. He/She has also provided his/her contact details on Discord, enabling victims to contact if required.
Once the system is booted up, Annabelle does the following to latch herself (himself?!) onto our systems:
- Disables Windows Defender
- Turns off the firewall
- Terminates other security programs
- Spreads through USB drives
As per the report by cyber security researchers at the MalwareHunterTeam, the ransomware automatically runs when the users log on to their Windows machine. Once this is done, Annabelle begins her tactics by terminating programs that could kill her such as
- Internet Explorer
- Chrome
- Opera
- Task Manager
- Msconfig etc.
The ransomware then modifies the Image File Execution Registry so that the user cannot launch programs as those mentioned above, and also others such as Notepad. From here, Annabelle launches herself through autorun.inf files (text files included in CD-ROMs that enables programs to auto-launch when inserted into the drive) in Windows OS.
However, this doesn’t work in newer versions of Windows that don’t support the AutoPlay feature. Now, the ransomware begins it’s actual work by encrypting the files with a static key (encryption key used in many instances and over a long period of time) and appending them with ‘.ANNABELLE’.
After the encryption is done, Annabelle reboots the computer automatically and when the user tries to log on, it displays the following message:
The developer has also added a note stating that the darknet sites don’t exist, and that the victims can contact him/her on Discord through the name – iCoreX#1337.
To prove that Annabelle ransomware is every bit as evil as her ghost counterpart, the developer has added a feature that overwrites the master boot record of the infected computer, so that the screen shows the Annabelle doll when the user tries to log in. Some victims also mentioned that the countdown ran out faster and heard an eerie music when they tried to reboot the system on their own!
CONCLUDING THOUGHTS
When the immoral attacks, there always arrives the virtuous to help all out. So, what can businesses do to keep this evil attack at bay? The safest solution is to have a copy of all your production data in an offsite location, as backing up data to the same location as that of the ransomware attack is as good as having no backup at all.
The Vembu OffsiteDR and Vembu CloudDR allow users to replicate data from the main server to an offsite server in their very own data center and the Vembu Cloud respectively. This would allow businesses to easily restore data to the required location when Annabelle attacks.
Experience modern data protection with this latest Vembu BDR Suite v.3.9.0 FREE edition. Try the 30 days free trial here: https://www.bdrsuite.com/vembu-bdr-suite-download/
Follow our Twitter and Facebook feeds for new releases, updates, insightful posts and more.