While most ransomware is created to actually generate revenue, some developers create them to show off their "skills". Such is the case with a new ransomware based off of the horror movie franchise Annabelle.

 

Discovered by security researcher Bart, Annabelle Ransomware includes everything but the kitchen sink when it comes to screwing up a computer. This includes terminating numerous security programs, disabling Windows Defender, turning off the firewall, encrypting your files, trying to spread through USB drives, making it so you can't run a variety of programs, and then to sweeten the pot, it overwrites the master boot record of the infected computer with a silly boot loader.

 

Annabelle Ransomware

 

Thankfully, MalwareHunterTeam was able to extract the source code from the obfuscated executable so that we can get a better glimpse as to what this program is doing.

 

When first run, Annabelle will configure itself to start automatically when you log in to Windows. It then terminates a variety of programs such as Process Hacker, Process Explorer, Msconfig, Task Manager, Chrome, and more.

It then configures Image File Execution Options (IFEO) registry entries so that you cannot launch a variety of programs, such as the ones listed above and others such as Notepad++, Notepad, Internet Explorer, Chrome, Opera, bcdedit, and many more.
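
A triage check for the IFEO hijack described above, as an added example that is not from the article or from the ransomware's source: it parses a `reg export` of the Image File Execution Options key and lists every image that has a `Debugger` value. The executable names in `WATCHED` are assumed file names for the programs the article lists, and the sample export and its paths are constructed.

```python
import re

# Constructed sample in `reg export` (.reg) format; the Debugger paths are placeholders.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="C:\\placeholder\\blocker.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad++.exe]
"Debugger"="C:\\placeholder\\blocker.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\example.exe]
"MitigationOptions"=hex(b):00,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vendorapp.exe]
"Debugger"="C:\\placeholder\\legit-debugger.exe"
'''

IFEO = "\\image file execution options\\"
# Assumed image names for programs the article lists (it names programs, not files).
WATCHED = {"processhacker.exe", "procexp.exe", "procexp64.exe", "msconfig.exe",
           "taskmgr.exe", "chrome.exe", "notepad++.exe", "notepad.exe",
           "iexplore.exe", "opera.exe", "bcdedit.exe"}
KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def find_ifeo_debuggers(reg_text):
    """Return (image, debugger, watched) for each IFEO subkey that has a Debugger value."""
    hits, image = [], None
    for line in map(str.strip, reg_text.splitlines()):
        key = KEY_RE.match(line)
        if key:
            # Only direct children of the IFEO key name an executable image.
            _, sep, rest = key.group(1).lower().partition(IFEO)
            image = rest if sep and rest and "\\" not in rest else None
            continue
        val = VAL_RE.match(line)
        if val and image and val.group(1).lower() == "debugger":
            debugger = re.sub(r"\\(.)", r"\1", val.group(2))  # undo .reg escaping
            hits.append((image, debugger, image in WATCHED))
    return hits

if __name__ == "__main__":
    for image, debugger, watched in find_ifeo_debuggers(SAMPLE):
        print(f"{'watched tool' if watched else 'review':12} {image} -> {debugger}")
```

`reg export` writes UTF-16, so read a real export with `open(path, encoding="utf-16")`. A `Debugger` value is not malicious by itself; entries on the tools the article names deserve the first look.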


 

The ransomware will then try to spread itself using autorun.inf files. This method is fairly useless when it comes to newer versions of Windows that do not support an autoplay feature.

 

Autorun.inf Spreading

 

When all this is done, it will start encrypting the computer with a static key. When encrypting files it will append the .ANNABELLE extension to the encrypted file's name.

 

Encrypted files

 

It will then reboot the computer and when the user logs in, it will display the lock screen shown at the top of this article. The lock screen has a credits button that when clicked shows the below screen that states a developer named iCoreX0812 made the program and a way to contact them on Discord.

 

Credits Screen

 

As a finishing touch, the developer decided to also run a program that replaces the master boot record of the infected computer so that it shows a "props" screen when the computer restarts.

 

MBR Lock Screen

 

Overall, this ransomware was developed to be a PITA and to show off the developer's skills rather than to actually generate ransom payments.

 

The good news is that this ransomware is based off of Stupid Ransomware and is easily decryptable. As it uses a static key, Michael Gillespie was able to update his StupidDecryptor in order to decrypt this variant.

 

By replacing the MBR, running Rkill in safe mode to clean up the IFEO registry entries, using Michael's decryptor to decrypt the files, and then a few security scans to remove any leftovers, you should be able to get your computer back to normal.

 

IOCs

Hashes:


716335ba5cd1e7186c40295b199190e2b6655e48f1c1cbe12139ba67faa5e1ac

 

Ransom Note:


What Happened to my files? All your files are encrypted and secured with a strong key. There is no way to get them back without your personal key. How can I get my personal key? Well, you need to pay for it. You need to visit one of the special sites below & then you need to enter your personal ID (you find it on the top) & buy it. Actually it costs exactly 0.1 Bitcoins. How can I get access to the site? You easily need to download the Torbrowser, you can get it from this site: https://www.torproject.org What is goin to happen if I'm not going to pay? If you are not going to pay, then the countdown will easily ran out and then your system will be rboken. If you are going to restart, then the countdown will ran out a much faster. So, its not a good idea to do it. I got the key, what should I do now? Now you need to enter your personal key in the textbox below. Then you will get access to the decryption program. - The darknet sites are not existing, its just an example text. The other things are right, except the darknet thing. Its possible to get the key, but if I going to do a new trojan, or new version of this then I will add real ways to get the key :) If you wanna that I going to do a 2.0 or a new trojan, then write it below in the comments. Thanks If you wanna chat with me, contact me easily in discord: iCoreX#1337

Associated Files:


Copter.flv.exe

MBRiCoreX.exe

 

 
