Home News A New Terrifying Piece of Ransomware is here – The Annabelle Virus

A New Terrifying Piece of Ransomware is here – The Annabelle Virus


Have you ever wanted to associate a virus with a terrifying possessed doll? Well, now it seems that you can. The Annabelle virus is the product of a very talented hacker whose goals is to show off his skills, not gain complete control of your device for money, like the majority.

What does it do?

Looks like this hacker went all in when he created this virus. Discovered by security researcher Bart, this virus is able to fully shut down your computer without you doing anything to regain control. It can terminate security programs, disable Windows Defender, turn of your firewall, encrypt your files and try to spread through your USB ports. The cherry on top is that it also overwrites the master boot record of the infected computer with a very silly bootloader.

To our relief, MalwareHunterTeam managed to extract the source code of the virus so we can see how the virus starts off and how it acts.

How does it infect your computer?

The first step is that, after being installed, Annabelle will start automatically when you open Windows. It will then start off by terminating a series of programs such as Task Manager, Chrome, Msconfig, Process Hacker and so on. It will then modify Image File Execution so that you are unable to open the previously named programs along with Notepad, Internet Explorer, Opera and bdcedit.

It will then try to spread itself by using autorun.inf files. However, this method is useless on newer Microsoft versions because they do not allow files to autoplay. When it has finally managed to take back all the control you had over every program on your computer, it will move on to start encrypting the computer with a static key.  Here comes the creepy part. When encrypting your files it will change the extension to .ANNABELLE. This is truly a scene that came out of an IT enthusiast’s nightmare.

When you try to restart your computer and log in again it will display a lock screen that credits the creator of this virus, named “iCoreXo812” and a Discord name through which he can be contacted. The developer also decided to replace the master boot screen with one that shows a “prop” screen when you load it.

Is there a way to get rid of this virus?

Since the creator of this virus did not look to gain money from encrypting laptops he did not make it so hard to remove the virus. Since it uses a static key based off of Stupid Ransomware it can be easily decrypted. You should replace the MBR, run Rkill in safe mode to clean up the registry entries, use Michael’s decryptor and then use a few security scans and your computer is good as new.