Horror fans know the consequences of an encounter with the evil doll Annabelle – users should similarly beware of the same-named ransomware, which possesses a bag of evil tricks to wreak havoc on an infected computer.
Though built on Stupid Ransomware and easily decryptable, Annabelle can disable Windows Defender and turn off the firewall, encrypt files and shut down some security programs, such as Process Explorer and Chrome, according to a report from Bleeping Computer. If that's not enough, it attempts to spread via USB drives, disables some programs and, just to prove it's every bit as evil as its movie counterpart, Annabelle overwrites a computer's master boot record with a boot loader.
The report attributes the ransomware find to a researcher named Bart and credits MalwareHunterTeam with teasing out the source code to watch Annabelle automatically start when a user logs in to Windows, then shut down programs. After that, it configures Image File Execution Options registry entries so that users can't launch programs. From there, it attempts to spread through autorun.inf files, though the report notes that technique doesn't work as well on newer Windows iterations.
But if it's successful, it will reboot the infected computer and on login display a lock screen that offers contact information for the developer.
When first run, Annabelle will configure itself to start automatically when you log in to Windows. It then terminates a variety of programs such as Process Hacker, Process Explorer, Msconfig, Task Manager, Chrome, and more.
It then configures Image File Execution Options registry entries so that you cannot launch a variety of programs, including the ones listed above and others such as Notepad++, Notepad, Internet Explorer, Chrome, Opera, bcdedit, and many more.
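A defender can check for this technique by looking for `Debugger` values under the Image File Execution Options key. The following is an added example, not code from the report or from the malware: it parses a `reg export` text dump, and the sample data, the executable names in `WATCHED` and the assumption that the block is implemented through a `Debugger` value are not stated on this page.

```python
import re

# Real registry location of Image File Execution Options (IFEO).
IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Programs the article lists as blocked; the .exe names are assumed mappings.
WATCHED = {"taskmgr.exe", "msconfig.exe", "procexp.exe", "processhacker.exe",
           "notepad.exe", "notepad++.exe", "iexplore.exe", "chrome.exe",
           "opera.exe", "bcdedit.exe"}

# Constructed sample in `reg export` text format; paths are placeholders.
SAMPLE_EXPORT = rf'''Windows Registry Editor Version 5.00

[{IFEO}\chrome.exe]
"Debugger"="C:\\Users\\Public\\placeholder.exe"

[{IFEO}\Taskmgr.exe]
"Debugger"="C:\\Users\\Public\\placeholder.exe"

[{IFEO}\svchost.exe]
"MinimumStackCommitInBytes"=dword:00008000

[{IFEO}\customtool.exe]
"Debugger"="C:\\Tools\\dbg.exe"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"="(.*)"$')

def find_ifeo_debuggers(reg_text):
    """Return one finding per IFEO subkey that carries a Debugger value."""
    prefix = IFEO.lower() + "\\"
    findings, image = [], None
    for line in (raw.strip() for raw in reg_text.splitlines()):
        key = KEY_RE.match(line)
        if key:
            path = key.group(1)
            # Track only direct children of IFEO, e.g. ...\chrome.exe
            image = path[len(prefix):] if path.lower().startswith(prefix) else None
            if image and "\\" in image:
                image = None
            continue
        val = VAL_RE.match(line)
        if image and val and val.group(1).lower() == "debugger":
            findings.append({"image": image,
                             "debugger": val.group(2).replace("\\\\", "\\"),  # undo .reg escaping
                             "watched": image.lower() in WATCHED})
    return findings
```

Files written by `reg export` are UTF-16, so decode them before passing the text to `find_ifeo_debuggers`. Entries with `watched` set to true cover the tools a user would reach for during cleanup and deserve the first look.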
The ransomware will then try to spread itself using autorun.inf files. This method is fairly useless when it comes to newer versions of Windows that do not support an autoplay feature.
It will then reboot the computer and, when the user logs in, it will display the lock screen shown at the top of this article. The lock screen has a credits button that, when clicked, shows the below screen, which states that a developer named iCoreX0812 made the program and gives a way to contact them on Discord.
As a finishing touch, the developer decided to also run a program that replaces the master boot record of the infected computer so that it shows a "props" screen when the computer restarts. But Annabelle is not quite done: as a parting gift, the ransomware overwrites the master boot record.