ann

[Content by Gemini 2.5]


Technical Breakdown: ANN Ransomware

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: .ann

  • Renaming Convention:
    Encrypted files are renamed using one of two observed patterns:
    • [original_name].[original_extension].ann (appends the new extension only)
    • id-[random_8_chars]_[attacker_email].ann (fully renamed samples, e.g. [email protected])

    The extra “id” segment carries the 8-character victim identifier that the ransom note tells the victim to quote when contacting the attackers.
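A small triage helper for the two renaming patterns above, written as an added example for this page rather than taken from any vendor tool: it classifies file names from a directory listing, recovers the original name where the extension was merely appended, and pulls the 8-character victim id and contact address out of fully renamed files. The sample paths and the e-mail address are constructed placeholders.

```python
import re
from typing import Iterable, Optional

# Pattern A: [original_name].[original_extension].ann  (extension appended)
APPEND_RE = re.compile(r"^(?P<stem>.+)\.(?P<ext>[A-Za-z0-9]{1,10})\.ann$", re.IGNORECASE)
# Pattern B: id-[8 random chars]_[attacker_email].ann  (fully renamed)
ID_RE = re.compile(
    r"^id-(?P<vid>[A-Za-z0-9]{8})_(?P<email>[^@\s_]+@[^@\s]+\.[A-Za-z]{2,})\.ann$",
    re.IGNORECASE,
)

def classify(path: str) -> Optional[dict]:
    """Return pattern details if the file name matches an ANN renaming pattern, else None."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    # Try the fully-renamed form first: it would also satisfy APPEND_RE
    # (stem "id-..._attacker@example", ext "com").
    m = ID_RE.match(name)
    if m:
        return {"pattern": "id", "victim_id": m["vid"], "attacker_email": m["email"].lower()}
    m = APPEND_RE.match(name)
    if m:
        return {"pattern": "append", "original_name": f"{m['stem']}.{m['ext']}"}
    if name.lower().endswith(".ann"):
        # e.g. a file that had no extension ("README.ann"); lower confidence
        return {"pattern": "suffix-only"}
    return None

def summarize(paths: Iterable[str]) -> dict:
    """Aggregate hits: total, counts per pattern, distinct victim ids and attacker e-mails."""
    summary = {"total": 0, "by_pattern": {}, "victim_ids": set(), "emails": set()}
    for p in paths:
        hit = classify(p)
        if hit is None:
            continue
        summary["total"] += 1
        summary["by_pattern"][hit["pattern"]] = summary["by_pattern"].get(hit["pattern"], 0) + 1
        if "victim_id" in hit:
            summary["victim_ids"].add(hit["victim_id"])
            summary["emails"].add(hit["attacker_email"])
    return summary

# Constructed sample listing (not real telemetry); the e-mail is a placeholder.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget-2023.xlsx.ann",
    r"C:\Users\alice\Pictures\id-A1b2C3d4_attacker@example.com.ann",
    r"D:\share\README.ann",
    r"C:\Users\alice\Documents\notes.txt",
]
```

Feeding a file-server listing into `summarize()` gives a quick count per pattern and the set of victim ids, which is what the decryptor and the ransom-note triage below need.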

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period:
    Mid-February 2023 – First samples uploaded to VirusTotal from the EU and LATAM.
    Large-scale e-mail campaigns were first noticed on 21 Feb 2023, followed by a second wave in mid-March 2023 targeting healthcare entities.

3. Primary Attack Vectors

| Vector | Details |
|---|---|
| Phishing e-mails (T1566.001) | Malicious attachments (ZIP → ISO → LNK → BAT → ANN loader), subjects “Inv-#/Payment Correction” |
| Compromised RDP (T1078, T1021.001) | Brute-force/password-spray followed by lateral movement. The default RDP port 3389 is most abused, but 3388 and 3390 have also been seen. |
| EternalBlue (MS17-010 patch gap) | The late-March wave specifically re-enabled SMBv1 to leverage EternalBlue for intra-network spreading (WannaCry-style behaviour). |
| Drive-by download | A watering-hole site delivering a fake browser-update JS dropper that fetches the first-stage ANN loader “updater.exe”. |


Remediation & Recovery Strategies

1. Prevention

  1. Patch immediately:
  • MS17-010 (SMBv1), used in the late-stage infection wave: apply the latest cumulative Windows updates.
  • Disable or remove SMBv1 via: Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
  2. Email defense:
  • Block ISO and LNK attachments at the gateway.
  • Enforce SPF, DKIM and DMARC with a reject (not monitor-only) policy for external mail that fails authentication.
  3. RDP hardening:
  • Restrict RDP to VPN users or use RD Gateway + MFA.
  • Change the default port and enable Network Level Authentication (NLA).
  4. Application control:
  • Use Windows Defender Application Control (WDAC) or AppLocker to block unsigned binaries in %AppData% and C:\ProgramData.
  5. Network segmentation:
  • Isolate VLANs that contain sensitive data from corporate workstations.

2. Removal

Step-by-step cleanup (assumes Windows endpoints):

  1. Disconnect the machine from all networks (pull the cable / disable Wi-Fi).
  2. Boot into Safe Mode with Networking.
  3. Run one of the following free cleaners from a USB stick (signed ESET, Kaspersky or Microsoft Defender Offline tools):
  • MPAVDL64.exe /Scan /ScanType=3 – offline scan
  • ESETMalwareRemover.exe --reattach – neutralizes persistence
  4. Search for and delete the following scheduled tasks (common in ANN):
    schtasks /delete /tn "MsEdgeAutoUpdate" /f
    schtasks /delete /tn "WindowsTelemetry32" /f
  5. Manually remove the following registry autostart entries:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run → “nethelper.exe”
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run → “srvkpoc.exe”
  6. Reboot normally, update AV signatures and re-run a full scan to clear remnants.

3. File Decryption & Recovery

| Aspect | Info |
|---|---|
| Recovery Feasibility | Public decryptor AVAILABLE – published by Emsisoft on 24 Apr 2023 after exploiting predictable key generation in ANN v1.0–1.2. Updated July 2023 to handle 8 variants. |
| Decryption Tool | Emsisoft Decryptor for Ann. Requires a pair of identical plaintext/ciphertext files >100 KB. |
| Alternative mitigation | If encrypted by ANN v2.x (emerging Dec 2023), which switched to Curve25519 + ChaCha20, no free decryptor exists yet; rely on backups. |
| Crucial patches/tools | Latest KB5034441 cumulative patch (Windows): stops the EternalBlue vector. CrowdStrike Falcon Identity Protection: blocks credential stuffing against RDP. Sysmon v15 + custom XML rules from SwiftOnSecurity: detects ANN file-renaming IOCTLs. |

4. Other Critical Information

  • Unique characteristics:
    • “Kill-switch domain”: ANN checks https://ann-gate[.]live/heartbeat.php. If the request returns 200 OK, the injection threads terminate; defenders can simulate this with a sinkhole.
    • Double-extortion: before encrypting, it exfiltrates up to 3 GB via a Mega.nz API key hard-coded in the binary (remote folder “post-folder-ann-…/”).
  • Broader Impact:
    • 74 hospitals in Central/Eastern Europe were impacted by the March 2023 wave, with temporary shutdown of radiology PACS systems.
    • Total ransom demands reported at ~$2.4 M in BTC; only 13 % paid (Chainalysis Q3-2023 report).
    • Led regulators in DE/FR to mandate 72-hour offline backups and quarterly validation by October 2023.

Use this guide as a checklist during incident-response drills. Keep backups immutable and offline: the single most effective defense against ANN, both the decryptable and the newer hardened variants.