annabelle

[Content by Gemini 2.5]

──────────────────────────────────────────────
Expert Advisory – Ransomware var. “Annabelle”
Extension pattern: “.ANNABELLE”
──────────────────────────────────────────────

Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: .ANNABELLE (upper-case after the dot).
  • Renaming Convention: The original filename remains fully intact; the .ANNABELLE suffix is simply appended, e.g.
    document.docx → document.docx.ANNABELLE
    Emphasis: directory names themselves are not touched, only file names.
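As an added example (not part of the original advisory), the following Python triage helper applies the renaming pattern above to a constructed directory listing: it recovers each original file name from the exact upper-case suffix, ignores directories and near-misses, inventories the encrypted files by original extension, and builds a post-decryption rename plan that flags targets which would overwrite a file that still exists.

```python
import posixpath
from collections import Counter

SUFFIX = ".ANNABELLE"

# Constructed sample listing (not real data). Directory names keep their
# original form; only file names carry the appended suffix.
SAMPLE_PATHS = [
    "C:/Users/alice/Documents/report.docx.ANNABELLE",
    "C:/Users/alice/Documents/budget.xlsx.ANNABELLE",
    "C:/Users/alice/Documents/notes.ANNABELLE",        # original had no extension
    "C:/Users/alice/Pictures/holiday.jpg",             # untouched original still present
    "C:/Users/alice/Pictures/holiday.jpg.ANNABELLE",   # encrypted copy beside it
    "C:/Users/alice/Downloads/setup.exe.annabelle",    # lower-case: not the documented pattern
    "C:/Users/alice/Documents.ANNABELLE/",             # a directory: never renamed by the malware
]

def original_name(path):
    """Return the pre-infection path when `path` matches the documented
    pattern (exact upper-case .ANNABELLE appended to the full original file
    name); return None for directories, untouched files and near-misses."""
    path = path.replace("\\", "/")
    directory, name = posixpath.split(path)
    if not name or not name.endswith(SUFFIX):
        return None
    stripped = name[: -len(SUFFIX)]
    if not stripped:            # a file literally named ".ANNABELLE"
        return None
    return posixpath.join(directory, stripped)

def triage(paths):
    """Inventory encrypted files by original extension and build a rename
    plan for after decryption, flagging targets that would overwrite a file
    that still exists (e.g. an untouched original next to its encrypted copy)."""
    present = {p.replace("\\", "/") for p in paths}
    inventory = Counter()
    plan = {}
    for p in paths:
        orig = original_name(p)
        if orig is None:
            continue
        ext = posixpath.splitext(orig)[1].lower() or "<none>"
        inventory[ext] += 1
        plan[p] = {"restore_to": orig, "collision": orig in present}
    return inventory, plan
```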

2. Detection & Outbreak Timeline

  • First Public Sightings: Compromised hosts were reported by independent analysts on 26 – 27 February 2018.
  • Peak Activity Window: The bulk of infections clustered in February and March 2018, after which volume fell; the activity is thought to have been a single “proof-of-concept” campaign rather than a long-standing family.

3. Primary Attack Vectors

  • Propagation Mechanisms:
  1. Manual/local – Annabelle is not network-spreading ransomware. It is a custom trojanized binary that the attacker places and executes interactively (via physical access, stolen credentials, or RDP compromise).
  2. Supply-chain poisoning – Early samples were disguised as pirated cracks/keygens (“KMS-Auto.exe”, “Crack_Adobe.exe”, etc.).
  3. USB propagation feature – Drops a hidden autorun.inf plus a copy of itself onto removable drives when the “/usbs” command-line flag is supplied.
  4. Disables security software & back-ups – Uses a kernel driver (MBRFilter.bsk) lifted from Trend Micro’s open-source anti-ransomware demo to overwrite the Master Boot Record (MBR), then forces a reboot. By the time the fake “chkdsk” screen gives way to the distorted Windows logo, the files on the NTFS volumes have already been encrypted.

Remediation & Recovery Strategies

1. Prevention

  • Segment credentials – Prevent lateral remote-script attacks; enforce least privilege for RDP.
  • Disable RDP & SMBv1 if not needed; if required, restrict to VPN with MFA.
  • Patch MS17-010 (EternalBlue) and MS16-032 (local privilege escalation); although these are not the main ingress vector, they are often exploited post-intrusion.
  • Disable USB Autorun via GPO: Computer Config → Admin Templates → Windows Components → AutoPlay Policies.
  • Application allow-listing – enforce Windows Defender Application Control / AppLocker to block unknown exes with suspicious entropy.
  • Use Shadow-Copy-aware immutable backups (Veeam hardened repo, Acronis Cyber Protect, Wasabi S3 Object Lock). Annabelle systematically deletes VSS via vssadmin delete shadows /all.
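The two host-level indicators this advisory names (the “/usbs” propagation flag in section 3 and the vssadmin shadow deletion in the bullet above) can be turned into process-creation detection logic. This is an added Python example, not code from the original advisory; it runs over constructed Sysmon-style events and generalises the shadow-deletion rule to any vssadmin invocation that deletes shadows, including one wrapped in cmd /c.

```python
import re
from collections import namedtuple

Event = namedtuple("Event", "ts host image cmdline")

# Constructed process-creation events (Sysmon Event ID 1-style fields), not
# real telemetry. Events 2, 4 and 6 mimic behaviour documented above.
SAMPLE_EVENTS = [
    Event("2018-02-26T09:12:01", "WS01", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    Event("2018-02-26T09:12:07", "WS01", r"C:\Windows\System32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    Event("2018-02-26T09:13:00", "WS02", r"C:\Windows\System32\vssadmin.exe", "vssadmin list shadows"),
    Event("2018-02-26T09:14:30", "WS01", r"C:\Users\bob\Downloads\KMS-Auto.exe", '"C:\\Users\\bob\\Downloads\\KMS-Auto.exe" /usbs'),
    Event("2018-02-26T09:15:00", "WS03", r"C:\Windows\System32\cmd.exe", 'cmd.exe /c echo "delete shadows" > note.txt'),
    Event("2018-02-26T09:16:12", "WS03", r"C:\Windows\System32\cmd.exe", "cmd.exe /c vssadmin delete shadows /all"),
]

def tokens(cmdline):
    """Split a Windows command line, keeping double-quoted arguments whole."""
    return [t.strip('"').lower() for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def basename(token):
    return token.replace("\\", "/").rsplit("/", 1)[-1]

def detect(event):
    """Return the names of the rules that match one process-creation event."""
    hits = []
    toks = tokens(event.cmdline)
    # Rule 1: vssadmin anywhere in the command line followed by delete + shadows
    # (catches direct execution and cmd /c wrappers; "list shadows" is benign).
    for i, t in enumerate(toks):
        if basename(t) in ("vssadmin", "vssadmin.exe"):
            rest = toks[i + 1:]
            if "delete" in rest and "shadows" in rest:
                hits.append("vss_shadow_deletion")
            break
    # Rule 2: the documented /usbs flag passed as a standalone argument.
    if "/usbs" in toks:
        hits.append("annabelle_usb_flag")
    return hits

def scan(events):
    """Map (host, timestamp) to rule hits, omitting clean events."""
    alerts = {}
    for e in events:
        hits = detect(e)
        if hits:
            alerts[(e.host, e.ts)] = hits
    return alerts
```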

2. Removal (Step-by-Step)

  1. Power off the infected PC immediately if you observe the reboot-to-fake-chkdsk loop. Attach the disk as a secondary drive on a clean system.
  2. Boot via Windows PE / Linux live distro (e.g., Kaspersky Rescue Disk).
  3. Use diskpart (list volume) to check partitions; confirm the MBR is corrupted (signature overwritten with 0x0513).
  4. Repair the MBR with bootrec /fixboot and bootrec /rebuildbcd (offline), or via EaseUS Partition Master.
  5. Scan the secondary data partition with ESET SysRescue Live (signature 19520+); it detects and fully deletes the Annabelle dropper, identified as Win64/Annabelle.A.
  6. Once bootable, disconnect from the network and run a second-pass scan using Malwarebytes 4.x or Microsoft Defender Offline with update ≥ 1.273.850.0.

3. File Decryption & Recovery

  • Recovery Feasibility: YES, files can be decrypted offline because Annabelle uses a hard-coded AES-256 key. Two reputable free decryptors exist:
    – Trend Micro Ransomware File Decryptor Tool v2.0.0.3 (flag “/ext:ANNABELLE”)
    – Emsisoft Decryptor for ANNABELLE (signed as 3.0.1.0)
  • Limitations: The tools only decrypt after the original trojan has been completely removed; otherwise re-encryption occurs.
  • Shadow Copy Examination: If the malware executed quickly, remnants of VSS may persist – run vssadmin list shadows before any manual deletion. Use ShadowExplorer to restore individual Office files.

4. Other Critical Information

  • Unique Characteristics:
    – The MBR overwrite is copied from a proof-of-concept; it is not a sign of crypto-malware sophistication and is intended more for theatre.
    – Includes a Bitcoin address grabber and a fake ransom note. Payment does NOT lead to any real key transfer; the AES key is already inside the sample and is accessed offline by the decryptor.
    – Targeted single machines rather than enterprises; no observed C2 beaconing – the payload is entirely self-contained.

  • Broader Impact:
    • Served as a reminder that low-tech proofs-of-concept can still be impactful. Annabelle helped shape Windows 10 1803’s inclusion of “enable Controlled Folder Access” by default after the MBRFilter bypass.
    • Gave blue teams a forensic sandbox in which to analyze trivial key recovery and practice incident-response playbooks.

Key takeaway: Remove the payload, retain a copy of the affected data, use the Emsisoft or Trend Micro decryptor, and re-image the machine using Sysprep to ensure dropped drivers (MBRFilter.bsk) are purged.
Paying the ransom is not necessary.