All You Need to Know about the Annabelle Ransomware Virus

Ransomware is a major security risk for individuals, businesses, organizations, and governments today.

As more and more sensitive data is stored online, cyber-criminals continue to find ways to profit from its destruction or leaking. The Annabelle virus is a recent example of how creative and damaging ransomware can be, though it ultimately poses less risk to victims than other, more severe viruses.

What is the Annabelle Ransomware Virus?

The Annabelle virus incorporates the titular character from the recent horror movies, based around a possessed doll first introduced in The Conjuring. The virus is designed to create maximum chaos in computers, by:

• Disabling firewalls
• Turning off Windows Defender
• Encrypting files
• Deactivating security programs
• Infecting USB drives

All of this is bad enough and can leave your system a sitting duck. However, the Annabelle ransomware virus also replaces the target computer’s master boot record with a strange loader demanding payment in exchange for the infection’s removal.

Your computer can become infected by the Annabelle virus through malware ads, tainted downloads, fraudulent updates, and emails. It basically employs the same tactics other viruses have for years.

How Does the Annabelle Ransomware Virus Work?

Once the Annabelle virus has infiltrated your Windows computer, it will start to configure when you next boot it up. The infection shuts down Task Manager, Process Hacker, Chrome, Process Explorer, Notepad, Internet Explorer, Msconfig, and other programs you might depend on every day.

Your security defenses will be deactivated too, leaving you without Windows Defender and other systems you need.

The virus creates chaos in your system, spreading through autorun.inf files. However, this is ineffective against more recent versions of Windows, as they lack the autoplay feature.

The Annabelle ransomware virus will then begin to launch its encryption phase with a static key. It encrypts all of your media, documents, and databases, adding a new extension – ‘.annabelle’.

Once all of the pieces are in place, the ransomware virus reboots your computer. You will find it now locked, with a picture of the grotesque Annabelle accompanied by a ransom note.

It reads:

“How can I get my personal key? Well, you need to pay for it. You need to visit one of the special sites below & and then you need to enter your personal ID (you find it on the top) & buy it. Actually it costs exactly 0.1 Bitcoins”

What the culprits lack in good writing, they make up for in technique. The lock screen credits a creator referred to as iCoreX0812, and provides a means to reach them via Discord (a freeware VoIP app). 0.1 Bitcoin is worth just under $1000 at the time of writing, and paying the ransom would supposedly eliminate the virus from your computer.

Still, as it turns out, victims have no need to actually pay said price to decrypt their system.

Can You Remove the Annabelle Ransomware Virus?

The creator behind the Annabelle virus used a hard-coded key to develop it. As a result, it employs an identical key to infect every single computer, which enabled the resourceful Michael Gillespie to find a solution.

Gillespie is a malware security researcher and creator of ID Ransomware. He devised a special decryption tool able to restore files and remove the Annabelle virus with minimal hassle. He released this free of charge, demonstrating an altogether more positive, generous attitude than the person (or persons) behind the ransomware.

The Annabelle virus was made using Stupid Ransomware, and Gillespie updated his Stupid Decryptor tool as a solution.

Given the use of a static key, it’s believed that the creator of the ransomware was more interested in showing off their skills and causing chaos on victims’ systems rather than actually gaining any financial reward.

It’s unbelievable that someone would inflict such frustration and potential damage upon strangers just for their own amusement, but it seems to be the case. The effects of having an encrypted device could be incredibly costly and distressing, for individuals and businesses alike.

Cyber-criminals can utilize ransomware to disrupt governments or businesses, potentially costing them significant amounts of money out of maliciousness. Businesses lose more than $2K for each case of ransomware (on average), though the price of liberation can be much higher.

A ransomware attack cost the University of Calgary 20,000 CAD in May 2016, and ransomware was found to cost companies an overall $75 billion each year.

However, even if there was no solution for the Annabelle ransomware virus, you’re always recommended to refuse payment. Though it’s understandable that you would want to take the quickest option and take the culprit at their word, the people behind the attacks typically leave the encryption in place once they have their money, leaving victims to suffer the effects and seek their own fix.

The Annabelle virus differs from other ransomwares like Russenger and Cypher, as it used a static key. Others tend to employ algorithms creating unique decryption keys, essentially meaning that only the original developers can fix the issue.

For computers infected with a virus that cannot be decrypted, the only way to correct the problem is to restore a backup. This may still result in loss of data, which can be hugely problematic for businesses and organizations especially, but lets you start afresh.

Creating regular backups to preserve your data can help you minimize damage caused by potential ransomware, but you need to keep these on remote servers or external storage (which remain unplugged from the system itself, to avoid infection).

You can reduce your risk of falling prey to ransomware by being more careful online. Suspicious emails from questionable sources should be deleted straight away and never interacted with. Only download programs and applications from official sites, and make sure you keep your security updated for the most cutting-edge precautions.

The Annabelle ransomware virus is, thankfully, a lesser danger – but it serves as a powerful reminder to up your security game.

Dangers of Cyberattacks as a Result of Source Code Leak

This past week, someone posted the source code of Apple iPhone operating system iOS on GitHub – a repository of open source code.

There was confusion at first as to whether the code was real or not. Apple indirectly confirmed that the code was real by filing a DMCA legal notice demanding GitHub to remove the source code. DMCA, which stands for Digital Millennium Copyright Act, is a takedown request that empowers owners of copyrighted material who believe their rights under U.S. copyright law have been infringed.

The iPhone source code called “iBoot” published on GitHub, Apple said "is responsible for ensuring trusted boot operation of Apple's iOS software." The company added, “The ‘iBoot’ source code is proprietary and it includes Apple's copyright notice. It is not open-source.”

Jonathan Levin, the author of a series of books on iOS and Mac OSX internals, told Lorenzo Franceschi-Bicchierai of Motherboard that the iBoot source code publication is the “biggest leak” in Apple's history.

A source code is a collection of computer instructions that’s written by a programmer when developing a software program. A software can either be open source or non-open source.

With an open source code, anyone can inspect or modify the code. With a non-open source code, the source code is hidden from the public and as such, only the software maker can make changes to the code.

Non-Open Source Code Leak

Apple and Microsoft are examples of companies that keep their products’ source code hidden from the public.

While most companies don’t allow outsiders to view and make modifications on their source code, they allow security researchers, also known as ethical hackers, to review their software, find security vulnerabilities and report this directly to the company to receive monetary reward, also called bounty.

Apple, through its bounty program, pays a maximum of $200,000 to someone who directly reports bugs or security vulnerabilities to the company.

Despite the takedown of the iPhone source code on GitHub, the source code has already made its way to dark web sites.

Access to non-open source code like the iBoot gives hackers a better chance of finding security vulnerabilities that could lead to cyberattacks.

EternalBlue Source Code Leak

On April 15, 2017, a hacker group calling itself the “Shadow Brokers” leaked the source of code of a number of hacking tools believed to be developed by the U.S. National Security Agency (NSA).

The source code of EternalBlue is one of those leaked by the hacker group. EternalBlue could allow remote code execution if a cyberattacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.

WannaCry

The EternalBlue source code leak spawned devastating cyberattacks, the most notable of which was the WannaCry cyberattack. In May 2016, hundreds of thousands of computers around the world were infected with WannaCry, a malware that encrypts computer files, prevents users from accessing files and asks for ransom payment in the form of Bitcoin for the release of the decryption key to unlock the affected computer.

Adylkuzz

Adylkuzz is another malware that uses the EternalBlue source code. The purpose of Adylkuzz malware is to mine the cryptocurrency Monero. Similar to cryptocurrency Bitcoin, a Monero coin needs to be mined – a process by which a transaction is verified, added to the public ledger, known as the blockchain, and a means before a coin is released.

While cryptocurrency mining of Bitcoin can only be done on powerful computers, mining Monero can be done on regular computers and even on smartphones.

The Adylkuzz malware installs the Monero cryptocurrency miner called “cpuminer” on infected computers. Once the cpuminer is installed in a compromised computer, Monero cryptocurrency mining is conducted without the knowledge of the user. Cryptocurrency mining operation, however, will exhaust your computer CPU, resulting in slow performance.

Open Source Code Leak

With an open source code, anyone can inspect or modify the code. An open source is also known as a collaborative code. There are benefits in allowing other programmers to inspect and modify a source code. It’s a known fact that there’s not one software with a perfect source code. Allowing programmers to inspect and modify a source code can enhance and improve the code in the long run.

Linux is an example of an open source software. It’s an operating system similar to Windows and iOS. The difference between Linux and other operating systems is that it’s open source. The Linux source code is free and available to the public to view and, for users with the necessary skills, to contribute to the enhancement of the code.

While the publication of an open source code, on one hand, can be beneficial to society similar to the positive contribution of Linux, publication of an open source code with malicious intent can be detrimental to society.

Mirai Source Code Leak

The publication of the Mirai source code is an example of how a publication of a malicious open source code can be detrimental to society.

On September 30, 2016, a HackForum user by the name of “Anna-senpai” posted the source code of the malicious software called “Mirai”. The Mirai was responsible for the distributed denial of service (DDoS) attack on the website of cybersecurity journalist Brian Krebs on September 20, 2016.

On December 13, 2017, Paras Jha pleaded guilty in creating the Mirai and for conducting a series of DDoS attacks on the networks of Rutgers University between November 2014 to September 2016, which resulted in shutting down Rutgers University’s central authentication server – a gateway portal through which students, staff and faculty deliver assignments and assessments.

According to the U.S. Department of Justice, hundreds of thousands of IoT devices such as wireless cameras and routers were infected with the Mirai malware and were used "to conduct a number of powerful distributed denial-of-service, or ‘DDOS’ attacks, which occur when multiple computers, acting in unison, flood the Internet connection of a targeted computer or computers".

According to Imperva Incapsula, Mirai-infected IoT devices were spotted in 164 countries, appearing even in remote locations like Montenegro, Tajikistan and Somalia.

The publication of the Mirai spawned other DDoS attacks, the most notable of which was the attack on Dyn, a domain name service (DNS) provider which many websites rely upon. The DDoS attacks against Dyn resulted in temporarily shutting down popular websites like Amazon, Twitter, Netflix and even GitHub.

Dyn, in a statement, said, “We are able to confirm that a significant volume of attack traffic originated from Mirai-based botnets.” The company said that 100,000 IoT devices were infected with the Mirai malware to attack its DNS infrastructure.

In December 2017, the source code of the malware called “Satori”, a variant or new version of Mirai, was leaked on Pastebin. This Mirai variant particularly infects Huawei home router model HG532.

While the original Mirai malware infects IoT devices by using default usernames and passwords, Satori doesn’t need usernames and passwords. Security researchers at Qihoo 360 Netlab said, “The bot [Satori] itself now does NOT rely on loader/scanner mechanism to perform remote planting, instead, bot itself performs the scan activity. This worm-like behavior is quite significant.”

Security researchers at NewSky Security said that with the release of the full working code of the Mirai variant Satori, “we expect its usage in more cases by script kiddies and copy-paste botnet masters.”

Cybersecurity Best Practices

Here are some security best practices to protect your organization’s computers from the dangers of cyberattacks as a result of source code leak:

1. Use Supported Software

Supported software refers to a software whereby security updates are regularly issued by the software vendor.

Many fell victim to WannaCry for using Windows operating systems that Microsoft – the software vendor – no longer supports or no longer issues security updates.

2. Patch

A patch, also known as security update, is a piece of software code added to an existing source code that fixes security vulnerabilities.

WannaCry could have been prevented by simple patching or installing of the security update issued by Microsoft on March 14, 2017 – a month before the hacker group leaked the EternalBlue source code. Microsoft’s March 14, 2017 security update patches or fixes the security vulnerability exploited by EternalBlue. This security update was issued to supported Windows operating systems.

3. Use Latest Software Version

Many leaked source code are typically source code of older software version. Software vendors normally fix security vulnerabilities found in older software versions with the latest software version.

Interesting to note that Windows 10 proved to be resilient against Petya ransomware attack unleashed more than a month after the WannaCry attack. Similar to WannaCry, Petya exploited security vulnerabilities exploited by EternalBlue and EternalRomance – two hacking tools believed to be developed by the NSA and leaked by the hacker group Shadow Brokers.

4. Practice Network Segmentation

There are instances that security updates can’t be installed right away. One way to prevent or minimize the effects of a cyberattack is through network segmentation – a process of dividing computer network into subnetworks. With network segmentation, cyberattack on one subnetwork won’t affect the other subnetworks.

5. Have the Right DDoS Protection

Cybercriminals today don’t necessarily create their own attack tools. Some simply copy leaked source code. This is the case of DDoS-for-hire groups, a bunch of cybercriminals that offer DDoS service for a fee. There are available tools that effectively counter these DDoS attacks. Connect with us today and protect your business.