Anabelle Ransomware

A new ransomware family named Anabelle was recently discovered. Its main purpose is to inflict damage on the infected machine rather than to make a profit from the ransom itself.

Anabelle overwrites the Master Boot Record (MBR) of the infected machine with its own bootloader, so its code runs as the machine boots. It then deploys and establishes persistence on the machine by:

  1. Preventing the user from running certain programs.
  2. Terminating important security programs.
  3. Attempting to spread itself through USB drives.
  4. Disabling Windows Defender.
  5. Turning off the firewall.
  6. Encrypting data.

MalwareHunterTeam has extracted the source code of the ransomware, which gives important insight into how it deploys itself on the system.

When the user logs in, the ransomware executes automatically. It terminates programs such as Process Hacker, Process Explorer, Msconfig and others so that the user cannot kill its process. It spreads through Autorun.inf files on removable drives; this is ineffective on newer versions of Windows, which no longer execute Autorun.inf from USB drives.
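The host-side checks a responder would run for the behaviours described above and in the list earlier on this page (Defender and firewall disabled, logon persistence, blocked programs, Autorun.inf on removable drives, a replaced MBR) are collected in the following PowerShell triage script. It is an added example written for this page, not Anabelle's code or part of MalwareHunterTeam's analysis; the registry locations (Run/RunOnce, Winlogon, Explorer DisallowRun, Image File Execution Options), the Autorun.inf launch keywords and the stock-Windows-MBR string check are standard Windows mechanisms assumed to be where such changes would show up, not details taken from the Anabelle sample. Run it from an elevated prompt.

```powershell
# Added triage example for this page; not Anabelle's code. Run from an elevated
# PowerShell prompt on a suspect host. The locations checked (Run keys, Winlogon,
# DisallowRun, IFEO, autorun.inf, MBR) are standard Windows mechanisms assumed
# to be where the behaviours described above would show up.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Windows Defender state
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    if (-not $mp.AntivirusEnabled)          { $findings.Add('Defender antivirus engine is disabled') }
    if (-not $mp.RealTimeProtectionEnabled) { $findings.Add('Defender real-time protection is off') }
    if ((Get-MpPreference -ErrorAction Stop).DisableRealtimeMonitoring) {
        $findings.Add('Defender preference DisableRealtimeMonitoring is set')
    }
} catch { $findings.Add("Could not query Defender: $($_.Exception.Message)") }

# 2. Firewall profiles
Get-NetFirewallProfile | Where-Object { -not $_.Enabled } | ForEach-Object {
    $findings.Add("Firewall profile '$($_.Name)' is disabled")
}

# 3. Logon persistence: Run/RunOnce keys and Winlogon Shell/Userinit
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    (Get-ItemProperty $key).PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS' } |    # drop PSPath/PSParentPath etc.
        ForEach-Object { $findings.Add("Logon entry $key\$($_.Name) = $($_.Value)") }
}
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
if ($wl.Shell -ne 'explorer.exe') { $findings.Add("Winlogon Shell replaced: $($wl.Shell)") }
# Flags anything other than the default "C:\Windows\system32\userinit.exe,"
if ($wl.Userinit -notmatch '^C:\\Windows\\system32\\userinit\.exe,?\s*$') {
    $findings.Add("Winlogon Userinit modified: $($wl.Userinit)")
}

# 4. Programs the user is prevented from running: Explorer's DisallowRun policy
#    and Image File Execution Options "Debugger" hijacks
$disallow = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun'
if (Test-Path $disallow) {
    (Get-ItemProperty $disallow).PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS' } |
        ForEach-Object { $findings.Add("DisallowRun blocks: $($_.Value)") }
}
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty $_.PSPath).Debugger
    if ($dbg) { $findings.Add("IFEO Debugger set for $($_.PSChildName): $dbg") }
}

# 5. Autorun.inf on removable drives (Win32_LogicalDisk DriveType 2 = removable)
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
    $inf = Join-Path $_.DeviceID 'autorun.inf'
    if (Test-Path $inf) {
        # Lines that launch something: open=, shellexecute=, shell\<verb>\command=
        $launch = Get-Content $inf |
            Where-Object { $_ -match '^\s*(open|shellexecute|shell\\\w+\\command)\s*=' }
        $findings.Add("autorun.inf on $($_.DeviceID): $($launch -join ' | ')")
    }
}

# 6. MBR heuristic: read sector 0 of the first disk and look for the strings the
#    stock Windows MBR carries. Meaningful only on BIOS/MBR-booted systems.
try {
    $fs  = [System.IO.File]::Open('\\.\PhysicalDrive0', 'Open', 'Read', 'ReadWrite')
    $mbr = New-Object byte[] 512
    [void]$fs.Read($mbr, 0, 512)
    $fs.Close()
    if ($mbr[510] -ne 0x55 -or $mbr[511] -ne 0xAA) { $findings.Add('MBR boot signature 55AA missing') }
    $code = [System.Text.Encoding]::ASCII.GetString($mbr, 0, 440)   # bootstrap code area
    if ($code -notmatch 'Invalid partition table') {
        $findings.Add('MBR bootstrap lacks the stock Windows strings; dump and inspect it')
    }
} catch { $findings.Add("Could not read the MBR (not elevated?): $($_.Exception.Message)") }

if ($findings.Count -eq 0) { 'No indicators found' } else { $findings }
```

Two caveats when reading the output: an autorun.inf hit is evidence of attempted spread even on a Windows version that will never execute it, so it is still worth recording; and on a UEFI/GPT system the MBR check will inspect the protective MBR, so treat a hit there as a prompt to dump sector 0 and look at it, not as a verdict.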

Anabelle is based on Stupid Ransomware and is easily decryptable.