Annabelle Ransomware

What is Annabelle Ransomware?

Annabelle Ransomware is a new ransomware-type infection recently discovered by specialists working at It uses a picture of Annabelle, the character from the horror film, to scare its victims even more, so it has been named Annabelle Ransomware. Unfortunately, research has shown that this infection is sophisticated malware, meaning that it will bring you many problems if it ever successfully infiltrates your computer. Unlike simpler ransomware infections, it not only locks files it finds stored on victims’ computers, but also modifies the MBR (Master Boot Record) – this happens if the user restarts the computer twice. In addition, it modifies the system registry. As a consequence, users see a picture with text each time they turn on their computers and thus cannot use them normally. Have you encountered Annabelle Ransomware? If the answer to this question is “yes,” you must erase it from your computer right away. It will try to convince you not to remove it and to make a payment instead by saying that your system will be broken if you do otherwise, but this is not true. Most likely, it has already modified the MBR on your system, and we are sure it will not fix it even if you transfer the required amount of money to the cyber criminals behind it, so you will not lose anything by getting rid of it mercilessly. The Annabelle Ransomware removal will not be a piece of cake because it blocks Task Manager and Explorer, adds its entry to the system registry, and applies changes to the MBR. Luckily, this does not mean that users cannot erase this threat from their computers. Continue reading to find out more about the removal of this nasty ransomware infection.

What does Annabelle Ransomware do?

Even though Annabelle Ransomware is more sophisticated than a bunch of other ransomware-type infections, it also locks files mercilessly once it infiltrates computers. As has been observed, it locks almost all files it finds on victims’ systems, including pictures, documents, and various executable (.exe) files. It only leaves essential Windows OS components intact. After encrypting files, it restarts the affected computer and then displays a window containing text for users. This window contains the picture of the Annabelle character. If users read the message left for them, they find out what has happened to their files: “All your files are encrypted and secured with a strong key.” Also, they are told that they need the personal key to unlock them. It costs 0.1 Bitcoin. More information about the payment is provided on the .onion website whose link is indicated in the opened window – it can be opened with the TOR browser. We understand that the whole situation is quite frightening, and you want to solve this problem as soon as possible, but we cannot let you send money to cyber criminals. Keep in mind that there are no guarantees that your files will be unlocked, and, on top of that, the ransomware infection will not remove itself from your system even if you send money to crooks. No matter what your final decision is, make sure you do not keep Annabelle Ransomware active.

Where does Annabelle Ransomware come from?

It is hard to say how Annabelle Ransomware has entered the system in your case, but we are sure that you have not installed this threat consciously. According to our malware researchers, this malicious application should not differ much from other ransomware-type infections. That is, it should also be spread via spam emails, they say. Users allow malware to enter their PCs by clicking on malicious links these emails contain or opening malicious attachments they hold. Also, researchers say that users might download malware from the web themselves too. Malicious applications are often disguised as beneficial software, so we cannot blame those users.

How to delete Annabelle Ransomware

If you have restarted your computer twice and Annabelle Ransomware has modified the MBR, you will, first of all, need to fix it. To do this, you need to have the Windows OS recovery CD/DVD. Instructions provided below will help you to do that. Once the MBR is fixed, remove the entry of the ransomware infection from the Run registry key. In addition, you need to erase the malicious file opened recently as well. If you do not have time for this, you can install an antimalware scanner after fixing the MBR and use it to clean your system instead.

Annabelle Ransomware removal guide

Fix the Master Boot Record

Windows XP

  1. Insert the Windows XP CD.
  2. When Press any key to boot from CD… is displayed, press any key.
  3. At the Welcome to Setup screen, press R.
  4. When you see the question Which Windows installation would you like to log into, type 1 and press Enter.
  5. At “Type the Administrator password”, enter the password and then press Enter.
  6. Type fixmbr.
  7. If you are asked Are you sure you want to write a new MBR?, press Y and tap Enter.
  8. Tap Enter.
  9. Wait till the Master Boot Record is repaired.
  10. Remove the CD.
  11. Type exit and press Enter.

Windows Vista

  1. Boot from your Windows Vista CD/DVD.
  2. Choose your language and keyboard layout.
  3. Click Repair your computer at the Welcome screen.
  4. Select the operating system and click Next.
  5. At the System Recovery Options window, click Command Prompt.
  6. Type these commands: bootrec /FixMbr, bootrec /FixBoot, and bootrec /RebuildBcd.
  7. Press Enter after each command entered.
  8. Wait for the operation to finish and remove the CD/DVD inserted.
  9. Type exit and press Enter.

Windows 7

  1. Boot from the Windows 7 DVD.
  2. Press any key when you see Press any key to boot from CD or DVD.
  3. Select your language and keyboard layout.
  4. Click Next.
  5. Select the operating system and click Next.
  6. At System Recovery Options, click Command Prompt.
  7. Type bootrec /rebuildbcd and press Enter.
  8. Type bootrec /fixmbr and press Enter.
  9. Type bootrec /fixboot and press Enter.
  10. Remove the DVD once the MBR is fixed and restart your computer.

Windows 8/8.1/10

  1. Boot from the Windows 8/8.1/10 installation DVD or USB flash drive.
  2. Click Repair your computer at the Welcome screen.
  3. Select Troubleshoot.
  4. Choose Command Prompt.
  5. Type the following commands and press Enter after each of them: bootrec /FixMbr, bootrec /FixBoot, bootrec /ScanOs, and bootrec /RebuildBcd.
  6. Remove the DVD/USB flash drive.
  7. Type exit and press Enter.
  8. Restart your computer.

Remove the ransomware infection

  1. Press Win+R simultaneously.
  2. Type regedit.exe in the box and press Enter.
  3. Move to HKLM\Software\Microsoft\Windows\Currentversion\Run.
  4. Locate the entry of Annabelle Ransomware and delete it (it has a random name).
  5. Close Registry Editor.
  6. Delete the malicious file you have launched recently.
  7. Scan your system with an antimalware scanner.
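
An added example, not part of the original guide: a read-only PowerShell listing (assumes PowerShell 3.0 or later) of the values under the Run key from step 3, to help spot the randomly named entry mentioned in step 4. The function name Get-RunEntryTarget and the review heuristics (missing target, signature that is not valid, user-writable path) are assumptions for illustration, not published indicators for Annabelle Ransomware.

```powershell
# Added example: triage values under the Run key named in step 3.
# The heuristics below are illustrative assumptions, not indicators
# published for this threat. Nothing is modified or deleted.
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'

function Get-RunEntryTarget {
    param([string]$Command)
    # Expand %SystemRoot%-style variables, then extract the executable path:
    # the quoted first token, or everything up to the first ".exe".
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    if ($expanded -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($expanded -match '^\s*(.+?\.exe)\b') { return $Matches[1] }
    return ($expanded.Trim() -split '\s+')[0]
}

$key = Get-Item -LiteralPath $runKey
$report = foreach ($name in $key.GetValueNames()) {
    $command = [string]$key.GetValue($name)
    $target  = Get-RunEntryTarget -Command $command
    # Guard against empty commands before touching the file system.
    $exists  = [bool]$target -and (Test-Path -LiteralPath $target -PathType Leaf)
    $sigStatus = if ($exists) {
        (Get-AuthenticodeSignature -LiteralPath $target).Status
    } else { 'FileMissing' }

    $reasons = @()
    if (-not $exists) { $reasons += 'target missing' }
    elseif ($sigStatus -ne 'Valid') { $reasons += "signature: $sigStatus" }
    if ($target -match '\\(Users|ProgramData|Temp)\\') {
        $reasons += 'user-writable path'
    }

    [pscustomobject]@{
        Name      = $name
        Target    = $target
        Signature = $sigStatus
        Review    = ($reasons -join '; ')
    }
}

# Entries with a non-empty Review column are listed first.
$report | Sort-Object { $_.Review -eq '' } | Format-Table -AutoSize -Wrap
```

Entries with an empty Review column are not thereby proven clean; confirm a flagged value before deleting it in Registry Editor as described in step 4.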
