Annabelle ransomware - How to remove

Annabelle ransomware virus is a devastating crypto-malware, created for the sole purpose of messing up victims' computers. The character of Annabelle is a well-known symbol of a famous horror movie, and this suggests that victims of this virus are going to suffer a horrific experience. Even though crooks usually spread ransomware infections for the purpose of getting money from victims, the creators of Annabelle crypto-virus are more interested in other things. Their infection does severe damage to the computer: it disables security software and shuts down Windows Defender and the Firewall. In addition to this, it will also encrypt your files like any other ransomware.

Annabelle crypto-virus does a lot of damage to your OS, but is decryptable

Victims of Annabelle virus will also be unable to launch a variety of programs. As soon as the malware gets into a computer, it will be launched every time you start your OS. The malware will prevent users from opening their browsers, Task Manager and other useful windows. This basically means that an infected operating system becomes completely useless. Even though we mentioned that hackers might not be very interested in profits, they do require a fee for the decryption key. It costs 0.1 BTC, which is not a very steep price. Nonetheless, there is no point in paying it (Ransomware: Is It Ever OK to Pay?).

Annabelle virus will also encrypt digital data with a static key. After files are damaged, they will feature the .ANNABELLE extension at the end. After encoding is completed, the virus will forcefully reboot your computer. When the system launches, the computer will be locked behind a lock screen featuring none other than the Annabelle doll itself. The lock screen will also suggest the author of this “masterpiece”: iCoreXo812. As an additional feature, the infection will also replace the master boot record of the infected device.

While all of these features of Annabelle virus sound intimidating and sophisticated, it is not a very dangerous virus. Despite including all kinds of additional elements, hackers based it on the Stupid ransomware virus. Therefore, victims can simply download the StupidDecryptor and restore the files that have been damaged. We have to admit that a lot of effort and skill had to go into the making of this ransomware, but crooks did not manage to create a sophisticated infection like Locky or Cerber.

More about the decryption of files, ruined by Annabelle crypto-malware

In the ransom note, hackers ask for 0.1 BTC. According to the current exchange rates, this equals approximately one thousand dollars. Thankfully, there is no reason for victims to waste this sum of money because they can just download StupidDecryptor and recover their data. This saves people’s resources and also makes it easy for security specialists to help users.

In general, you should remember that not all ransomware victims are so lucky. Sometimes, detected viruses are so sophisticated that victims have no way of recovering their data for free. Therefore, we are hoping that you will back up your data.
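Before running a decryptor over the disk, it helps to record which files carry the .ANNABELLE extension so that the result can be checked afterwards. The script below is an added example, not part of the original guide or of StupidDecryptor; it assumes the restored file is written next to the encrypted one under the same name without the extension, and the manifest file name is arbitrary.

```python
import hashlib
import json
from pathlib import Path

EXT = ".annabelle"  # extension named in this article, compared case-insensitively


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large files do not exhaust memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def inventory(root):
    """List every encrypted file under root with its size and hash."""
    entries = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() == EXT:
            entries.append({
                "encrypted": str(path),
                # Assumption: the restored file has the same name minus the extension.
                "expected_original": str(path.with_suffix("")),
                "size": path.stat().st_size,
                "sha256": sha256_of(path),
            })
    return entries


def save_manifest(entries, manifest_path):
    """Write the inventory to disk so it survives the decryption run."""
    Path(manifest_path).write_text(json.dumps(entries, indent=2), encoding="utf-8")


def unrecovered(manifest_path):
    """After decryption, return encrypted files whose original is missing or empty."""
    entries = json.loads(Path(manifest_path).read_text(encoding="utf-8"))
    missing = []
    for entry in entries:
        original = Path(entry["expected_original"])
        if not original.is_file() or original.stat().st_size == 0:
            missing.append(entry["encrypted"])
    return missing


if __name__ == "__main__":
    import sys
    found = inventory(sys.argv[1] if len(sys.argv) > 1 else ".")
    save_manifest(found, "annabelle_manifest.json")  # hypothetical file name
    print(f"{len(found)} encrypted files recorded")
```

Keep the encrypted copies until `unrecovered()` returns an empty list and the restored files open correctly.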

How does this Annabelle ransomware spread?

Like most crypto-viruses, Annabelle ransomware could be spread in a number of ways. For instance, you could become infected after clicking on a rogue online advertisement. In some cases, payloads are spread in malicious spam campaigns. It is important for you to never download files or programs from unknown sources. Even if an email message looks legitimate, check whether the email address belongs to the actual service. Since the tax season is slowly approaching, you might be tricked into downloading a rogue form.

If you want to be protected from malware, it is important to have an anti-malware tool. Programs like Spyhunter will protect you from all sorts of malicious programs. They are recommended by dozens of security researchers and you cannot go wrong with downloading them. After all, with so many computer viruses lurking on the Internet, you have to have a tool which would protect you.

How to recover Annabelle ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista / XP
  • Start → Shutdown → Restart → OK.
  • Press the F8 key repeatedly until the Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at the Windows login screen. Then press and hold the Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

2. Restore System files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the Restore Points created before Annabelle ransomware infiltrated your system and then click “Next”.
  • To start System Restore, click “Yes”.

Step 2. Complete removal of Annabelle ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter, and remove all malicious files related to Annabelle ransomware. You can check other tools here.

Step 3. Restore Annabelle ransomware affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually Annabelle ransomware tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer

It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover Annabelle ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:
  • We suggest using another PC and connecting the infected hard drive as a slave. It is still possible to do this on the infected PC, though.
  • Download a data recovery program.
  • Install it and scan for recently deleted files.

Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.
