MSIL/Annabelle.A!tr.ransom
Analysis
MSIL/Annabelle.A!tr.ransom is a detection for an Annabelle Ransomware trojan.
Below are some of its observed characteristics/behaviours:
- Affected files of this Ransomware will use the filenaming format {original name}.ANNABELLE.
- Affected files of some variants will use the filenaming format {original name}.annabellecreate.
- This malware attempts to pass hosts system firewall.
- This malware attempts to spread through USB drives to infect other computers.
- This malware attempts to delete Shadow Volume Copies.
- The following registry modifications are applied:
- HKCU\Software\Microsoft\Windows\Currentversion\Run
- updatebackup = %currentfile%
- HKLM\Software\Microsoft\Windows NT\Currentversion\Image File Execution Options\Taskmgr.exe
- Debugger = RIP
- HKCU\Software\Microsoft\Windows\Currentversion\Run
- After encrypting all the files, it will reboot the computer and when the user logs in, it will show the following locked screen:
- Figure 1: Ransom Notes.
- It replaces the master boot record of the infected computer so that it shows the following screen when the computer restarts.
- Figure 2: Ransom Notes.
- Some of the variants will show ransom note as below.
- Figure 3: Ransom Notes.
|
|
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
FortiClient | |
---|---|
Extreme | |
FortiMail | |
Extreme | |
FortiSandbox | |
Extreme | |
FortiWeb | |
Extreme | |
Web Application Firewall | |
Extreme | |
FortiIsolator | |
Extreme | |
FortiDeceptor | |
Extreme | |
FortiEDR |