Imagine a ransomware that can get past your endpoint protection, disable Windows Defender, shutdown the host firewall, connect to USB drives, disables access to various executables, encrypts your files and plants its own master boot record and its own boot loader. Not cool, right? How about if it were done just for kicks?

Some ransomware may want to extort your cash (or crypto, as it were), but this new brand just wants to scare the crap out of you – and it will. Apparently, simply to prove that it can.

Hello Next-Gen Malware

Annabelle Ransomware, as it exists today, does a number on endpoints. Of course it does, it’s supposed to scare you.

What does it do and how does it do it? Well, let’s step through how this insidious piece of malware will try to give you nightmares.

Action 1: By terminating numerous security programs, disabling Windows Defender, turning off the firewall, encrypting your files, trying to spread through USB drives, making it so you can’t run a variety of programs. (first goosebumps appear)

Action 2: It overwrites the master boot record of the infected computer with a mocking bootloader just to get under your skin. (you are visited by your first apparition)

Action 3: Annabelle does some stuff that’s particularly cute (in a nightmarish way), like configuring itself to start automatically when a user logs in to their infected Windows instance. Then it terminates a variety of programs such as Process Hacker, Process Explorer, Msconfig, Task Manager, Notepad++, Notepad, Internet Explorer, Chrome, Opera, bcdedit, etc. (is that noise coming from under your bed?)

Action 4: By spreading more than charms across the network, this ransomware will then try to use autorun.inf files. However, this propagation method is useless when it comes to newer versions of Windows that do not support an autoplay feature. (you think you can make it out safe)

Action 5: Now that the PC is mostly Pwned, it will start encrypting the computer with a static key and it will append the .ANNABELLE extension to the encrypted file’s name. (you start to run, but keep falling down)

Action 6: In a truly adding insult to injury fashion, the computer is rebooted and when the user logs in, a fancy lock screen is displayed, it almost makes you WannaCry. (the moment you realize there is no escape, decent into madness follows)

The lock screen has a credits button that when clicked shows the below screen that states a developer named iCoreX0812 made the program and a way to contact them on Discord.

As a final slap in the face, the hacker developer added code that replaces the master boot record of the infected computer, so that it displays a brag screen when the computer restarts. The image will appear blurry through your tears.

MBR Lock Screen

OK, so what’s the good news? Mainly, this ransomware was built to show off the developer’s skills rather than to demand ransom payments. The bad news is that this shows off just how much heavy duty pain this stuff could inflict while being easily decryptable.

What’s the lesson here?

Well, let’s assume Annabelle manages to get past your EPP solution. It still needs to come into the network somehow and it should be detectable at this point (I say “should”, more on that later). Let’s say it rides in on a dirty USB drive. Fine, then as it opens itself and attempts to spread, it must be detected now before it’s too late. Oh wait, you didn’t build that sort of inspection into your architecture? You’ll wish you did.

Security minded IT folks should already have implemented or at least investigated the concept of a “Zero-Trust” network architecture approach as means to mitigate such an attack. One very important concept within that architecture approach is “All Traffic Inspection”, enabling security platforms, such as SIEM, to be made aware of nefarious things like Ransomware spreading in the network, so that automation technologies can deal with the emerging threat. Security teams will quickly be made aware and work on containment and remediation. Don’t have that ability? It could be a career-limiting moment. Better luck at your next job, now you know.

Moral of the story: You cannot stop a threat that you cannot see.

Full traffic inspection, coupled with security platform integration empowered by automation technologies with robust alerting and reporting capabilities, can stop these things from taking over. The underlying message here is prevention is less about absolutely stopping an exploit event from taking place at all and more about detecting that it’s happening, so you can respond swiftly. You can do this. Most likely, the points of integration may already exist in your shop. You just need a plan (and skills) to execute.

We’ll talking about such strategies at a live cybersecurity panel discussion we are hosting on May 17th in NYC at the Liberty. In addition to myself, we’ll have experts from LogRhythm, Juniper Networks & A10 Networks on hand to discuss how to deploy a cybersecurity framework that protects your data assets from threat actors.