Annabelle (ransomware)
| Annabelle Ransomware | |
|---|---|
| Technical name | Ransom.MSIL.ANNABELLE |
| Authors | iCoreX0812 |
| Technical details | |
| Platform | Microsoft Windows |
| Written in | C# |
Annabelle is ransomware that, when run, encrypts the user's files using AES-256-CBC with a hardcoded key and IV.[1] The ransomware locks the user's screen and attempts to gain persistence by overwriting the Master Boot Record and adding registry keys.[2]
Operation
The ransomware was first discovered in the wild in early 2018, seen as a variant of Stupid Ransomware, which would encrypt the user's files, attempt to shut down security software including antivirus programs, EDRs, and the firewall, spread through USB drives with autorun.inf files, and then overwrite the Master Boot Record with a malicious version.[3] After the operation is successful, it reboots the computer and then shows a ransom screen with the Annabelle doll from the film Annabelle, demanding a ransom payment to decrypt files and giving a way to contact the creators, credited as "iCoreX0812" with the Discord tag iCoreX#1337.[4][5] They ask for a ransom payment of 0.1 Bitcoin (at the time it was discovered, Bitcoin was around an estimated USD$1000).[6]
Researchers did not consider it to have been made for profit, but rather as a way to show off coding skills.[7]
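A defensive triage check for the USB spreading vector described above, added here as an example (it is not code from the cited sources or from the malware): it parses the text of an `autorun.inf` and reports entries that launch a program. The sample file contents and the names `launch_entries` and `is_suspicious` are constructed for illustration.

```python
import re

# [autorun] keys that make Windows start a program from the drive.
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_COMMAND = re.compile(r"^shell\\[^\\]+\\command$")
# Executable or script extension at the end of a path token.
EXEC_RE = re.compile(r"\.(exe|com|scr|bat|cmd|vbs|js|pif|lnk)(?=$|[\s\"])", re.I)


def launch_entries(text):
    """Return (key, target) pairs in the [autorun] section that start a program."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()  # section names are case-insensitive
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in LAUNCH_KEYS or SHELL_COMMAND.match(key):
            findings.append((key, value.strip()))
    return findings


def is_suspicious(text):
    """True when any launch entry points at an executable or script file."""
    return any(EXEC_RE.search(target) for _, target in launch_entries(text))


# Constructed samples for illustration; not taken from an Annabelle infection.
SAMPLE_FLAGGED = "\n".join([
    "; constructed sample",
    "[AutoRun]",
    "Open = update.exe",
    r"shell\open\command=update.exe /s",
    "icon=drive.ico",
])
SAMPLE_BENIGN = "\n".join(["[autorun]", "label=Backup Drive", "icon=drive.ico"])

if __name__ == "__main__":
    for name, sample in (("flagged", SAMPLE_FLAGGED), ("benign", SAMPLE_BENIGN)):
        print(name, is_suspicious(sample), launch_entries(sample))
```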
Responses
On March 8, 2018, the National Health Service released a cyber alert about the ransomware, warning of its spreading vectors of random downloads and email spam.[8]
References
1. Bajpai, Pranshu. Extracting ransomware's keys by utilizing memory forensics (Thesis). Michigan State University. doi:10.25335/scj4-7751.
2. "Annabelle RANSOMWARE DECRYPTION TOOL" (PDF). No More Ransom. Retrieved 30 November 2025.
3. Abrams, Lawrence (21 February 2018). "The Annabelle Ransomware Is a Horrific Mess". Bleeping Computer. Retrieved 1 December 2025.
4. Admin (15 March 2018). "The Annabelle Ransomware - A true horror story?". BDRShield. Retrieved 1 December 2025.
5. Robinson, Teri (22 February 2018). "Annabelle ransomware a horror show for users". SC Media. Retrieved 1 December 2025.
6. "All You Need to Know about the Annabelle Ransomware Virus". The Driz Group. 27 February 2018. Retrieved 1 December 2025.
7. "Weekly Threat Briefs". FortiGuard. Fortinet. 2 March 2018. Archived from the original on 10 December 2023. Retrieved 1 December 2025.
8. "Annabelle Ransomware". NHS England Digital. Retrieved 1 December 2025.