.ANNABELLE Files Virus – How to Remove and Restore Data

This article has been created to help you by showing how to remove the .ANNABELLE files virus from your computer and how to fully restore files encrypted by it.

The .ANNABELLE files virus is yet another horror-movie-based ransomware infection. It encrypts the files on victims' computers in order to demand a hefty ransom in return for them. The ransomware also performs numerous other activities that disable a lot of tools on Windows in order to deny the user access to them. The virus displays its ransom screen as a lockscreen with a scary Annabelle message that asks victims to pay the ransom and threatens that their files will be deleted if they don't. In the event that your computer has been infected by the .ANNABELLE ransomware virus, it is important that you follow the instructions below.

Threat Summary

Name: .ANNABELLE Files Virus
Type: Ransomware, Cryptovirus
Short Description: Aims to encrypt the files on the computers it infects and asks for a ransom payoff in BitCoins to decrypt the victims' files.
Symptoms: The files on the victim’s computer are encrypted with an added file suffix .ANNABELLE and the screen displays a horrific image of Annabelle, the horror movie which came out back in 2014.
Distribution Method: Spam Emails, Email Attachments, Executable files
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Update! Researchers have discovered that the .ANNABELLE ransomware is a variant of the ransomware virus known as “Stupid”, which is decryptable, and have updated the decrypter for it to decode .ANNABELLE files for free. You can follow these instructions to decrypt your files without paying the ransom.

.ANNABELLE Files Virus – How Does It Infect

The primary method of infection used by the cyber-criminals behind this ransomware has been reported to be e-mail spam. The messages sent out to victims may contain either a malicious e-mail attachment or a malicious web link embedded within them. These e-mails are accompanied by various types of deceitful messages as well, and they pretend to come from well-recognized companies such as PayPal, Amazon or other big companies, as the example malicious spam e-mail below demonstrates:

In addition to malicious e-mail spam messages, other methods of infection may also include using malicious files that are masked as legitimate ones and uploaded on various different websites, such as:

  • Fake program installers.
  • Fake game patches or cracks.
  • Fraudulent key generators.
  • Fake software license activators.

.ANNABELLE Files Virus – Malicious Activity

The primary malicious activity of this ransomware infection is to drop its malicious file on your computer after it infects it. The main malicious file is an .exe file, which causes the initial infection. The folders in Windows in which the payload may be dropped are the following:

  • %Windows%
  • %System%
  • %System32%
  • %Temp%
  • %AppData%
  • %Local%
  • %LocalLow%

In addition to this, the .ANNABELLE ransomware virus aims to perform various modifications on the victim's computer, such as deleting the backups and the shadow volume copies on it. It achieves this by executing the following commands as an administrator on the victim PC:

→ process call create "cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"
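A detection-side view of the commands above, as an added example that is not part of the original article: the script checks process-creation command lines for shadow copy deletion and the two boot recovery changes, and raises the severity when they appear together. The rule names, host names and sample events are constructed for illustration.

```python
import re

# Each rule: (hypothetical rule name, regex applied to a normalised command line).
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b")),
    ("recovery_disabled",
     re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\S+\s+recoveryenabled\s+no\b")),
    ("boot_failures_ignored",
     re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\S+\s+bootstatuspolicy\s+ignoreallfailures\b")),
]

def normalise(cmdline):
    """Lower-case, drop straight and curly quotes, collapse whitespace."""
    cleaned = re.sub(r"[\"'“”]", "", cmdline.lower())
    return re.sub(r"\s+", " ", cleaned).strip()

def match_rules(cmdline):
    """Return the names of all rules that fire on one command line."""
    text = normalise(cmdline)
    return [name for name, rx in RULES if rx.search(text)]

def scan(events):
    """events: iterable of (host, command_line) pairs.
    Severity is 'high' when backup deletion and recovery tampering co-occur."""
    alerts = []
    for host, cmdline in events:
        hits = match_rules(cmdline)
        if hits:
            severity = "high" if len(hits) >= 2 else "medium"
            alerts.append({"host": host, "rules": hits, "severity": severity})
    return alerts

# Constructed sample events; host names are made up.
SAMPLE_EVENTS = [
    ("WS-01", 'process call create "cmd.exe /c vssadmin.exe delete shadows /all /quiet & '
              'bcdedit.exe /set {default} recoveryenabled no & '
              'bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"'),
    ("WS-02", "vssadmin list shadows"),              # read-only query, no alert
    ("SRV-03", "BCDEDIT  /set {current} RecoveryEnabled No"),
    ("WS-04", "vssadmin.exe Delete Shadows /All /Quiet"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```
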

The primary and most noticeable activity of the .ANNABELLE ransomware virus, besides encrypting the files on your computer, is to display its ransom note, which looks like the following:

Text from image:

“What happenned to my files?

All your files are encrypted and secured with a strong key. There is no way to get them
back without your personal key.

How can I get my personal key?

Well, you need to pay for it. You need to visit one of the special site below & then you need to
enter your personal ID [you find it on the top] & buy it. Actually it costs exactly 0.1 Bitcoins.

How can I get access to the site?

You easily need to download the Torbrowser, you can get it from this site:

What is going to happen if I’m not going to pay?

If you are not going to pay, then the countdown will easily ran out and then your system will be broken. If you are going to restart than the countdown will ran out much faster.”

In addition to this, the ransomware infection also uses the following image to further stress its victims:

.ANNABELLE Ransomware – Encryption Process

In order to encrypt the files on the victim’s computer, the .ANNABELLE files virus may use different strategies that let it encrypt only your important files while avoiding Windows system files, since encrypting those may damage your PC. The malware primarily attacks files that are often used, like:

  • Documents.
  • Videos.
  • Images.
  • Music.
  • Audio files.
  • Archives.

After doing so, the .ANNABELLE ransomware virus may encrypt portions of the original files, enough to make them impossible to open, and in addition add the .ANNABELLE file suffix to them, making them appear possibly like the image below shows:

In addition to this, the .ANNABELLE files virus also locks your screen, to scare you into not resetting your computer. However, we recommend that you do not panic and act quickly towards removing this ransomware from your PC and restoring files that have been encrypted by it.

Remove .ANNABELLE Ransomware and Restore Encrypted Files

The .ANNABELLE ransomware can be removed either manually or automatically if you follow the removal instructions below. They are written to help you focus on removing the malware after isolating it in Safe Mode. If manual removal does not work for you, experts strongly recommend following the automatic removal instructions and downloading an advanced anti-malware software, which will make sure that this virus is removed fully and your PC stays protected against future infections as well.

In addition to this, if you want to restore files that have been encrypted by the .ANNABELLE files virus, we suggest that you check our suggestions for recovering data in step “2. Restore files encrypted by .ANNABELLE Files Virus”. They are specifically created to help you, although they do not guarantee that you will be able to recover all of your encrypted files.

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
