How to remove Annabelle virus and restore encrypted files

Annabelle ransomware virus

This entry is dedicated to the Annabelle virus, which gets onto users' PCs around the world and encrypts their data. Here we've gathered complete information about what Annabelle is and how to uninstall it from the computer. We'll also explain how to get the encrypted data back, if possible.

Annabelle ransomware has infected thousands of laptops around the world with the help of the most effective method: fake e-mails with dangerous attachments. Web criminals also use zero-day vulnerabilities to take control of the PC, but these are quickly patched. After the infection, Annabelle examines the PC's memory and determines the number of folders to encrypt and their approximate price. At the moment, any new virus is able to encrypt video, audio, text and image files in all the most widely used formats. The virus encrypts all files, but those that could be business correspondence go first. All software on the system is left unaffected, because the fraudsters want only the information. Encryption is carried out with the well-known AES and RSA algorithms, and it is so complex that decrypting the data without a key is impossible. This is the basis for the unbelievable success of this kind of virus in recent years: an ordinary user, even one with fairly good knowledge of the PC, will never restore the data and will be forced to pay the price. The only way to restore the data is to crack the scammers' site and retrieve the encryption keys. There is also a chance of extracting these keys through flaws in the virus's program code.

For any type of computer virus, one statement holds: it is far simpler to avoid it than to cure it. For encrypting programs this is especially important because, unlike ordinary malicious programs, the results of ransomware's actions remain after it is uninstalled from the computer. To protect yourself, you have to understand these three elementary rules:

    • Don't accept any changes to your computer that come from unfamiliar software. If the system is penetrated by ransomware, it will try to remove the shadow copies of the files to make recovery less likely. However, deleting shadow copies requires administrator rights and the user's confirmation. A moment of thought before confirming the pop-up might save your files and your time.
    • Keep an eye on the condition of your PC. Encrypting the data takes a lot of hardware resources. In the first seconds of infection, CPU performance drops and the encryption process appears in Process Manager. You may recognize this moment and switch off the workstation before the files are fully damaged. In case of penetration, these measures will protect some of your data.
    • Inspect your e-mails attentively, especially messages with attached files. If such a letter comes from an unknown sender and is about winning a prize, a lost parcel or something similar, it is most likely ransomware. You should also be careful with business correspondence, especially if the sender's address and the content are unfamiliar. Bills for services and products, appeals, summaries, lawsuits and other important documents do not come without warning, and the receiver should know the person who sent them. In all other cases it is a fraud.

Ransomware removal isn't the happy end; it's just one step of many before complete data restoration. To decrypt the files you will have to follow the instructions in the special section of our article. For encrypting viruses we don't give manual removal instructions, because their complexity and the likelihood of errors are too high for a regular user. High-class viruses can't be uninstalled even with an antivirus program, and have many efficient defense mechanisms. Some encrypting viruses can completely erase the corrupted data, or some of it, if somebody attempts to delete the virus. This is extremely unwanted, and the part below will help you avoid it.

Removal instruction

Step 1. Boot into Safe mode

Start -> Msconfig.exe

On the Boot tab, select Safe boot

Step 2. Check Startup folder

Start -> Msconfig.exe -> Disable unknown programs in the Startup tab


Step 3. Check hosts file

Edit the hosts file, which is located in C:\Windows\System32\drivers\etc\ .

Open the file with Notepad and delete suspicious strings.

It has to look like this:
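As an added example that is not part of the original guide: a Python script that lists every active (non-comment) hosts entry other than the usual localhost mappings, so the suspicious strings are easier to pick out before editing. On current Windows versions the stock file contains only comment lines, so a clean file yields no findings; the sample content and the `.example` host names below are constructed.

```python
import ipaddress

# Constructed sample hosts content (not from a real infection); on a real
# machine read C:\Windows\System32\drivers\etc\hosts instead.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#       127.0.0.1       localhost
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.av-vendor.example   # constructed entry
203.0.113.10    login.bank.example www.bank.example
not-an-ip       something.example
"""

# Names that legitimately map to the loopback address.
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def audit_hosts(text):
    """Return (line_no, reason, line) for each active entry worth reviewing."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].split()  # drop comments, split fields
        if not entry:
            continue
        addr, names = entry[0], entry[1:]
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((no, "malformed address", raw.strip()))
            continue
        extra = [n for n in names if n.lower() not in LOCAL_NAMES]
        if extra and (ip.is_loopback or ip.is_unspecified):
            # Typical way to cut a machine off from update or vendor sites.
            reason = "blocked (points at this machine): " + ", ".join(extra)
        elif extra:
            reason = "redirected to %s: %s" % (addr, ", ".join(extra))
        elif not ip.is_loopback:
            reason = "localhost mapped to non-loopback address " + addr
        else:
            continue  # plain localhost mapping, nothing to report
        findings.append((no, reason, raw.strip()))
    return findings


if __name__ == "__main__":
    for no, reason, line in audit_hosts(SAMPLE_HOSTS):
        print("line %d: %s\n    %s" % (no, reason, line))
```

Not every finding is malicious: ad blockers and corporate tools also add hosts entries, so review each reported line before deleting it.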

Step 4. Scan the system with an antivirus scanner


Why we recommend SpyHunter antimalware as removal tool

Removes virus fully: all files and even registry keys of malware will be deleted

Protects your system in the future

24/7 free support team

Step 5. Disable Safe mode

Start -> Msconfig.exe -> Disable Safe boot in the Boot tab

After deleting Annabelle from the computer, the user has to decrypt the encrypted data. We won't try to reverse the encryption; instead we'll recover the data via Windows functionality and particular programs. Usually, to restore the data, the victim has to seek help on anti-malware forums or from well-known ransomware fighters and antivirus software manufacturers. If you're more interested in restoring the information by hand, read this article, which shows all the most effective ways.

To restore information, follow the article about files decryption.
