Pierluigi Paganini January 26, 2019

Security experts at McAfee have discovered a new malware, dubbed Anatova ransomware, that has been spotted infecting computers worldwide

The name Anatova is based on a name in the ransom note that is dropped on the infected systems.

The Anatova ransomware outstands for its obfuscation capabilities and ability to infect network shares, it has a modular structure that allows adding new functions to the malware.

“During our continuous hunt for new threats, we discovered a new ransomware family we call Anatova (based on the name of the ransom note). Anatova was discovered in a private peer-to-peer (p2p) network.” reads the analysis published by McAfee.

Malware experts from McAfee discovered the Anatova ransomware on a private peer-to-peer network.
Anatova uses the icon of a game or application to trick victims into download and execute it.

The malware uses a manifest to request admin rights, it implements multiple efficient protection techniques against static analysis, it makes a few checks to avoid running in a sandbox.

The malware demands $700 in ransom to decrypt the data.

The largest number of infections was observed in the United States, followed by Germany, Belgium, France, and the UK. It is interesting to note that the malware doesn’t infect systems from a list of the countries that includes all CIS countries, Syria, Egypt, Morocco, Iraq, and India.

“It’s quite normal to see the CIS countries being excluded from execution and often an indicator that the authors might be originating from one of these countries.” continues the experts. “In this case it was surprising to see the other countries being mentioned. We do not have a clear hypothesis on why these countries in particular are excluded.”

The ransomware looks for files that are smaller than 1 MB and avoid encrypting files of the operating system. Anatova also checks for network shares, this is particularly dangerous in large organizations because a single infection can cause severe problems to several systems in the company network.

Each Anatova sample uses its own key, this implies that there’s no master key available that could be used to decrypt all victims files.

After encrypting the files, the ransomware will clean the memory of the key, IV, and private RSA key values, to prevent anyone dumping this information from memory and use it to decrypt files.

“When all this is done, Anatova will destroy the Volume Shadow copies 10 times in very quick succession. Like most ransomware families, it is using the vssadmin program, which required admin rights, to run and delete the volume shadow copies.” states McAfee.

According to McAfee, the Anatova ransomware was developed by skilled vxers, the researchers believe it is a prototype being tested and has the potential to become a serious threat.

Additional details, including IoCs. are reported in the analysis published by McAfee.

Pierluigi Paganini

(SecurityAffairs – Anatova ransomware, cybercrime)

[adrotate banner=”5″] [adrotate banner=”13″]