Anatova ransomware strikes: researchers warn it might be devastating

Sophisticated malware poses as an icon for a game or other software, making victims to click without thinking

Security researchers discovered a new string of malware with sophisticated anti-analysis techniques and and module functionality

McAfee researchers recently published a detailed report^[1] about a new cyber threat that possesses sophisticated modular capabilities and advanced obfuscation techniques, created by experienced hackers. The multifunctional malware, dubbed Anatova ransomware,^[2] was seen striking users all over the world, including Belgium, Germany, France, UK, Russia, and others, but most infections were observed in the United States.

The ransomware was discovered on peer-to-peer networks by independent security experts.^[3] It is usually disguised as an icon of a video or another program, which prompts users to install malware without even realizing it.

After the infiltration, Anatova encrypts personal files with the help of a robust encryption algorithm and demands a ransom of 10 DASH (approx. $700) for the decryptor. Additionally, ransomware can spread to all connected networks and perform malicious activities as well, which can result in devastating consequences to organizations and businesses.

McAfee's researchers reported on the threat due to its uniqueness, as well as the fact that it might become a prominent threat in the future:^[4]

The developers/actors behind Anatova are, according our assessment, skilled malware authors. We draw this conclusion as each sample has its own unique key, as well as other functions we will describe, which we do not often see in ransomware families.

Several checks are made before Anatova begins the infection

Before proceeding with the infiltration, Anatova first checks the login username of the computer owner. If the name matches the one on a predetermined list, the malware leaves without leaving any traces. The list includes words like “LaVirulera,” “tester,” “analyst,” “lab,” “malware,” which reveals that the developers do not wish the malware to be checked by researchers.

Next, malware will check the language of the machine. It will not infect users from the following countries:

• The Commonwealth of Independent States (CIS countries)^[4]
• Syria
• Egipt
• Morocco
• Iraq
• India

The CIS countries formed after the collapse of the Soviet Union, and it is not uncommon to see criminals excluding these countries – it most likely shows that criminals are coming from there. However, it is yet unknown why the additional countries are included as well.

Anatova is most likely to evolve due to its enhanced capabilities

Two most alarming features of the threat, according to experts, is the anti-analysis aspect, as well as the ability to evolve with the help of its modular architecture.

Malware protects its strings with the Unicode and Ascii encryption, requiring different keys for the execution. These keys are hidden within the executable itself. Additionally, the malware uses trusted Windows API's and typical programming language for GetModuleHandleW, LoadLibraryW, GetProcAddress, ExitProcess, and MessageBoxA.

Under certain conditions, the malware would load “extra1.dll” and “extra2.dll,” which indicates that the Anatova virus is ready to be enhanced with additional capabilities and functions.

Finally, ransomware shuts down several running processes, encrypts files using Salsa 20^[5] cipher (avoiding all files above 1MB in size, as well as system files) and drops a ransom note in each of the affected folders. Lastly, Anatova cleans the device from all the key value data, preventing researchers from creating a decryption tool.