The name Anatova is based on a name in the ransom note that is dropped on the infected systems.
The Anatova ransomware outstands for its obfuscation capabilities and ability to infect network shares, it has a modular structure that allows
“During our continuous hunt for new threats, we discovered a new ransomware family we call Anatova (based on the name of the ransom note). Anatova was discovered in a private peer-to-peer (p2p) network.” reads the analysis published by McAfee.
Malware experts from McAfee discovered the Anatova ransomware on a private peer-to-peer network.
Anatova uses the icon of a game or application to trick victims into download and execute it.
The malware uses a manifest to request admin rights, it implements multiple efficient protection techniques against static analysis, it makes a few checks to avoid running in a sandbox.
The malware demands $700 in ransom to decrypt the data.
The largest number of infections was observed in the United States, followed by Germany, Belgium, France, and the UK. It is interesting to note that the malware doesn’t infect systems from a list of the countries that includes all CIS countries, Syria, Egypt, Morocco, Iraq, and India.
“It’s quite normal to see the CIS countries being excluded from execution and often an indicator that the authors might be originating from one of these countries.” continues the experts. “In this
The ransomware looks for files that are smaller than 1 MB and avoid encrypting files of the operating system. Anatova also checks for network shares, this is particularly dangerous in large organizations because a single infection can cause severe problems to several systems in the company network.
Each Anatova sample uses its own key, this implies that there’s no master key available that could be used to decrypt all victims files.
After encrypting the files, the ransomware will clean the memory of the key, IV, and private RSA key values, to prevent anyone dumping this information from memory and use it to decrypt files.
“When all this is done, Anatova will destroy the Volume Shadow copies 10 times in very quick succession. Like most ransomware families, it is using the
According to McAfee, the Anatova ransomware was developed by skilled vxers, the researchers believe it is a prototype being tested and has the potential to become a serious threat.
Additional details, including IoCs.
(SecurityAffairs – Anatova