New Anatova Ransomware Supports Modules for Extra Functionality

A new ransomware family popped on the radar of analysts, who see it as a serious threat created by skilled authors that can turn it into a multifunctional piece of malware.

Infections with Anatova have been reported all over the world, most of them being in the United States, followed by countries in Europe (Belgium, Germany, France, the UK).

The ransomware includes an anti-analysis routine that gets triggered under certain conditions. Once launched, the ransomware asks for admin privileges, runs a few checks and then encrypts files on the computer and then demands 10 DASH coins, currently valued at $700.

Modular architecture

Malware researchers from McAfee discovered Anatova in a private peer-to-peer network where it uses an icon for a game or an application to lure users into downloading it.

They found that the new ransomware comes with support for additional modules that could extend its capabilities, allowing it to become an all-in-one malware tool.

The clue pointing to this possibility was a flag whose value determined the loading of two DLL files named ‘extra1.dll’ and ‘extra2.dll.’ “This might indicate that Anatova is prepared to be modular or to be extended with more functions in the near future,” the researchers say in a report.

By making Anatova modular, its authors could use it to include all sorts of capabilities that would take priority before running the file encryption routine. They could collect sensitive information, plant a backdoor, or other types of nasties.

Anti-analysis process

Anatova tried to make the ransomware more resilient to analysis attempts by embedding a memory cleaning procedure that activates in certain situations.

Among the first actions it takes is to check the username of the logged in user. If the name is a match with one on an internal list, the ransomware deploys the cleaning process and exits.

Although the list of names Anatova checks is short, it may protect it from being checked by less careful malware analysts.

It includes the following strings: ‘LaVirulera,’ ‘tester,’ ‘Tester,’ ‘analyst,’ ‘Analyst,’ ‘lab,’ ‘Lab,’ ‘Malware,’ and ‘malware.’

According to McAfee, these names are the default choices when setting up a virtual machine or a sandbox environment or they are regularly used by some malware analysts.

Additional protection techniques are encrypting most of the strings and using different keys for decrypting them and heavy reliance on dynamic calls.

Anatova seems to be a new player on the ransomware market, as the analyzed sample came with a compilation date of January 1, 2019.

The ransomware packs quite a punch for a package of just 32KB, excluding resources. It encrypts files using the Salsa20 algorithm and extends this process to available network-shares.

To eliminate file recovery possibilities from the infected machine, Anatova destroys the Volume Shadow copies ten times in a row. For this, it uses the ‘vssadmin’ utility, which needs admin rights.

Encrypted files get no special extension

To make the encryption process quick, Anatova targets files that are 1MB in size or smaller. This procedure avoids critical directories and files and does not result in files with a different extension.

“By setting pointers at the end of the encrypted files, Anatova makes sure that it does not encrypt files that are already encrypted,” explain the researchers.

Unlike other ransomware pieces, this one adds the ransom note only to folders where it encrypted at least one file. Also, it will not overwrite an existing note, most likely to save time.

One peculiarity Lawrence Abrams of internetnewsblog observed while testing the ransomware multiple times was that it crashed Windows File Explorer.

Anatova could prove to be a next step in the evolution of the ransomware threat by incorporating functions that take advantage of the full spectrum of monetization possibilities. This way, even if the victim does not pay the ransom, the criminals will still be able to make some money by stealing private and sensitive information, or selling access to the compromised station.

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Most Popular

To Top