Modular “Anatova” Ransomware Resists Analysis

Security researchers are warning of a newly discovered and highly sophisticated strain of modular ransomware featuring special capabilities to resist analysis.

Dubbed “Anatova” by McAfee, the malware has been detected across the globe, in the US, UK, Russia, Italy, Sweden and beyond. It was discovered in a private P2P network, using a game or application icon to trick users into downloading it.

Compiled on January 1 this year, Anatova is believed to have been created by “skilled malware authors.”

Each sample analyzed by McAfee had its own unique key, a rarity in the ransomware world, and featured strong protection against static analysis.

Most strings are encrypted, using different keys to decrypt them, and 90% of calls are dynamic and use only standard Windows APIs and C- programming, the vendor claimed. The malware also initiates a memory cleaning procedure if it comes across one of a list of usernames commonly used by virtual machines/sandboxes.

Files are encrypted via Salsa20 and the malware will also hunt down any files on network shares, with 10 DASH coins ($700) demanded in return for decryption.

“Finally, when all steps are completed, the ransomware will follow the flow of cleaning code…mainly to prevent dumping memory code that could assist in creating a decryption tool,” McAfee explained.

The ransomware is modular in architecture, leading to speculation that its authors could package these capabilities up with information-stealing or other functionality to improve the chances of monetizing attacks.

The findings highlight the fact that ransomware remains a major threat to organizations, despite more publicity being focused on crypto-mining in 2018.

Earlier this month the Texan city of Del Rio warned that it had been hit by a major ransomware-related outage.

Europol last year warned that ransomware would be a top threat to businesses for years to come.