Modular Anatova ransomware encrypts data as quickly as possible before detection

The new malware is being propagated on P2P networks, and demands a ransom equivalent to $725 USD, according to McAfee Labs.


A new ransomware family is now being propagated on private P2P file sharing networks, according to a report from McAfee Labs released on Tuesday. The ransomware, called Anatova, is designed to support modules that can be executed prior to the encryption of files on the potential victim's computer.

The sample analyzed by McAfee contains a compile date of January 1, 2019, making it a relatively new attack type. The file size of the variant analyzed is 307 KB, "but it can change due to the amount of resources used in the sample. If we remove all these resources, the size is 32 KB; a very small program with a powerful mechanism inside," Alexandre Mundo, the security researcher who discovered the ransomware, wrote in the report.


As is common among malware families, Anatova uses a variety of methods to hinder analysis, including memory-cleaning functions and refusing to run after checking the username of the logged-in user. The strings inside the program are encrypted with different keys, and the calls it makes are resolved dynamically, using typical Windows APIs and C standard library functions.

Anatova is seen most often in the United States, Belgium, Germany, and France. Though some infections were detected in Russia, the malware is designed to exclude targets in member countries of the Commonwealth of Independent States, including Azerbaijan, Belarus, Kazakhstan, Kyrgyzstan, Armenia, Moldova, Russia, Tajikistan, and Uzbekistan, as well as Syria, Egypt, Morocco, Iraq, and India, according to the report.

When activated, Anatova identifies active processes and stops those on a blacklist, such as the Steam game client or Microsoft SQL Server, to prevent files from being write-locked during encryption. It then encrypts files using Salsa20, skipping EXE, DLL, and SYS files as well as Windows' own folders such as "Windows" and "Program Files". It also encrypts only files smaller than 1 MB to avoid becoming stuck on large files.

Anatova demands a ransom of 10 DASH, which is presently around $725 USD. It inserts a ransom note in folders in which it successfully encrypted files, offering a sample decryption of a JPEG file to prove the files can be decrypted. It also traverses the network in an attempt to encrypt files on network shares.
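The encryption phase described above leaves a recognisable behavioural trace for defenders: a process terminates applications that hold files open, then rewrites a large number of small user files while leaving EXE/DLL/SYS files and the Windows and Program Files trees alone. The following is an added example of a simple endpoint-telemetry heuristic built on exactly those reported traits; it is not code from McAfee's report or from TechRepublic. The event record format, the threshold values, the process image names (`sqlservr.exe`, `steam.exe`) and the sample events at the bottom are all assumptions constructed for illustration.

```python
"""Behavioural detection heuristic for the encryption phase described in the
report: many files under 1 MB rewritten in a short window, EXE/DLL/SYS and the
Windows / Program Files trees untouched, preceded by termination of processes
that hold files open.

Added example, not McAfee's or TechRepublic's code.  The telemetry format,
thresholds, watched image names and sample events are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath

SKIPPED_EXT = {".exe", ".dll", ".sys"}                    # skipped per the report
SKIPPED_ROOTS = ("c:\\windows\\", "c:\\program files\\")  # skipped per the report
MAX_SIZE = 1024 * 1024                                    # only files < 1 MB are touched
# Processes the report says are stopped before encryption (image names assumed).
WATCHED_KILLS = {"sqlservr.exe", "steam.exe"}


@dataclass(frozen=True)
class FileWrite:
    ts: float   # seconds on a constructed clock
    pid: int    # writing process
    path: str   # Windows path
    size: int   # file size in bytes


@dataclass(frozen=True)
class ProcKill:
    ts: float
    pid: int       # process that issued the termination
    victim: str    # image name of the terminated process


def matches_profile(ev: FileWrite) -> bool:
    """True when a write fits the file-selection rules described for Anatova."""
    p = ev.path.lower()
    if p.startswith(SKIPPED_ROOTS):
        return False
    if PureWindowsPath(p).suffix in SKIPPED_EXT:
        return False
    return ev.size < MAX_SIZE


def bulk_writers(writes, window=60.0, threshold=20):
    """Map pid -> number of distinct matching files rewritten inside any
    `window` seconds, for pids that reach `threshold` (sliding window over
    time-sorted events)."""
    by_pid = defaultdict(list)
    for ev in writes:
        if matches_profile(ev):
            by_pid[ev.pid].append(ev)
    hits = {}
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e.ts)
        for i, start in enumerate(evs):
            paths = {e.path.lower() for e in evs[i:] if e.ts - start.ts <= window}
            if len(paths) >= threshold:
                hits[pid] = len(paths)
                break
    return hits


def score_pids(writes, kills, window=60.0, threshold=20):
    """Combine both signals: a pid that terminated a watched process and then
    rewrote many small files scores 2; a bulk writer alone scores 1."""
    hits = bulk_writers(writes, window, threshold)
    killers = {k.pid for k in kills if k.victim.lower() in WATCHED_KILLS}
    return {pid: (2 if pid in killers else 1) for pid in hits}


def sample_events():
    """Constructed telemetry: pid 4242 kills SQL Server, then rewrites 25 small
    user documents within about 10 s; pid 1000 is an editor saving three files."""
    writes = [FileWrite(100 + i * 0.4, 4242,
                        rf"C:\Users\alice\Documents\report{i}.docx", 40_000)
              for i in range(25)]
    # Writes the heuristic must ignore: oversized file, skipped extension, system tree.
    writes.append(FileWrite(105.0, 4242, r"C:\Users\alice\Videos\holiday.mp4", 50_000_000))
    writes.append(FileWrite(106.0, 4242, r"C:\Users\alice\tool.exe", 20_000))
    writes.append(FileWrite(107.0, 4242, r"C:\Windows\System32\drivers\etc\hosts", 900))
    writes += [FileWrite(200.0 + i, 1000, rf"C:\Users\alice\notes{i}.txt", 2_000)
               for i in range(3)]
    kills = [ProcKill(99.0, 4242, "sqlservr.exe")]
    return writes, kills


if __name__ == "__main__":
    w, k = sample_events()
    print(score_pids(w, k))
```

The window and threshold are deliberately conservative so that an editor or a backup agent saving a handful of files is not flagged; in a real deployment the kill-then-bulk-write sequence (score 2) is the signal worth alerting on, while bulk writes alone (score 1) are better used to enrich an investigation than to page anyone.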


The big takeaways for tech leaders:

  • The modular Anatova ransomware sample analyzed has a build date of January 1, 2019, making it likely the first new ransomware family of the year.
  • Anatova demands a ransom of 10 DASH, which is presently around $725 USD.
