A new ransomware family was discovered in a private peer-to-peer network earlier this month and has prompted researchers to issue a warning due to its modular capabilities. The ransomware, nicknamed Anatova, has already been detected in several hundred machines around the world.
Anatova Ransomware Displays Modular Capabilities
On the surface, Anatova runs just like any other ransomware family. Once the ransomware is prompted, it runs a few checks, encrypts files on the computer, and then demands 10 DASH coins, currently valued at $700. However, malware researchers from McAfee discovered Anatova comes with support for additional modules that could extend its capabilities, allowing it to become an all-in-one malware tool.
The possibility was discovered when a flag whose value determined the loading of two DLL files – named ‘extra1.dll’ and ‘extra2.dll.’ By making Anatova modular, the authors could use it to include a variety of capabilities that would take priority before running the typical file encryption process. Like the newly discovered GandCrab ransomware variant which includes an infostealer, Anatova could add the same capabilities as well as plant a backdoor or any other kind of malware.
Anatova Includes Anti-Analysis Processes
To further complicate matters for cybersecurity researchers, Anatova embedded a memory cleaning procedure that activates in certain scenarios. First, the malware checks the username of the logged in user. If the name matches one on an internal list, the ransomware deploys the cleaning process and exits. According to initial analysis, the list is quite short. However, it may protect it from being checked by less careful malware analysts.
Additional protection techniques deployed by Anatova include encrypting most of the strings and using different keys for decrypting them as well as heavy reliance on dynamic calls.
Anatova’s Encryption Process
To make the encryption process as quick as possible, Anatova targets files that are 1MB in size or smaller. This procedure avoids critical directories and files and does not append any extension to encrypted files. Furthermore, the ransomware sets pointers at the end of encrypted files, ensuring it does not encrypt files that are already encrypted. To further save time, a ransom note is only added to folders where at least one file is encrypted and will not overwrite an existing note.
The Start of an Evolution
While GandCrab was the first ransomware variant to add an infostealer to its arsenal, Anatova could prove to be the next step in the evolution of ransomware threats by incorporating functions that take advantage of the full spectrum of monetization possibilities. With Anatova, even if the victim does not pay the ransom, hackers will still be able to make money by stealing private information or selling access to the compromised station.
