What Is It?

Researchers at McAfee have detailed their discovery of a new piece of ransomware they named Anatova. What sets Anatova apart is the apparent skill of its authors and the code's modular design. The authors clearly placed a value on the effort they expended, as the cryptocurrency ransom is 10 Dash coins (current value is approximately US$720). Researchers noted infections occurring in the United States, Belgium, Germany, France and several other European countries.

The core of the Anatova malware, a 64-bit Windows executable, is a mere 32KB. When executed, Anatova loads two DLLs stored as resources. This modular design leads the researchers to believe that future versions may load different DLLs to add functionality beyond simply encrypting data files. Such functions could include information and credential stealing, creating a persistent backdoor or adding self-propagation capabilities.

The authors have optimized Anatova to perform its primary function, encrypting data files, as efficiently and quickly as possible. For instance, Anatova will only encrypt files that are 1MB in size or smaller, and it adds a flag to each encrypted file so it will not be re-encrypted. The flag is necessary because Anatova doesn't change the file name or file extension of encrypted files, so there is no other way for it to tell processed files apart. The Salsa20 encryption algorithm is used because it is very fast. Additionally, to save more time, the malware will not rewrite the ransom note if it already exists in a directory. As is now commonplace, Anatova will terminate the processes associated with various databases, document editors and games, releasing any locks on open files so it can encrypt the maximum number of data files. Anatova is capable of encrypting files on network shares and on removable drives connected to the infected system.
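The traits above (files of 1MB or less, name and extension left unchanged, no rename to key a signature on) shape what a defender can look for. The following is an added example, not code from McAfee, BluVector or the Anatova analysis: a small file-write monitor that flags a directory when several small files flip from text-like to random-looking content within a short window, ignoring writes above 1MB and files that were already high-entropy (compressed media, archives). It assumes that before/after file content is available (for instance from a backup or shadow copy) and uses constructed events and threshold values chosen for illustration.

```python
import math
import random
from collections import defaultdict
from dataclasses import dataclass

MAX_SIZE = 1024 * 1024   # Anatova only encrypts files of 1MB or less, so bigger writes are ignored
HIGH_ENTROPY, LOW_ENTROPY = 7.5, 6.0  # bits/byte: ciphertext nears 8.0, documents sit well below 6
WINDOW_SECONDS, MIN_HITS = 60.0, 3    # distinct files per directory that turned random in the window

def shannon_entropy(data: bytes) -> float:
    # Bits of entropy per byte; empty input yields 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data) or 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

@dataclass
class WriteEvent:
    ts: float      # seconds since monitoring started
    path: str      # Anatova keeps name and extension, so the path alone reveals nothing
    before: bytes  # content before the write (e.g. from a backup or shadow copy)
    after: bytes   # content after the write

def looks_encrypted(ev: WriteEvent) -> bool:
    # Small file whose content jumped from text-like to random-looking
    if len(ev.after) > MAX_SIZE:
        return False
    return shannon_entropy(ev.before) < LOW_ENTROPY and shannon_entropy(ev.after) > HIGH_ENTROPY

def suspicious_directories(events: list) -> list:
    # Directories where MIN_HITS distinct small files turned random within WINDOW_SECONDS
    hits = defaultdict(list)
    for ev in events:
        if looks_encrypted(ev):
            hits[ev.path.rsplit("/", 1)[0]].append((ev.ts, ev.path))
    flagged = []
    for d, lst in hits.items():
        lst.sort()
        for i, (t0, _) in enumerate(lst):
            if len({p for t, p in lst[i:] if t - t0 <= WINDOW_SECONDS}) >= MIN_HITS:
                flagged.append(d)
                break
    return sorted(flagged)

# Constructed sample events, not real Anatova artifacts
_rand = lambda n, r=random.Random(7): bytes(r.getrandbits(8) for _ in range(n))
TEXT = b"Quarterly report: revenue up 4%, costs flat.\n" * 40
SAMPLE_EVENTS = [
    WriteEvent(0.0, "C:/Users/alice/Documents/a.docx", TEXT, _rand(len(TEXT))),
    WriteEvent(1.5, "C:/Users/alice/Documents/b.xlsx", TEXT, _rand(len(TEXT))),
    WriteEvent(2.0, "C:/Users/alice/Documents/c.txt", TEXT, _rand(len(TEXT))),
    WriteEvent(3.0, "C:/Users/alice/Videos/clip.mp4", TEXT, _rand(4096) * 300),   # >1MB: ignored
    WriteEvent(5.0, "C:/Users/alice/Pictures/x.jpg", _rand(4096), _rand(4096)),  # already random: ignored
    WriteEvent(9.0, "C:/Users/alice/Desktop/notes.txt", TEXT, TEXT + b"more\n"),  # normal edit: ignored
]
```

Running `suspicious_directories(SAMPLE_EVENTS)` flags only the Documents directory; the before-content comparison is what keeps routine saves of already-compressed files from tripping the heuristic.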

Anatova utilizes various techniques to avoid detection and to make analysis and reverse engineering more difficult. As many pieces of malware do, it will not execute if the system language is one used by the Eastern European countries of the Commonwealth of Independent States. However, Anatova also adds Syria, Egypt, Morocco, Iraq and India to this list. It will also not execute if the username matches any entry on an encrypted list of usernames commonly associated with malware analysis, such as analyst, lab and malware.

Almost all of the strings used are encrypted, each with a different key, slowing down analysis and potentially making the malware appear less malicious to legacy detection products. Similarly, almost all of the external API calls are resolved dynamically at runtime rather than through a static import table. Potentially suspicious calls are therefore not immediately visible when analyzing the code, again making Anatova appear less malicious.

How Does It Propagate?

The malware does not contain the code necessary to self-propagate. The researchers found these samples on a private P2P (peer-to-peer) network, where it masquerades as a game or application, using that program's icon, to convince potential victims to download it. Should Anatova be distributed more widely, the most likely vector is the one most ransomware relies on: social engineering, either as malicious email attachments or as downloads triggered by malicious documents.

When/How Did BluVector Detect It?

Five publicly available samples are listed, and BluVector's patented Machine Learning Engine (MLE) detected them all. Regression testing has shown the samples would have been detected an average of 30 months prior to their release.