A new ransomware family tracked as ‘Anatova’ has recently been spotted by security researchers. Infections have been observed all over the world, most of them in the United States, followed by several European countries.
Propagation and capabilities
Anatova uses the icon of a game or an application to trick users into downloading and running it. Its goal is to encrypt most or all of the files on an infected system and demand a ransom to unlock them.
According to a report from McAfee researchers, the attackers demand a ransom of roughly $700 per victim.
“The actor(s) demand a ransom payment in cryptocurrency of 10 DASH – currently valued at around $700 USD, a quite high amount compared to other ransomware families,” said McAfee researchers in a detailed analysis report.
The ransomware includes an anti-analysis routine that triggers only under specific conditions. Beyond that, its extended capabilities allow it to serve as an all-in-one malware tool.
Its authors appear to intend Anatova for more than collecting ransom payments: according to the report, its other capabilities include collecting sensitive data and planting a backdoor.
Anatova's anti-analysis process
Once launched, the ransomware first reads the username of the logged-in user and compares it against an encrypted list of names. If the username matches, the ransomware runs its cleanup routine and exits without encrypting anything. The names checked are LaVirulera, tester, Tester, analyst, Analyst, lab, Lab, Malware and malware; note that the list carries both capitalisations of several names.
“Some analysts or virtual machines/sandboxes are using these default usernames in their setup, meaning that the ransomware will not work on these machines/sandboxes,” said McAfee.
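The username gate described above, turned into a sandbox hygiene check. This is an added example, not code from the McAfee report or from the malware: it reproduces only the decision the article describes (an exact match of the logged-in username against the fixed list causes cleanup and exit), and the fleet inventory at the bottom is constructed, not real data.

```python
"""Sandbox hygiene check against Anatova's username-based anti-analysis gate.

Added example; it models only the decision described in the article: an
exact match of the logged-in username against a fixed list makes the sample
clean up and exit without encrypting anything.
"""
import getpass

# Usernames the article reports Anatova compares against.
ANATOVA_BLOCKLIST = frozenset({
    "LaVirulera", "tester", "Tester", "analyst", "Analyst",
    "lab", "Lab", "Malware", "malware",
})


def anatova_would_abort(username: str) -> bool:
    """True if a sample run under this account would clean up and exit.

    The comparison is a literal string match, which is why the list carries
    both 'analyst' and 'Analyst'; other spellings such as 'ANALYST' pass.
    """
    return username in ANATOVA_BLOCKLIST


def unsafe_sandbox_accounts(accounts):
    """Return the account names on which the sample would never detonate,
    sorted, so they can be renamed before analysis."""
    return sorted(a for a in accounts if anatova_would_abort(a))


def suggest_name(username: str) -> str:
    """Hypothetical helper: a minimally changed name that escapes the list,
    showing that the check is literal ('Analyst' -> 'Analyst1')."""
    candidate = username
    while anatova_would_abort(candidate):
        candidate += "1"  # keep appending until it is no longer an exact match
    return candidate


if __name__ == "__main__":
    me = getpass.getuser()
    print(f"current user {me!r}: sample would abort = {anatova_would_abort(me)}")
    # Constructed inventory of sandbox VM accounts (not real data).
    fleet = ["sandbox01", "Analyst", "lab", "john.doe", "ANALYST", "malware"]
    print("accounts to rename:", unsafe_sandbox_accounts(fleet))
    for name in unsafe_sandbox_accounts(fleet):
        print(f"  {name} -> {suggest_name(name)}")
```

Run it on each detonation VM before analysis; any account it reports will never produce encryption activity from this family, so the run would look like a benign sample.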
Anatova also deletes the Volume Shadow Copies ten times in a row to eliminate the possibility of recovering files from the infected system's snapshots.
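A detection for the burst of shadow-copy deletions described above. This is an added example, not code from the McAfee report or from the malware. The article says only that the copies are deleted ten times in a row; the command-line forms matched below (vssadmin and wmic shadow-copy deletion) are an assumption about how that is typically done, the process-creation log format is a simplified one of my own, and the log lines are constructed rather than captured.

```python
"""Flag repeated Volume Shadow Copy deletion in process-creation logs.

Added example. A single shadow-copy deletion is routine administration; the
signal here is many deletions from one parent process in a short window.
Command patterns are an assumption; the log is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed command lines used to destroy shadow copies (case-insensitive).
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
]

# Constructed records, one per line: "ISO timestamp|pid|ppid|command line".
# One legitimate admin deletion at 09:58, then ten from parent 4321 in ten seconds.
SAMPLE_LOG = "\n".join(
    ["2019-01-20T09:58:00|3001|1200|vssadmin.exe delete shadows /all /quiet"]
    + [f"2019-01-20T10:00:{i:02d}|{5000 + i}|4321|VSSADMIN.EXE Delete Shadows /All /Quiet"
       for i in range(10)]
    + ["2019-01-20T10:00:11|5010|4321|notepad.exe readme.txt"]
)


def parse_line(line: str):
    ts, pid, ppid, cmd = line.split("|", 3)
    return datetime.fromisoformat(ts), int(pid), int(ppid), cmd


def is_shadow_delete(cmd: str) -> bool:
    return any(p.search(cmd) for p in SHADOW_DELETE_PATTERNS)


def find_repeated_shadow_deletion(log_text: str, min_count: int = 3,
                                  window: timedelta = timedelta(seconds=60)):
    """Group deletions by parent pid and alert when at least `min_count`
    fall inside any `window`. Returns a list of alert dicts."""
    by_parent = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, _pid, ppid, cmd = parse_line(line)
        if is_shadow_delete(cmd):
            by_parent[ppid].append(ts)

    alerts = []
    for ppid, times in by_parent.items():
        times.sort()
        best, span, j = 0, None, 0
        # Sliding window over sorted timestamps: j only ever moves forward.
        for i in range(len(times)):
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i > best:
                best, span = j - i, (times[i], times[j - 1])
        if best >= min_count:
            alerts.append({"ppid": ppid, "count": best,
                           "first": span[0].isoformat(), "last": span[1].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in find_repeated_shadow_deletion(SAMPLE_LOG):
        print(f"parent {alert['ppid']}: {alert['count']} shadow-copy deletions "
              f"between {alert['first']} and {alert['last']}")
```

The lone deletion from parent 1200 is not reported; the ten from parent 4321 produce one alert. Tune `min_count` and `window` to your environment, but keep the threshold above one so routine backup maintenance does not page anyone.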
It targets only files of 1 MB or smaller to keep the encryption process quick. Encrypted files get no new extension, so a changed file name cannot be relied on to tell which files have been hit.
Unlike some other families, it writes the ransom note only into folders where it encrypted at least one file, rather than into every directory it walked.
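A triage scan for the two properties just described: files are encrypted in place with no extension change, and only files of 1 MB or smaller are touched. This is an added example, not code from the McAfee report or the malware. It looks at exactly the population Anatova would touch (files up to 1 MiB, taking the article's "1MB" as 1 MiB, which is an assumption), flags those whose bytes have near-random entropy despite a normally compressible extension, and groups hits by folder, which is also where the note would be expected. The sample tree it builds is constructed test data.

```python
"""Entropy triage for files encrypted in place without an extension change.

Added example. Because Anatova appends no extension, the scan cannot key on
file names; it measures byte entropy instead, restricted to files up to
1 MiB (the size limit the article reports), and reports hits per folder.
"""
import math
import os
import tempfile
from collections import Counter

MAX_SIZE = 1024 * 1024        # assumed interpretation of the article's 1 MB
ENTROPY_THRESHOLD = 7.5       # bits per byte; random data approaches 8.0
# Formats that are high-entropy by design; skipped to avoid false positives.
COMPRESSED_EXTS = {".zip", ".gz", ".7z", ".rar", ".jpg", ".jpeg", ".png",
                   ".mp4", ".pdf", ".docx", ".xlsx", ".pptx"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root: str) -> dict:
    """Return {folder relative to root: [flagged file names]} for files that
    are <= MAX_SIZE, not a known compressed format, and above the entropy
    threshold. Larger files are skipped because the family leaves them alone."""
    flagged = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if os.path.splitext(name)[1].lower() in COMPRESSED_EXTS:
                continue
            path = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(path)
            except OSError:
                continue
            if size == 0 or size > MAX_SIZE:
                continue
            with open(path, "rb") as fh:
                data = fh.read()
            if shannon_entropy(data) >= ENTROPY_THRESHOLD:
                rel = os.path.relpath(dirpath, root)
                flagged.setdefault(rel, []).append(name)
    return flagged


def build_sample_tree() -> str:
    """Constructed victim-like tree: one plain text file, one small file whose
    random bytes stand in for in-place encryption, one archive that is
    legitimately high-entropy, and one oversized random file."""
    root = tempfile.mkdtemp(prefix="anatova_triage_")
    docs = os.path.join(root, "docs")
    pics = os.path.join(root, "pics")
    os.makedirs(docs)
    os.makedirs(pics)
    with open(os.path.join(docs, "notes.txt"), "wb") as fh:
        fh.write(b"Quarterly report draft, second revision. " * 200)
    with open(os.path.join(docs, "budget.xls"), "wb") as fh:
        fh.write(os.urandom(4096))            # encrypted in place, same name
    with open(os.path.join(docs, "archive.zip"), "wb") as fh:
        fh.write(os.urandom(4096))            # high entropy but expected
    with open(os.path.join(pics, "capture.raw"), "wb") as fh:
        fh.write(os.urandom(2 * MAX_SIZE))    # above the size limit, skipped
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for folder, names in scan_tree(sample).items():
        print(f"{folder}: {', '.join(names)}")
```

Only `docs/budget.xls` is reported. The entropy test is a heuristic: genuinely compressed or already-encrypted user data in an unlisted format will also score high, so treat hits as candidates for manual review rather than proof of encryption.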