According to a McAfee Labs blog post, a new family of ransomware, nicknamed Anatova, has been detected on several hundred machines across the world, despite having been compiled only on the 1st of January.
It has spread mostly in the USA, but it also appears to hit the UK, France, Belgium and Germany. Anatova is prevented from running in Syria, Egypt, Morocco, Iraq, India and the CIS countries. The ransomware was found on a private peer-to-peer network and got immediate attention from researchers due to its sophisticated coding and decent anti-analysis techniques.
Alexandre Mundo, the author of the blog post, states that the malware disguises itself as a trustworthy application, borrowing its icon, to lure people into downloading it. After being downloaded, Anatova encrypts files on the user’s machine, while also attempting to encrypt files on network shares, a fatal scenario for large organizations.
The ransomware uses the Salsa20 encryption algorithm. The general idea is to deal damage to the larger file assets while ignoring the small ones (less than 1 MB). To get the encrypted files back, users have to pay a ransom of 10 Dash coins (~$700).
Researchers said that the Anatova developers are skilled ransomware writers, since this ransomware has a few unique quirks, such as each sample having its own unique key, in addition to its other functions.
It was also discovered that Anatova checks a certain flag value that can trigger the loading of two extra DLL files. This might mean that the ransomware will gain even more functions in the future. Anatova protects itself from analysis by encrypting most of its strings with multiple decryption keys embedded in the executable. The ransomware also checks the victim’s active username and avoids ones containing the words “tester”, “analyst” and “malware”. Another function cleans the computer’s memory of any key values to prevent the creation of a decryption program.
Anatova builds a memory buffer holding all the encrypted information (the Salsa20 key, the Salsa20 IV and the private RSA key) and turns it into one large Base64 string using the function “CryptBinaryToStringA”. The ransomware then wipes the key values from the computer’s memory, preventing anyone from dumping them and building a decrypter. Victims are allowed to decrypt one file as proof that the files can be retrieved.