
Anatova: The new ransomware infecting hundreds of devices around the world

This new and well-crafted ransomware ships with several anti-analysis techniques that make it hard to study and detect

A new ransomware family discovered at the beginning of 2019 has generated alarm in the cybersecurity community because of its apparently modular design and its well-developed coding techniques, report specialists in network security and ethical hacking from the International Institute of Cyber Security. McAfee researchers have dubbed the ransomware 'Anatova'.

Although it was identified less than a month ago, Anatova has already infected hundreds of computers around the world, report network security specialists. According to the research, the countries with the most Anatova infections so far are the United States, Germany, France and Belgium.

McAfee malware analyst Alexandre Mundo reports that Anatova disguises itself with the icon of a game or application to entice the victim into downloading it. Once downloaded and executed, Anatova encrypts files on the compromised machine and can also encrypt files on network shares, an especially dangerous scenario for larger organizations.

According to specialists in network security, Anatova encrypts files with the Salsa20 stream cipher and applies a 1 MB size cutoff per file, a speed optimization that lets it damage a large company's data in a short window of time before anyone reacts. The ransom demanded by the criminals is 10 DASH; with the cryptocurrency currently trading at around $700 USD per unit, that is roughly $7,000 per victim.

In his report, Mundo mentions: “According to
what we know so far, the developers behind Anatova must be highly qualified
hackers; each malware sample contains a unique key of its own, among other
features that are not frequently found in other ransomware families”.

The researchers also noticed that Anatova checks a flag whose value triggers the loading of two additional DLLs. "This might indicate that Anatova is ready to be modular, or it could be an indication that developers will integrate other functions into the code in the future", says Mundo.

In addition, the ransomware hinders analysis through a series of defensive tactics. Most of its strings are stored encrypted, and it uses multiple decryption keys embedded in the executable to recover them at runtime. It also carries a blacklist of usernames, checking for terms such as 'tester', 'malware' or 'analyst'; if Anatova finds one of these terms in the current username, it assumes it is running in an analysis environment and simply does not run.

Finally, the ransomware wipes its key material from memory once it is done with it, so that a memory dump of the infected machine yields nothing that could help analysts build a decryption tool.

The researchers emphasize that Anatova is designed not to run on devices located in the Commonwealth of Independent States (CIS) countries, as well as in some territories in Asia. Exclusions of this kind sometimes hint at where the authors of a piece of malware are based, although it is not a rule that holds without exception.
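The two environment checks described above (the analyst-username blacklist and the CIS geographic exclusion) can be modelled together to show why a sample like this may refuse to detonate in a sandbox. The code below is an added example written for this article; it is not Anatova's code and it is not McAfee's analysis tooling. The blacklist terms and the CIS exclusion come from the reporting; the case-insensitive substring matching rule, the country list used for the locale check, the `HostProfile`, `should_run` and `triage` names and the sample hosts are assumptions made for illustration.

```python
"""Model of Anatova-style environment gating (added example, not the malware's
own code). Blacklist terms and the CIS exclusion come from the article; the
matching rule, the country list and all names here are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Username fragments named in the reporting; a match aborts execution.
USERNAME_BLACKLIST = ("tester", "malware", "analyst")

# Commonwealth of Independent States members (ISO 3166-1 alpha-2). The report
# also mentions unnamed Asian territories, so only the CIS set is modelled here
# (assumption: the check is done on a country code derived from the locale).
CIS_COUNTRIES = frozenset({"RU", "BY", "KZ", "KG", "TJ", "UZ", "AM", "AZ", "MD"})


@dataclass(frozen=True)
class HostProfile:
    username: str       # e.g. the value of %USERNAME% on the host
    country_code: str   # ISO 3166-1 alpha-2, e.g. from the system locale


def blocked_username_term(username: str) -> Optional[str]:
    """Return the blacklist term found in the username, else None.

    'Similar terms' in the reporting is interpreted as a case-insensitive
    substring match, so 'Malware-Analyst01' trips on 'malware'.
    """
    lowered = username.lower()
    for term in USERNAME_BLACKLIST:
        if term in lowered:
            return term
    return None


def should_run(profile: HostProfile) -> Tuple[bool, str]:
    """Decide whether the payload would run on this host, and why.

    Returns (True, "ok") when no gate fires, otherwise (False, reason).
    Gates are evaluated in the order the article lists them: analyst
    username first, then geography.
    """
    term = blocked_username_term(profile.username)
    if term is not None:
        return False, f"username contains '{term}'"
    country = profile.country_code.upper()
    if country in CIS_COUNTRIES:
        return False, f"host locale {country} is excluded"
    return True, "ok"


# Constructed sample hosts for the demonstration; not real observations.
SAMPLE_HOSTS: List[HostProfile] = [
    HostProfile("jsmith", "US"),
    HostProfile("Malware-Analyst01", "DE"),
    HostProfile("ivanov", "RU"),
    HostProfile("tester", "FR"),
]


def triage(hosts: List[HostProfile]) -> Dict[str, str]:
    """Map each username to the gate outcome.

    Useful when naming a sandbox VM so that a sample actually detonates, or,
    conversely, when deciding how to make an analysis box look uninteresting.
    """
    return {h.username: should_run(h)[1] for h in hosts}


if __name__ == "__main__":
    for user, verdict in triage(SAMPLE_HOSTS).items():
        print(f"{user:20s} -> {verdict}")
```

The practical lesson for a sandbox operator is the inverse of the malware author's: if a sample exits silently with no file activity, check whether the analysis VM's username or locale would trip a gate like this before concluding the sample is inert, and keep at least one detonation box with an innocuous username and a Western locale.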
