Anatova: The new ransomware infecting hundreds of devices around the world


This new and sophisticated malicious software is able to bypass the best security measures

A new ransomware family discovered at the beginning of 2019 has generated alarm in the cybersecurity community because of its apparently modular design and well-developed coding techniques, report specialists in network security and ethical hacking from the International Institute of Cyber Security. McAfee researchers have dubbed this ransomware ‘Anatova’.

Although it has not even been a month since it was identified, Anatova ransomware has already infected hundreds of computers around the world, report network security specialists. According to the research, the countries with the most Anatova infections so far are the United States, Germany, France and Belgium.

Malware expert Alexandre Mundo states that Anatova disguises itself with the icon of a game or application to lure the victim into downloading the malicious software. Once downloaded, installed and executed, Anatova encrypts the files on the compromised machine; in addition, it can encrypt files on network shares, an especially dangerous scenario for larger organizations.

According to network security specialists, Anatova uses the Salsa20 algorithm for encryption and skips files smaller than 1 MB, so that it can hit large companies in a shorter window of time. The ransom demanded by the criminals is 10 units of the Dash cryptocurrency, each currently worth around $700 USD.

In his report, Mundo mentions: “According to what we know so far, the developers behind Anatova must be highly qualified hackers; each malware sample contains a unique key of its own, among other features that are not frequently found in other ransomware families”.

The researchers also noticed that Anatova checks a flag whose value can trigger the loading of two additional DLLs. “This might indicate that Anatova is ready to be modular, or it could be an indication that developers will integrate other functions into the code in the future”, says Mundo.

In addition, the ransomware hinders analysis through a series of defensive tactics. For example, most of its strings are encrypted, using multiple decryption keys embedded in the executable file. It also carries a blacklist of usernames containing terms such as ‘tester’, ‘malware’ or ‘analyst’; if Anatova finds one of these terms in the current username, it simply does not run.
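The username blacklist described above is a common sandbox-evasion check, and it cuts both ways for defenders: an analysis VM whose account is called something like “malware-tester” will never see the payload detonate. The following Python script is an added example and is not code from the article or from McAfee’s research. It does two things an analyst would want here: it pulls printable ASCII and UTF-16LE strings out of a binary blob and reports which of the blacklisted terms appear in them (useful for triaging samples that carry such a list in the clear), and it checks whether a proposed sandbox account name would trip the same blacklist. The term list contains only the three words named in the article; the sample bytes are constructed for the demonstration and are not taken from any real Anatova sample.

```python
import re

# Terms named in the article as Anatova's username blacklist.
ANALYST_TERMS = ("tester", "malware", "analyst")


def extract_strings(data: bytes, min_len: int = 4):
    """Return printable ASCII and UTF-16LE strings of at least min_len characters."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # UTF-16LE: each printable byte is followed by a NUL byte.
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16le") for m in wide_re.finditer(data)]
    return found


def find_analyst_terms(data: bytes):
    """Map each blacklist term to the recovered strings that contain it (case-insensitive)."""
    hits = {}
    for s in extract_strings(data):
        low = s.lower()
        for term in ANALYST_TERMS:
            if term in low:
                hits.setdefault(term, set()).add(s)
    return {term: sorted(strings) for term, strings in hits.items()}


def sandbox_username_ok(username: str) -> bool:
    """Defender-side check: True if this account name would NOT trip the blacklist."""
    low = username.lower()
    return not any(term in low for term in ANALYST_TERMS)


# Constructed sample blob: a fake PE-style header stub, one wide string,
# some non-printable noise, one ASCII string and an API name. Not real malware.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 8
    + "Malware".encode("utf-16le") + b"\x00\x00"
    + b"\x13\x01"
    + b"analyst\x00"
    + b"GetUserNameW\x00"
)

if __name__ == "__main__":
    print(find_analyst_terms(SAMPLE))
    for name in ("jsmith", "MalwareTester"):
        print(name, "safe for sandbox:", sandbox_username_ok(name))
```

Because the article states that Anatova encrypts most of its strings, a static scan like this may find nothing on the packed sample; the same `find_analyst_terms` function can be run over strings recovered from a memory dump or from a string-decryption script instead. The `sandbox_username_ok` check is the practical takeaway: keep analysis accounts named like ordinary users.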

Finally, the ransomware is able to wipe its traces from the machine’s memory, so that a memory dump yields no information that could help in developing tools to undo the encryption.

The researchers emphasize that Anatova was designed not to infect devices located in the Commonwealth of Independent States (CIS) countries, as well as some territories in Asia. This can sometimes hint at the origin of a malware’s authors, although it is not a rule that holds without exception.