Anatova ransomware: a new threat with distinctive features

Anatova ransomware, a multifunctional malware family, has been seen around the world, including in Belgium, Germany, France, the UK, Russia and the US. It was discovered on peer-to-peer networks, where it is disguised with the icon of a video or another program.

McAfee researchers recently published a report on this new threat. According to the report, Anatova ransomware encrypts the personal data stored on the system using what its authors describe as a “robust” encryption algorithm and then demands 1 DASH ($700) from the victim in exchange for the decrypter.

According to McAfee researchers, Anatova ransomware could become a prominent threat in the future:

“The developers/actors behind Anatova are, according to our assessment, skilled malware authors. We draw this conclusion as each sample has its own unique key, as well as other functions we will describe, which we do not often see in ransomware families.”

Some more facts about the Anatova ransomware

Before infecting a system, the ransomware performs several checks. First it checks the login username of the computer's owner. If the username is on a predetermined list, such as “LaVirulera,” “tester,” “analyst,” “lab,” or “malware,” the malware exits, which indicates that the developers do not want the malware to be examined by researchers.

Next, the malware checks the language of the machine to determine which country it belongs to. It does not attack machines in the following countries:

  • The Commonwealth of Independent States (CIS countries)
  • Syria
  • Egypt
  • Morocco
  • Iraq
  • India

The reason for this is not yet clear; one possible conclusion is that the criminals are from these countries and therefore excluded all of them.

The two most alarming features of Anatova ransomware

According to experts, its two most alarming features are its anti-analysis measures and its ability to evolve through a modular architecture. The ransomware protects its strings, both Unicode and ASCII, with encryption. Each requires a unique key to be decrypted, and these keys are hidden within the executable.

It relies on a small set of legitimate Windows APIs of the kind any ordinary program uses: GetModuleHandleW, LoadLibraryW, GetProcAddress, ExitProcess and MessageBoxA. It can also load extra1.dll and extra2.dll, which add capabilities and functions to the ransomware. It then begins its destructive work on the system: terminating several running processes, encrypting files, and dropping a ransom note that demands the fee.
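As an added example (not code from the article or from McAfee's report), the following Python triage helper looks for the API names and module names listed above in both their ASCII and UTF-16LE (“Unicode”) forms, which is the first thing an analyst checks when an unpacked sample or memory dump lands on the desk; the binary it scans is a constructed stand-in, not a real sample.

```python
# Added example, not code from the article or from McAfee's report: a triage
# helper that searches a binary blob for the indicator strings the article
# names, in both ASCII and UTF-16LE ("Unicode") form, and reports each hit.
from typing import Dict, List

# Indicator strings taken from the article: the Windows APIs the sample relies
# on and the two optional modules it can load.
INDICATORS = [
    "GetModuleHandleW", "LoadLibraryW", "GetProcAddress",
    "ExitProcess", "MessageBoxA", "extra1.dll", "extra2.dll",
]


def find_indicators(blob: bytes, indicators: List[str] = INDICATORS) -> Dict[str, List[str]]:
    """Return {indicator: [encodings found]} for every indicator in blob.

    Each name is searched as ASCII and as UTF-16LE, since Windows binaries
    carry both forms. Because Anatova encrypts its strings on disk, a scan
    like this only finds them in an unpacked sample or a post-decryption
    memory dump, which is itself a useful signal when triaging.
    """
    hits: Dict[str, List[str]] = {}
    for name in indicators:
        found = []
        if name.encode("ascii") in blob:
            found.append("ascii")
        if name.encode("utf-16-le") in blob:
            found.append("utf-16le")
        if found:
            hits[name] = found
    return hits


def build_sample_blob() -> bytes:
    """Constructed stand-in for a dumped binary (not a real sample)."""
    parts = [
        b"MZ\x90\x00" + b"\x00" * 16,                     # fake DOS header
        b"GetProcAddress\x00",                            # ASCII import name
        b"LoadLibraryW\x00",
        "extra1.dll".encode("utf-16-le") + b"\x00\x00",   # wide module name
        b"MessageBoxA\x00",                               # same name in both
        "MessageBoxA".encode("utf-16-le") + b"\x00\x00",  # encodings
        b"\xde\xad\xbe\xef" * 8,                          # unrelated bytes
    ]
    return b"".join(parts)


if __name__ == "__main__":
    for name, encs in sorted(find_indicators(build_sample_blob()).items()):
        print(f"{name:18s} {', '.join(encs)}")
```

Running it against the constructed blob reports GetProcAddress and LoadLibraryW as ASCII only, extra1.dll as UTF-16LE only, and MessageBoxA in both encodings.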