A new family of ransomware that was discovered in a private peer-to-peer network earlier this month has prompted a warning from researchers due to its apparent modular capabilities and its sophisticated coding and anti-analysis techniques.
Nicknamed Anatova, the ransomware has already been detected in at least several hundred machines around the world, despite having a recent compilation date of Jan. 1, according to a blog post published yesterday by McAfee Labs. McAfee telemetry data shows the U.S. has been hit hardest so far, followed by Belgium, Germany, France and the U.K.
Blog post author and senior malware analyst Alexandre Mundo reports that the malware borrows the icon of a game or application to disguise itself, in hopes that potential victims will be lured into downloading it. If that happens, and the infection chain reaches its completion, Anatova encrypts not only files on the victim's machine, but also files on network shares – a potential worst case scenario for large organizations.
Anatova uses the Salsa20 algorithm for its encryption, ignoring files under 1 MB in order to save time while doing damage to the larger assets. To salvage the sabotaged files, victims must pay a ransom of 10 Dash coins, which is valued at roughly $700, as of the writing of this article.
"The developers/actors behind Anatova are, according our assessment, skilled malware authors," Mundo writes. "We draw this conclusion as each sample has its own unique key, as well as other functions... [that] we do not often see in ransomware families."
Notably, the researchers observed that Anatova looks for a flag whose value can trigger the loading of two extra DLLs files. "This might indicate that Anatova is prepared to be modular or to be extended with more functions in the near future," the blog post states.
Meanwhile, the ransomware protects itself from analysis using a series of defensive maneuvers. For example, it encrypts most of its strings, with multiple decryption keys embedded in the executable. Also, it checks the victim's active username against a blacklist that includes terms like "tester," "malware" and "analyst." If such words appear, the ransomware will not work.
To further frustrate security experts, the ransomware clean the computer’s memory of any key value data, to prevent the possibility of dumping this information from memory as a means of creating a decryption program.
McAfee notes that the ransomware is programmed not to attack machines based in all CIS countries, Syria, Egypt, Morocco, Iraq and India. Such restrictions can sometimes, but not always offer attribution clues.
The next step is to prepare a buffer of memory and with all of the info encrypted (Salsa20 key, Salsa20 IV, and private RSA key). It makes a big string in BASE64 using the function “CryptBinaryToStringA.” The ransomware will later clean the computer’s memory of the key, IV, and private RSA key values, to prevent anyone dumping this information from memory and creating a decrypter. Responding victims are then allowed to decrypt one .jpg file of maximum size 200KB free of charge, as proof that they the decrypted files can be retrieved.