While everyone was engaged in new year celebrations, malware authors were busy creating new ransomware for 2019. Quick Heal Security Labs has observed the first ransomware of 2019 — Anatova.
During our analysis we found that Anatova is not just ransomware but modular ransomware. By modular we mean that, although its main activity is encrypting data, it also has provisions for infecting a user’s PC in other ways.
Anatova uses algorithms and execution techniques that differ from those of other ransomware. This suggests that its authors are skilled and may already be planning further infections that make use of these modular capabilities.
Because this malware is carefully coded and destructive, we decided to publish a detailed analysis report along with prevention techniques.
Quick Heal Security Lab Analysis
Unlike most other ransomware, Anatova encrypts files without adding any extension to the encrypted files, so an encrypted file cannot be recognised by its name alone. It encrypts all files except those in folders at important system locations such as ‘Windows’, ‘Program Files’, ‘Program Files (x86)’ and ‘Boot’.
While traversing directories to encrypt files, it also skips a few Windows files such as desktop.ini, boot init and pagefile.sys, and a few extensions such as .exe, .cmd, .ini and .dll.
Files of size ≤ 1 MB are encrypted entirely; for files larger than 1 MB only the first 1 MB of data is encrypted. We suspect this is done to shorten encryption time and to reduce the chance of detection by security software.
After encryption, Anatova demands a ransom payment of 10 DASH, which at the time of analysis was roughly $700 USD.
Anatova lures users into downloading it by using a game-like icon. The samples we analyzed were 64-bit applications built in January 2019 that require administrative privileges, as shown in the snippet below.
Fig 1: Require Administrative Privileges
Though the samples differed in size, the main payload was 307 KB, including resources (the game-like icons). We also found uncommon behaviour during analysis: the malware keeps a set of arrays holding the names of commonly used Windows library functions in encrypted form. Whenever a function is needed, a decryption loop allocates memory at runtime, decrypts the string to recover the function name, resolves the function’s address by passing the decrypted name to GetProcAddress, and releases the memory once done. The kernel32.dll library and its functions are decrypted first. As a result, the API names appear neither in the import table nor in a plain strings dump of the binary, so static analysis alone does not reveal which functions the sample calls.
We have not observed this behaviour pattern in any other ransomware.
The decryption loop is shown in the following snippet.
Fig 2: Decryption loop
Once the ransomware is running on the system, it applies an anti-analysis technique. It first gathers system information and retrieves the current user name with the GetUserName API, then compares it against a list of blacklisted user names, which it decrypts using the decryption loop described above. If the user name matches one of them, the ransomware performs its cleanup and exits without doing anything else. The hard-coded user names are as follows:
The hard-coded part is shown in the snippet below
Fig 3: Hardcoded User Names
Note that on entering the user’s PC it creates a mutex with a constant name, which indicates whether the system is already infected with Anatova. The code verifies the result of creating this mutex with the GetLastError function: error code 0xB7 (183, ERROR_ALREADY_EXISTS) means the same mutex was created earlier, so the process terminates, as shown in the snippet below.
Fig 4: Mutex check.
Anatova uses the GetSystemDefaultUILanguage API to obtain the system’s default UI language, which is set when the operating system is first installed, and uses it to decide whether to proceed: it skips a few countries where it does no harm. The snippet below shows the relevant code.
Fig 5: Gets Default Language.
It also checks for 38 processes and, if any of them are running, terminates them so that the files they hold open can be encrypted.
The processes are as shown below
How does encryption take place?
Once all checks are satisfied, Anatova carries out the encryption using a combination of RSA and the Salsa20 algorithm. To avoid the hassle of encrypting the same file twice, it appends a 4-byte marker, derived from the encrypted content, to the end of each file (refer to fig. 7 and 8). While traversing files for encryption it first checks the last 4 bytes of the file, so a file that is already encrypted is not encrypted again, which saves time.
Anatova uses the CryptEncrypt API to encrypt files, as shown below
Fig 6: API used for encryption.
The code for this is shown in the snippet below:
Fig 7: Encryption for marker
Fig 8: Highlighted Encrypted String and hex address
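Because Anatova adds no extension and encrypts at most the first 1 MB of a file, the 4-byte tail marker is the only reliable file-level trace an incident responder can search for. The following Python script is an added example, not code from the Quick Heal report or from the malware itself: it walks a directory, reports which files end with a given marker, and measures the entropy of the first 1 MB (the region that would have been encrypted). The actual marker bytes are not given in the report, so MARKER is a placeholder to be replaced with the value observed in the sample under investigation; the two test files it creates are constructed.

```python
import os
import math
import tempfile
from collections import Counter

# Anatova encrypts at most the first 1 MB of each file and appends a 4-byte
# marker; it adds no extension. The report does not give the marker value,
# so MARKER is a placeholder to be replaced with the bytes seen in the sample.
CHUNK = 1024 * 1024            # 1 MB encryption cap described in the report
MARKER = b"\xde\xad\xbe\xef"   # placeholder, NOT the real Anatova marker


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8.0 for ciphertext, much lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def has_marker(path: str, marker: bytes = MARKER) -> bool:
    """True if the file ends with the 4-byte marker the encryptor appends."""
    size = os.path.getsize(path)
    if size < len(marker):
        return False
    with open(path, "rb") as f:
        f.seek(size - len(marker))
        return f.read(len(marker)) == marker


def head_entropy(path: str, limit: int = CHUNK) -> float:
    """Entropy of the region the ransomware would have encrypted (first 1 MB only)."""
    with open(path, "rb") as f:
        return shannon_entropy(f.read(limit))


def scan(root: str, marker: bytes = MARKER) -> list:
    """Return (path, marked, entropy) for every regular file under root."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            results.append((p, has_marker(p, marker), head_entropy(p)))
    return sorted(results)


def make_samples(root: str, marker: bytes = MARKER) -> dict:
    """Constructed test data: one untouched text file and one 2 MB 'encrypted' file."""
    clean = os.path.join(root, "notes.txt")
    with open(clean, "wb") as f:
        f.write(b"quarterly report draft\n" * 200)
    hit = os.path.join(root, "archive.bin")
    with open(hit, "wb") as f:
        f.write(os.urandom(CHUNK))   # stands in for the encrypted first 1 MB
        f.write(b"A" * CHUNK)        # untouched remainder beyond the 1 MB cap
        f.write(marker)              # marker goes at the very end of the file
    return {"clean": clean, "hit": hit}


def demo() -> dict:
    """Build the constructed samples in a temporary directory and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        s = make_samples(tmp)
        results = scan(tmp)
        return {
            "hit_marked": has_marker(s["hit"]),
            "clean_marked": has_marker(s["clean"]),
            "hit_entropy": head_entropy(s["hit"]),
            "clean_entropy": head_entropy(s["clean"]),
            "marked_count": sum(1 for _, marked, _ in results if marked),
            "total": len(results),
        }


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_samples(tmp)
        for path, marked, ent in scan(tmp):
            print(f"{'ENCRYPTED' if marked else 'ok       '} entropy={ent:.2f} {path}")
```

The entropy is deliberately measured over the first 1 MB only: a large file keeps its original bytes beyond the cap, so whole-file entropy would understate the damage. The marker, not the entropy, is treated as the authoritative indicator, since compressed or already-encrypted files are high-entropy even when untouched.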
Anatova encrypts not only local drives but also remote locations. It enumerates all drives and checks their type: DRIVE_FIXED identifies local drives and DRIVE_REMOTE identifies remote (network) locations.
Fig 9: Check Drive Type
Finally, Anatova deletes the Windows shadow copies using the vssadmin program, as shown in the snippet below
Fig 10: VSSAdmin command
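Shadow-copy deletion through vssadmin is one of the most dependable signals that ransomware is about to make recovery impossible, so it is worth a detection rule of its own. The Python below is an added example and not part of the Quick Heal report: it parses a few constructed process-creation records (the Key=Value|Key=Value layout is a simplification of a Sysmon Event ID 1 record, chosen so the example runs offline) and flags any command line that invokes vssadmin to delete shadows, regardless of case, quoting, path or extra arguments. The report does not reproduce the exact arguments Anatova passes; the /all /quiet form used in the samples is the commonly observed one and is an assumption here.

```python
import re

# Any invocation of vssadmin that deletes shadow copies, whatever the path,
# quoting, case or additional flags ("/all /quiet" is usual but not required).
VSSADMIN_DELETE = re.compile(
    r"(?:^|[\\/\s\"'])vssadmin(?:\.exe)?[\"']?\s+.*?\bdelete\s+shadows\b",
    re.IGNORECASE,
)


def is_shadow_copy_deletion(cmdline: str) -> bool:
    """True if the command line deletes volume shadow copies with vssadmin."""
    return bool(VSSADMIN_DELETE.search(cmdline))


def parse_event(line: str) -> dict:
    """Parse one constructed 'Key=Value|Key=Value' process-creation record."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))


def scan_events(lines) -> list:
    """Return (Image, ParentImage, CommandLine) for every record that matches."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        cmd = ev.get("CommandLine", "")
        if is_shadow_copy_deletion(cmd):
            hits.append((ev.get("Image", ""), ev.get("ParentImage", ""), cmd))
    return hits


# Constructed sample telemetry, not real logs. The parent of the first hit is a
# hypothetical downloaded "game" binary, mirroring the game-like icon lure.
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\vssadmin.exe|ParentImage=C:\Users\victim\Downloads\game.exe|CommandLine=vssadmin.exe delete shadows /all /quiet",
    r'Image=C:\Windows\System32\vssadmin.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine="C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet',
    r"Image=C:\Windows\System32\vssadmin.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=vssadmin list shadows",
    r"Image=C:\Windows\System32\notepad.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=notepad.exe delete_shadows_plan.txt",
]


if __name__ == "__main__":
    for image, parent, cmd in scan_events(SAMPLE_EVENTS):
        print(f"ALERT shadow copy deletion: {cmd!r} (parent: {parent})")
```

The parent image is carried through into each hit because it is what separates an administrator running vssadmin from a console against an unknown binary that has just dropped into a Downloads folder; on a real Sysmon or EDR feed the same rule should also be paired with a check that the parent is not a known backup agent.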
After encrypting the files and deleting the shadow copies, the ransomware deletes itself, as shown below.
Fig 11: Self-deletion
After encryption it also drops a ransom note giving the email IDs to contact and the ransom to be paid.
Fig.12: Ransom note
Good news: Quick Heal users are safe.
Quick Heal successfully blocks Anatova ransomware with the following protection layers:
Fig 13: Quick Heal Virus Protection
Fig 14: Anti-ransomware Protection
Fig 15: Behavior detection Protection
How to stay safe from ransomware attacks:
Indicators of compromise:
Ransomnote.txt as shown in fig. 12
Subject Matter Experts:
Poonam Dongare , Nagesh Lathkar | Quick Heal Security Labs