Anatova, A modular ransomware

  • 20
    Shares

While everyone was engaged in new year celebrations, malware authors were busy creating new ransomware for 2019. Quick Heal Security Labs has observed the first ransomware of 2019 — Anatova.

During our analysis, we found that Anatova is not just ransomware but a modular one. By modular ransomware we mean, though the main activity of this ransomware will be encrypting the data, it can also be used to infect user’s PC in many ways as it has that provision as well.

Anatova has a different algorithm and execution techniques. That tells us, Anatova Malware authors are skilled and might have already set plans to infect more in future using modular techniques.

As this malware is coded with high intelligence and found to be destructive, we decided to come up with a detailed analysis report and its prevention techniques.

Quick Heal Security Lab Analysis

Unlike other ransomware, Anatova encrypts the files but doesn’t add any extension to the encrypted files. It encrypts all the files except from the folders which are present at the important location of the system such as ‘windows’, ‘program files’, ‘program files(x86)’,’boot’ etc.

Further, while traversing directories to encrypt files, it skips few files of windows and those are desktop.ini, boot init, pagefile.sys etc. It also skips few of the extensions i.e. .exe, .cmd, ini & .dll etc.

Smartly, this ransomware encrypts files whose size is =<1MB, and if the size is more than 1 MB then it will only encrypt the data of 1 MB from that file, we suspect that it does it to take lesser time for encryption and to avoid the detection from the security software.

After encryption, Anatova demands ransom payment in cryptocurrency of 10 DASH which calculates to somewhere around $700 USD.

Anatova lures users into downloading the ransomware with its game like icon. The hashes we analyzed were 64bit applications build in January 2019 and requires administrative privileges as shown in the below snippet.

Fig 1: Require Administrative Privileges

Though the samples had different sizes, the main payload had 307 KB size which included resources (a game like icons). Researchers also found an uncommon behavior during analysis which is, malware already had created set of arrays which holds mostly used functions of windows library in encrypted format, as and when required, it uses decryption loop that allocates runtime memory to decrypt the encrypted strings, gain the function name, get the address of decrypted string using “GetProcAddress” function and release the memory once the process is completed, initially, it decrypts kernel32.dll library and its functions.

This behavior pattern wasn’t observed in any other ransomware.

The decryption loop has been explained in the following snippet

Fig 2: Decryption loop

Once the ransomware enters the system, it uses anti-analysis technique for this it’ll firstly gain system information, gets user name using ‘GetUserName’ API, it compares the username with the stored blacklisted usernames, for which it decrypts the blacklisted usernames using decryption loop as mentioned earlier. If it finds the matching usernames, ransomware will move for cleanup and exit the process without performing any activity. Hard-coded user names are as follows: –

LaVirulera
tester Tester
analyst Analyst
lab Lab
malware Malware

Hardcoded part is shown below in snippet

Fig 3: Hardcoded User Names

The thing to note is, upon entering into user’s PC, it generates constant mutex which tells that the system is already infected with Anatova or not. Ransomware has a code to verify constant mutex using “GetLastError” function, which returns error code ‘0xB7’ indicating ‘Error_Already_Exits’ which means that same mutex has already created before and the process should be terminated as shown in the below snippet.

Fig 4:  Mutex check.

Anatova uses “GetSystemDefaultUILangauge” api to gain the system’s default language which is set at the time of first installation of Operating System, depending on the default language it decides whether to perform the activity or not as it has skipped few countries where it’ll not do any harm. The snippet below shows the code part

Fig 5: Gets Default Language.

Moreover, it has a check to verify 38 processes and if found, ransomware terminates them to encrypt the files associated with them.

The processes are as shown below

 

msftesql.exe agntsvc.exeisqlplussvc.exe ocomm.exe onenote.exe
sqlagent.exe xfssvccon.exe mysqld.exe outlook.exe
sqlbrowser.exe mydesktopservice.exe mysqld-nt.exe powerpnt.exxe
sqlwriter.exe ocautoupds.exe mysqld-opt.exe steam.exe
sqlservr.exe agntsvc.exeagntsvc.exe dbeng50.exe thebat.exe
ocssd.exe agntsvc.exeencsvc.exe sqbcoreservice.exe thebat64.exe
oracle.exe firefoxconfig.exe excel.exe thunderbird.exe
dbsnmp.exe tbirdconfig.exe infopath.exe visio.exe
synctime.exe mydesktopqos.exe msaccess.exe
winword.exe wordpad.exe mspub.exe

How Encryption takes place?

After all, checks are satisfied, Anatova finally does the encryption activity using a combination of RSA and Salsa 20 Algorithm. To save the hassle and not to encrypt the same file again, it adds a marker of the encrypted content of 4 bytes at the end of the file (Refer fig.no 7 & 8). While traversing each file for encryption it first checks the 4 bytes at the end of the file so the same file doesn’t get encrypted again and in turn saves time.

Anatova has used cryptencrypt API to encrypt the files as shown below

Fig 6: API used for encryption.

Code part for the same is shown in below snippet: –

Fig 7: Encryption for marker

Fig 8: Highlighted Encrypted String and hex address

Anatova not only encrypts system drives but also checks remote location to encrypt. It checks for all instances, DRIVE_FIXED to check the local drives and DRIVE_REMOTE to verify remote(network) location.

Fig 9: Check Drive Type

In the end, Anatova deletes windows shadow copies using the vssadmin program as shown in below snippet

Fig 10: VSSAdmin command

After encryption and deleting the shadow copies, ransomware deletes itself as shown below.

Fig 11: Self-deletion

After encryption, it drops ransom note mentioning the email-ids and ransom to pay.

Fig.12: Ransom note

Good news, Quick Heal users are safe.

Quick Heal successfully blocks Anatova ransomware with the following protection layers:

  • Virus Protection
  • Behavior-based Detection
  • Anti-Ransomware

Fig 13: Quick Heal Virus Protection

Fig 14: Anti-ransomware Protection

Fig 15: Behavior detection Protection

How to stay safe from ransomware attacks:

  • Always take a backup of your important data in external drives like HDD and pen drives. Consider using a reliable Cloud service to store the data.
  • Do not install any freeware or cracked versions of any software.
  • Do not open any advertisement pages shown on websites without knowing that they are genuine.
  • Disable macros while using MS Office.
  • Update your antivirus to protect your system from unknown threats.
  • Do not click on links or download attachments in emails from unexpected, unknown or unwanted sources.

Indicators of compromise:

 SHA’s: –

  • 170fb7438316f7335f34fa1a431afc1676a786f1ad9dee63d78c3f5efd3a0ac0
  • 75371ff38823885b47aa21d2883792a5470e9bf1f3d2dc93f512725f35491820
  • 97fb79ca6fc5d24384bf5ae3d01bf5e77f1d2c0716968681e79c097a7d95fb93
  • ab8a76b64448b943dc96a3e993b6e6b37af27c93738d27ffd1f4c9f96a1b7e69
  • bd422f912affcf6d0830c13834251634c8b55b5a161c1084deae1f9b5d6830ce

Ransomnote.txt as shown in fig. 12

 

Subject Matter Experts:

Poonam Dongare , Nagesh Lathkar | Quick Heal Security Labs

Shriram Munde

Shriram Munde


9 Comments

Leave a Reply to Asit Sikdar Cancel reply

Your email address will not be published.

CAPTCHA Image

  1. Avatar Laxmikant S BhumkarJanuary 31, 2019 at 12:15 AM

    Wow.. Shriram Munde, you have written world class research. Proud of the QuickHeal team. All the best.

    Reply
  2. Avatar Sarjerao R YadavFebruary 2, 2019 at 6:52 PM

    Quick is doing excellent job . Always love Quick heal & its sincerity & assured security to this fast moving world.

    Reply
  3. Avatar Jawahar Lal BhargavaFebruary 3, 2019 at 4:13 PM

    Thank you indeed

    Reply
  4. THANK YOU SIR, WE RELY ON YOUR EFFORT TO PROTECT US ALWAYS.
    REGARDS.
    N.PODDAR
    SUBSCRIBER

    Reply
  5. Avatar ajithmullasseryFebruary 4, 2019 at 6:11 AM

    thank you

    Reply
  6. Thank you very much for all your message and all your efforts to protect us ‘Ransomware’ attack. Please keep up the good work.

    Reply
  7. Avatar rajeev kumarFebruary 4, 2019 at 6:34 PM

    great sir your healing effort is commendable.

    Reply
  8. That’s great work Mr. Shriram Munde. I trust QuickHeal will ensure always quick identification of such threats and save subscriber’s computer.

    Reply