Anatova, A modular ransomware

While everyone was engaged in new year celebrations, malware authors were busy creating new ransomware for 2019. Quick Heal Security Labs has observed the first ransomware of 2019 — Anatova.

During our analysis, we found that Anatova is not just ransomware but a modular one. By modular ransomware we mean, though the main activity of this ransomware will be encrypting the data, it can also be used to infect user’s PC in many ways as it has that provision as well.

Anatova has a different algorithm and execution techniques. That tells us, Anatova Malware authors are skilled and might have already set plans to infect more in future using modular techniques.

As this malware is coded with high intelligence and found to be destructive, we decided to come up with a detailed analysis report and its prevention techniques.

Quick Heal Security Lab Analysis

Unlike other ransomware, Anatova encrypts the files but doesn’t add any extension to the encrypted files. It encrypts all the files except from the folders which are present at the important location of the system such as ‘windows’, ‘program files’, ‘program files(x86)’,’boot’ etc.

Further, while traversing directories to encrypt files, it skips few files of windows and those are desktop.ini, boot init, pagefile.sys etc. It also skips few of the extensions i.e. .exe, .cmd, ini & .dll etc.

Smartly, this ransomware encrypts files whose size is =<1MB, and if the size is more than 1 MB then it will only encrypt the data of 1 MB from that file, we suspect that it does it to take lesser time for encryption and to avoid the detection from the security software.

After encryption, Anatova demands ransom payment in cryptocurrency of 10 DASH which calculates to somewhere around $700 USD.

Anatova lures users into downloading the ransomware with its game like icon. The hashes we analyzed were 64bit applications build in January 2019 and requires administrative privileges as shown in the below snippet.

Fig 1: Require Administrative Privileges

Though the samples had different sizes, the main payload had 307 KB size which included resources (a game like icons). Researchers also found an uncommon behavior during analysis which is, malware already had created set of arrays which holds mostly used functions of windows library in encrypted format, as and when required, it uses decryption loop that allocates runtime memory to decrypt the encrypted strings, gain the function name, get the address of decrypted string using “GetProcAddress” function and release the memory once the process is completed, initially, it decrypts kernel32.dll library and its functions.

This behavior pattern wasn’t observed in any other ransomware.

The decryption loop has been explained in the following snippet

Fig 2: Decryption loop

Once the ransomware enters the system, it uses anti-analysis technique for this it’ll firstly gain system information, gets user name using ‘GetUserName’ API, it compares the username with the stored blacklisted usernames, for which it decrypts the blacklisted usernames using decryption loop as mentioned earlier. If it finds the matching usernames, ransomware will move for cleanup and exit the process without performing any activity. Hard-coded user names are as follows: –

Hardcoded part is shown below in snippet

Fig 3: Hardcoded User Names

The thing to note is, upon entering into user’s PC, it generates constant mutex which tells that the system is already infected with Anatova or not. Ransomware has a code to verify constant mutex using “GetLastError” function, which returns error code ‘0xB7’ indicating ‘Error_Already_Exits’ which means that same mutex has already created before and the process should be terminated as shown in the below snippet.

Fig 4:  Mutex check.

Anatova uses “GetSystemDefaultUILangauge” api to gain the system’s default language which is set at the time of first installation of Operating System, depending on the default language it decides whether to perform the activity or not as it has skipped few countries where it’ll not do any harm. The snippet below shows the code part

Fig 5: Gets Default Language.

Moreover, it has a check to verify 38 processes and if found, ransomware terminates them to encrypt the files associated with them.

The processes are as shown below

How Encryption takes place?

After all, checks are satisfied, Anatova finally does the encryption activity using a combination of RSA and Salsa 20 Algorithm. To save the hassle and not to encrypt the same file again, it adds a marker of the encrypted content of 4 bytes at the end of the file (Refer fig.no 7 & 8). While traversing each file for encryption it first checks the 4 bytes at the end of the file so the same file doesn’t get encrypted again and in turn saves time.

Anatova has used cryptencrypt API to encrypt the files as shown below

Fig 6: API used for encryption.

Code part for the same is shown in below snippet: –

Fig 7: Encryption for marker

Fig 8: Highlighted Encrypted String and hex address

Anatova not only encrypts system drives but also checks remote location to encrypt. It checks for all instances, DRIVE_FIXED to check the local drives and DRIVE_REMOTE to verify remote(network) location.

Fig 9: Check Drive Type

In the end, Anatova deletes windows shadow copies using the vssadmin program as shown in below snippet

Fig 10: VSSAdmin command

After encryption and deleting the shadow copies, ransomware deletes itself as shown below.

Fig 11: Self-deletion

After encryption, it drops ransom note mentioning the email-ids and ransom to pay.

Fig.12: Ransom note

Good news, Quick Heal users are safe.

Quick Heal successfully blocks Anatova ransomware with the following protection layers:

• Virus Protection
• Behavior-based Detection
• Anti-Ransomware

Fig 13: Quick Heal Virus Protection

Fig 14: Anti-ransomware Protection

Fig 15: Behavior detection Protection

How to stay safe from ransomware attacks:

• Always take a backup of your important data in external drives like HDD and pen drives. Consider using a reliable Cloud service to store the data.
• Do not install any freeware or cracked versions of any software.
• Do not open any advertisement pages shown on websites without knowing that they are genuine.
• Disable macros while using MS Office.
• Update your antivirus to protect your system from unknown threats.
• Do not click on links or download attachments in emails from unexpected, unknown or unwanted sources.

Indicators of compromise:

 SHA’s: –

• 170fb7438316f7335f34fa1a431afc1676a786f1ad9dee63d78c3f5efd3a0ac0
• 75371ff38823885b47aa21d2883792a5470e9bf1f3d2dc93f512725f35491820
• 97fb79ca6fc5d24384bf5ae3d01bf5e77f1d2c0716968681e79c097a7d95fb93
• ab8a76b64448b943dc96a3e993b6e6b37af27c93738d27ffd1f4c9f96a1b7e69
• bd422f912affcf6d0830c13834251634c8b55b5a161c1084deae1f9b5d6830ce

Ransomnote.txt as shown in fig. 12

Subject Matter Experts:

Poonam Dongare , Nagesh Lathkar | Quick Heal Security Labs

Shriram Munde