![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2019\/01\/Picture1-1.png\")
<\/p>\nDuring our continuous hunt for new threats, we discovered a new ransomware family we call Anatova (based on the name of the ransom note). Anatova was discovered in a private peer-to-peer (p2p) network. After initial analysis, and making sure that our customers are protected, we decided to make this discovery public.<\/p>\n
<\/p>\n
Our telemetry showed that although Anatova is relatively new, we already discovered a widespread detection of the thread around the globe<\/em><\/p>\n We believe that Anatova can become a serious threat since the code is prepared for modular extension.<\/p>\n Additionally, it will also check if network-shares are connected and will encrypt the files on these shares too. The developers\/actors behind Anatova are, according our assessment, skilled malware authors. We draw this conclusion as each sample has its own unique key, as well as other functions we will describe, which we do not often see in ransomware families.<\/p>\n This post will explain the technical details of Anatova, as well as some interesting facts about this new ransomware family.<\/p>\n For the analysis we used this particular hash: 170fb7438316f7335f34fa1a431afc1676a786f1ad9dee63d78c3f5efd3a0ac0<\/strong><\/p>\n The main goal of Anatova is to cipher all the files that it can before requesting payment from the victim.<\/p>\n Anatova usually uses the icon of a game or application to try and fool the user into downloading it. It has a manifest to request admin rights.<\/p>\n Information about the binary<\/em><\/p>\n The Anatova ransomware is a 64bits application with the compile date of January 1st<\/sup>, 2019. The file size of this particular hash is 307kb, but it can change due to the amount of resources used in the sample. If we remove all these resources, the size is 32kb; a very small program with a powerful mechanism inside.<\/p>\n Anatova has some strong protection techniques against static analysis which makes things slightly tricky:<\/p>\n Problem in IDA Pro 7.2 last version<\/em><\/p>\n <\/p>\n At the moment we don\u00b4t know all entry vectors that Anatova is using, or will be using, in the near future. Our initial finding location was in private p2p.<\/p>\n The goal of Anatova, as with other ransomware families, is to encrypt all or many files on an infected system and insist on payment to unlock them. The actor(s) demand a ransom payment in cryptocurrency of 10 DASH \u2013 currently valued at around $700 USD, a quite high amount compared to other ransomware families.<\/p>\n Since this is a novel family, we didn\u2019t find any version number inside the code, but let\u2019s call this version 1.0<\/p>\n The first action that the malware executes is to get the module handle of the library \u201ckernel32.dll\u201d and get 29 functions from it using the function \u201cGetProcAddress\u201d.<\/p>\n Get kernel32 functions after decrypt strings<\/em><\/p>\n If the malware can\u00b4t get the module handle of kernel32, or some of the functions can\u00b4t be found, it will quit without executing any encryption.<\/p>\n Later, the malware will try to create a mutex with a hardcoded name (in this case: 6a8c9937zFIwHPZ309UZMZYVnwScPB2pR2MEx5SY7B1xgbruoO) but the mutex name changes in each sample. If the mutex is created, and gets the handle, it will call the \u201cGetLastError\u201d function and look if the last error is ERROR_ALREADY_EXISTS or ERROR_ACCESS_DENIED. Both errors mean that a previous instance of this mutex object exists. If that is the case, the malware will enter in a flow of cleaning memory, that we will explain later in this post, and finish.<\/p>\n Check mutex<\/em><\/p>\n After this check, Anatova will get some functions from the library \u201cadvapi32.dll\u201d, \u201cCrypt32.dll\u201d and \u201cShell32.dll\u201d using the same procedure as in the kernel case. All text is encrypted and decrypted one per one, get the function, free the memory, and continue with the next one.<\/p>\n If it fails in getting some of these modules or some of the functions it needs, it will go to the flow of cleaning tool and exit.<\/p>\n One interesting function we discovered was that Anatova will retrieve the username of the logged in and\/or active user and compare with a list of names encrypted. If one of the names is detected, it will go to the cleaning flow procedure and exit.<\/p>\n The list of users searched are:<\/p>\n Some analysts or virtual machines\/sandboxes are using these default usernames in their setup, meaning that the ransomware will not work on these machines\/sandboxes.<\/p>\n After this user-check, Anatova will check the language of the system. When we say language, we mean the system language. When a user installs the Windows OS, they choose a language to install it with (though later the user could install a different language). Anatova checks for the first installed language on the system to ensure that a user cannot install one of these blacklisted languages to avoid encryption of the files.<\/p>\n The list of the countries that Anatova doesn\u2019t affect are:<\/p>\n It\u2019s quite normal to see the CIS countries being excluded from execution and often an indicator that the authors might be originating from one of these countries. In this case it was surprising to see the other countries being mentioned. We do not have a clear hypothesis on why these countries in particular are excluded.<\/p>\n Check system language<\/em><\/p>\n After the language check, Anatova looks for a flag that, in all samples we looked at, has the value of 0, but if this flag would change to the value of 1 (the current malware samples never change that value), it will load two DLLs with the names (after decryption) of \u201cextra1.dll\u201d and \u201cextra2.dll\u201d. This might indicate that Anatova is prepared to be modular or to be extended with more functions in the near future.<\/p>\n Load extra modules<\/em><\/p>\n After this, the malware enumerates all processes in the system and compares them with a large list including, for example \u201csteam.exe\u201d, \u201csqlserver.exe\u201d, etc. If some of these processes are discovered, the malware will open them and terminate them. This action is typical of ransomware that attempts to unlock files that later will be encrypted, such as database files, game files, Office related files, etc.<\/p>\n The next action is to create an RSA Pair of Keys using the crypto API that will cipher all strings. This function is the same as in other ransomware families, such as GandCrab or Crysis, for example. It makes sure that the keys that will be used, are per user and per execution.<\/p>\n If the malware can\u00b4t create the keys, it will go to the clean flow and exit.<\/p>\n After this, Anatova will make a random key of 32 bits and another value of 8 bytes using the function of the crypto API \u201cCryptGenRandom\u201d to encrypt using the Salsa20 algorithm and the private previous blob key in runtime.<\/p>\n During the encryption process of the files, it will decrypt the master RSA public key of the sample of 2 layers of crypto, the first one is a XOR with the value 0x55 and the second one is to decrypt it using a hardcoded key and IV in the sample using the Salsa20 algorithm.<\/p>\n Decrypt from first layer the master RSA public key of sample<\/em><\/p>\n After this, it will import the public key and with it, will encrypt the Salsa20 key and IV used to encrypt the private RSA key in runtime.<\/p>\n The next step is to prepare a buffer of memory and with all of the info encrypted (Salsa20 key, Salsa20 IV, and private RSA key). It makes a big string in BASE64 using the function \u201cCryptBinaryToStringA\u201d. The ransomware will later clean the computer\u2019s memory of the key, IV, and private RSA key values, to prevent anyone dumping this information from memory and creating a decrypter.<\/p>\n This BASE64 string will be written later in the ransom note. Only the malware authors can decrypt the Salsa20 key and IV and the private RSA key that the user would need \u00a0to decrypt the files.<\/p>\n If this does not work, Anatova will delete itself, enter in the clean flow and exit.<\/p>\n When the keys are encrypted in the memory buffer, Anatova will enumerate all logic units and will search for all existing instances of the type DRIVE_FIXED (a normal hard disk for example) or DRIVE_REMOTE (for remote network shares that are mounted). Anatova will try to encrypt the files on each of those locations. This means that one corporate victim can cause a major incident when files on network-shares are being encrypted.<\/p>\n Check all logic units<\/em><\/p>\n For each mounted drive \u2013 hard disk or remote share, Anatova will get all files and folders. It will later check if it is a folder and, if it is, will check that the folder name doesn\u2019t have the name of \u201c.\u201d and \u201c..\u201d, to avoid the same directory and the previous directory.<\/p>\n In the list of gathered folder names, Anatova checks against a list of blacklisted names such as \u201cWindows\u201d, \u201cProgram Files\u201d, \u201cProgram Files(x86)\u201d, etc. This is usual in many ransomware families, because the authors want to avoid destroying the Operating System, instead targeting the high value files. Anatova does the same for file-extensions .exe, .dll and .sys that are critical for the Operating system as well.<\/p>\n Check file name and extension<\/em><\/p>\n If this check is passed, Anatova will open the file and get its size, comparing it to1 MB. Anatova will only encrypt files1 MB or smaller to avoid lost time with big files; it wants to encrypt fast. By setting pointers at the end of the encrypted files, Anatova makes sure that it does not encrypt files that are already encrypted.<\/p>\n Next, Anatova will create a random value of 32bits as a key for the Salsa20 algorithm and another value of 8 bytes that will be used as IV for Salsa20.<\/p>\n With these values, it will read all files in memory or files with a maximum size of 1 MB and encrypt this information with the key and IV using the Salsa20 algorithm (this is very popular lately because it is a very quick algorithm and has open source implementations).<\/p>\n Encryption of files function<\/em><\/p>\n It will import the RSA public key created in runtime and with it, encrypt the key and IV used to encrypt the file. Next, it will write the encrypted content in the same file from the beginning of the file and then it will set the pointer to the end of the file and write the next things:<\/p>\n When this is completed, Anatova will write a ransom note in the same folder. So, if Anatova can\u00b4t encrypt at least something in a folder, it won\u2019t create a ransom note in this folder, only in the affected folders.<\/p>\n This behavior is different from other ransomware families that write a ransom note in all folders.<\/p>\n The ransom note text is fully encrypted in the binary, except for the mail addresses to contact the author(s) and the dash address to pay.<\/p>\n Anatova doesn\u2019t overwrite the ransom note if it already exists in a folder in order to save time.The ransom note contains the base64 block with all encrypted information that is needed to decrypt the files in a block that start with the string \u201c—-KEY—-\u201d, as well asthe id number.<\/p>\n Responding victims are then allowed to decrypt one .jpg file of maximum size 200kb free of charge, as proof that they the decrypted files can be retrieved.<\/p>\n Example of ransom note<\/em><\/p>\n When all this is done, Anatova will destroy the Volume Shadow copies 10 times in very quick succession. Like most ransomware families, it is using the vssadmin program, which required admin rights, to run and delete the volume shadow copies.<\/p>\n Delete of Shadow Volumes 10 times<\/em><\/p>\n Finally, when all steps are completed, the ransomware will follow the flow of cleaning code, as described earlier, mainly to prevent dumping memory code that could assist in creating a decryption tool.<\/p>\n Customers of McAfee gateway and endpoint products are protected against this version. Detection names include Ransom-Anatova![partialhash].<\/p>\n The samples use the following MITRE ATT&CK\u2122 techniques:<\/p>\n 2a0da563f5b88c4d630aefbcd212a35e<\/p>\n 366770ebfd096b69e5017a3e33577a94<\/p>\n 9d844d5480eec1715b18e3f6472618aa<\/p>\n 61139db0bbe4937cd1afc0b818049891<\/p>\n 596ebe227dcd03863e0a740b6c605924<\/p>\n","protected":false},"excerpt":{"rendered":" During our continuous hunt for new threats, we discovered a new ransomware family we call Anatova (based on the name…<\/p>\n","protected":false},"author":1028,"featured_media":93005,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[],"coauthors":[5540],"class_list":["post-93918","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-mcafee-labs"],"acf":[],"yoast_head":"\nAnatova Overview<\/strong><\/h2>\n
![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2019\/01\/Picture2-1.png\")
<\/p>\n\n
![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2019\/01\/Picture3.png\")
<\/p>\nEntry Vector<\/strong><\/h2>\n
In-depth highlights of version 1.0<\/strong><\/h2>\n
![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2019\/01\/Picture4.png\")
<\/p>\n![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2019\/01\/Picture5.png\")
<\/p>\n\n
\n
![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2019\/01\/Picture6.png\")
<\/p>\n![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2019\/01\/Picture7.png\")
<\/p>\n![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2019\/01\/Picture8.png\")
<\/p>\n![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2019\/01\/Picture9.png\")
<\/p>\n![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2019\/01\/Picture10.png\")
<\/p>\n![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2019\/01\/Picture11.png\")
<\/p>\n\n
![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2019\/01\/Picture12.png\")
<\/p>\n![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2019\/01\/Picture13.png\")
<\/p>\nCOVERAGE<\/strong><\/h2>\n
INDICATORS OF<\/strong> COMPROMISE<\/strong><\/h2>\n
\n
Hashes<\/strong><\/h2>\n