New Anatova Ransomware Supports Modules for Extra Functionality

Solarquest

Jul 22, 2014
A new ransomware family has popped up on the radar of analysts, who see it as a serious threat created by skilled authors who can turn it into a multifunctional piece of malware.

Infections with Anatova have been reported all over the world, most of them being in the United States, followed by countries in Europe (Belgium, Germany, France, the UK).
...
..
The ransomware includes an anti-analysis routine that gets triggered under certain conditions. Once launched, the ransomware asks for admin privileges, runs a few checks, encrypts files on the computer, and then demands 10 DASH coins, currently valued at $700.

Modular architecture
...
...
Anti-analysis process

Anatova's authors tried to make the ransomware more resilient to analysis attempts by embedding a memory-cleaning procedure that activates in certain situations.
Among the first actions it takes is to check the username of the logged-in user. If the name matches one on an internal list, the ransomware runs the cleaning process and exits.
Although the list of names Anatova checks is short, it may protect the malware from being examined by less careful malware analysts.

It includes the following strings: 'LaVirulera', 'tester', 'Tester', 'analyst', 'Analyst', 'lab', 'Lab', 'Malware', and 'malware'.
...
...

Malware Samples - Anatova ransomware
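As an added example (not code from the post, the article it quotes, or the Anatova sample itself), here is a small Python check a sandbox operator can run before detonating a sample to see whether the detonation VM's account name would trip the username check described above. The exact, case-sensitive comparison in `exact_match` is an assumption inferred from the list containing both 'tester' and 'Tester'; the `loose_match` variant goes beyond what the post reports and is included only so an operator can also rule out names that merely contain one of the tokens. The candidate usernames in the `__main__` block are constructed for illustration.

```python
"""
Lab-hygiene check for the Anatova-style username test described in the post.
Added example; not Anatova's code. Matching mode is an assumption (see below).
"""
import getpass
import os

# The nine strings reported in the post, reproduced exactly as listed.
ANATOVA_USERNAME_BLOCKLIST = frozenset({
    "LaVirulera", "tester", "Tester", "analyst", "Analyst",
    "lab", "Lab", "Malware", "malware",
})


def exact_match(username, blocklist=ANATOVA_USERNAME_BLOCKLIST):
    """Exact, case-sensitive comparison.

    Assumption: the post only says the name 'is a match'; the presence of
    both 'tester' and 'Tester' in the list suggests the comparison is
    case-sensitive rather than normalised.
    """
    return username in blocklist


def loose_match(username, blocklist=ANATOVA_USERNAME_BLOCKLIST):
    """Case-insensitive substring test.

    Not what the post reports. It is a stricter bar for the sandbox operator:
    a VM name that passes this also passes any looser variant a sibling
    sample might use (e.g. 'analyst1' or 'malwarelab').
    """
    lowered = username.lower()
    return any(token.lower() in lowered for token in blocklist)


def audit_usernames(candidates, blocklist=ANATOVA_USERNAME_BLOCKLIST):
    """Return {username: verdict}; verdict is 'exact', 'loose' or 'ok'.

    'exact'  -> would trigger the reported check as described.
    'loose'  -> passes the reported check but contains a listed token.
    'ok'     -> safe against both the reported and the substring variant.
    """
    verdicts = {}
    for name in candidates:
        if exact_match(name, blocklist):
            verdicts[name] = "exact"
        elif loose_match(name, blocklist):
            verdicts[name] = "loose"
        else:
            verdicts[name] = "ok"
    return verdicts


def current_username():
    """Best-effort name of the account running this script."""
    try:
        return getpass.getuser()
    except Exception:  # no passwd entry / unusual environment
        return os.environ.get("USERNAME") or os.environ.get("USER") or ""


if __name__ == "__main__":
    # Constructed candidate account names for a detonation VM, not real users.
    candidates = ["tester", "Tester", "analyst1", "jsmith",
                  "malwarelab", "LaVirulera", "Admin"]
    for name, verdict in audit_usernames(candidates).items():
        print(f"{name:12} -> {verdict}")
    me = current_username()
    state = "would trigger the cleanup-and-exit path" if loose_match(me) else "passes"
    print(f"current account {me!r}: {state}")
```

Run it inside the analysis VM under the account that will launch the sample; any verdict other than 'ok' means the account should be renamed before detonation.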
