Anatova is the nickname given to a new brand of sophisticated ransomware that looks to encrypt your personal or business files and then demands payment to decipher them.
How it works
Anatova is distributed through peer-to-peer (P2P) file sharing networks. It masquerades as genuine software, often using real icons to fool users into believing it is authentic. Once you run the malicious software, it begins to encrypt your personal documents, after which it will demand you send payment to regain access to your files.
This can be extremely hazardous for larger organizations, since Anatova can affect files across local networks. This ransomware is designed to encrypt your files quickly to avoid detection. It fully encrypts files that are less than 1 Megabyte, and encrypts only a single Megabyte of files larger than that. Even though the larger files are not completely encrypted, enough damage has been done that they are, most likely, no longer usable.
Another fascinating thing about Anatova is its resistance to analysis. It encrypts most of its internal strings, cleans its own data out of memory, causes bugs in common analysis programs, and stops execution if it detects that it is in a virtual or test environment.
One of the most dangerous aspects of Anatova is the fact that it is built to be modular. This means that it was designed to have new features added to it at any time. Instead of just encrypting your files, future versions of Anatova could steal your personal info and passwords, add your computer to a malicious botnet, or a multitude of other things.
Who is affected
Due to its current distribution method, most people who do not use peer-to-peer file sharing should be safe from this threat. If you do happen to use P2P file sharing, we strongly suggest you scan every file you download before opening it, both with SUPERAntiSpyware and VirusTotal.
The majority of Anatova detections have been in the United States, although infections have been seen across Europe as well. This malware checks your system language and refuses to run in several countries such as Iraq, India, and the Commonwealth of Independent States.
Indicators of compromise
Generally one of the biggest indicators of a ransomware attack is the changed extensions on the encrypted files. This ransomware, however, does not alter the file extensions, which makes casual detection of an Anatova infection more difficult.
A better indicator is the ransom note that this malware leaves behind. Anatova will drop a text file into each folder where it has encrypted a file. This text file gives instructions on how to pay the ransom to get your files unlocked:
All your files are crypted. Only us can decrypt your files, you need to pay 10 DASH in the address:
XnzvWQKv22uPDCYcuGebyoaVinekkJicbK
After the payment send us the address used to make the payment to one of these mail addresses:
anatova2@tutanota.com
anatoday@tutanota.com
Later wait for our reply with your decryptor. If you want to send us ONE JPG FILE ONLY max 200kb to decrypt per free before of payment
Don’t try fuck us, in this case you NEVER will recover your files. Nothing personal, only business.
Send this file untouched with your payment or/and free file!
—KEY—
<random key>
—KEY—
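The two indicators above (a ransom note dropped in each affected folder, and encrypted files that keep their original extensions, with at most the first megabyte rewritten) can be checked programmatically. The following is an added example written for this article, not code from SUPERAntiSpyware or from the malware analysis: it walks a directory, flags text files carrying phrases from the note quoted above, and flags files whose leading 1 MiB has the high byte entropy typical of ciphertext. The note file name, the entropy threshold and the sample files are assumptions constructed for the demo.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Marker phrases taken from the ransom note quoted above.
NOTE_MARKERS = ("All your files are crypted", "Only us can decrypt your files")
SAMPLE_BYTES = 1024 * 1024  # Anatova encrypts at most the first 1 MiB of a file
ENTROPY_THRESHOLD = 7.5     # bits per byte (assumed); ordinary documents sit well below this

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 is the maximum)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def is_ransom_note(path: Path) -> bool:
    """True if a text file contains one of the phrases from the Anatova note."""
    try:
        text = path.read_text(errors="ignore")
    except OSError:
        return False
    return any(marker in text for marker in NOTE_MARKERS)

def scan_tree(root: Path) -> dict:
    """Report note files and files whose leading 1 MiB looks encrypted.
    Extensions are ignored because Anatova leaves them unchanged. High entropy alone
    also matches compressed data (zip, jpeg), so treat entropy-only hits as leads."""
    notes, suspicious = [], []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if path.suffix.lower() == ".txt" and is_ransom_note(path):
            notes.append(path)
            continue
        with path.open("rb") as fh:
            head = fh.read(SAMPLE_BYTES)
        if len(head) >= 256 and shannon_entropy(head) > ENTROPY_THRESHOLD:
            suspicious.append(path)
    return {"notes": notes, "suspicious": suspicious}

def run_demo() -> tuple:
    """Constructed sample tree: a note (file name assumed; the page gives none),
    a plaintext file, and random bytes standing in for an encrypted document."""
    root = Path(tempfile.mkdtemp()) / "docs"
    root.mkdir()
    (root / "ANATOVA_NOTE.txt").write_text("All your files are crypted. Only us can decrypt your files.")
    (root / "report.docx").write_bytes(os.urandom(4096))
    (root / "minutes.md").write_bytes(b"quarterly numbers look fine\n" * 200)
    result = scan_tree(root)
    return [p.name for p in result["notes"]], [p.name for p in result["suspicious"]]
```

A note in the same folder as high-entropy files is the stronger signal; an entropy hit on its own should be confirmed by opening the file, since legitimately compressed files look the same to this check.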
What you can do
SUPERAntiSpyware detects many variants of Anatova; however, new versions are being created all the time so make sure to always update to the latest database version. Also, upgrading to Real-Time protection will dramatically increase your level of protection from this threat.
Refraining from using Anatova’s primary infection vector — peer-to-peer file sharing services — should effectively keep your system safe from this infection. As stated before, if you do use P2P file sharing services, you must be extremely careful with what you download. Make sure to scan every file with SUPERAntiSpyware and VirusTotal to ensure it is safe before opening it.
How To Remove Anatova
- Using an uninfected system, search the internet for a decryptor for your particular version of Anatova and copy it to a USB drive — I would suggest starting your search with No More Ransom.
- Restart the infected computer in Safe Mode with Networking.
- Insert the USB drive with the decryptor, copy it to the desktop, then eject and remove the drive.
- Run the decryptor.
- Assuming the decryptor is successful, update your SUPERAntiSpyware to the latest database version and run a complete scan to remove any traces of Anatova from your system.
- If the decryptor does not work, you can take your computer to a data recovery expert.
Very useful info, I’ve been using P2P file sharing and didn’t know about that kind of threat. It occurs that Anatova is an insidious thing. Thanks for providing info on the control measures with SUPERAntiSpyware.