Anatova – A Cool Proof-Of-Concept Ransomware

Ransomware | Kristóf Arleitner | October 21, 2021

Background

Anatova Ransomware

The Anatova ransomware first came to light in 2019 January. It was discovered on a private P2P network, and McAfee detected over 300 instances of the malware worldwide at the time.

Anatova’s objective is to encrypt important files and network shares and to demand a cryptocurrency ransom of 10 DASH for unlocking them, worth about $700 at the time.

The ransomware is dubbed “Anatova” because of the name of the ransom note file (ANATOVA.txt) and the email addresses in the ransom note (e.g. anatova2@tutanota.com).

How it works

Anatova is distributed as executables that are made to look like legitimate software on the surface, when looking at their icons and filenames. The stripped core malicious executable is only 32 KB in size.

The malware sample is difficult to statically analyze not only because most strings are encrypted, but also because even Win32 API names are XOR ciphered (e.g. CryptAcquireContextW, CryptGenRandom, CryptEncrypt, CryptDestroyKey).

When Anatova executes, it loads the necessary Win32 API functions from system DLL files, then checks for the existence of a hardcoded mutex (e.g. 6a8c9937zFIwHPZ309UZMZYVnwScPB2pR2MEx5SY7B1xgbruoO), created by a possible previous execution of the malware. If the mutex exists, it indicates that the ransomware has already run and it shouldn’t run again. Then it checks if the current user or a logged-in user has any of these usernames:

  • LaVirulera
  • tester
  • Tester
  • analyst
  • Analyst
  • lab
  • Lab
  • Malware
  • malware

If it finds a match, it cleans up and exits. This is a crude measure against dynamic analysis, since some malware sandboxes or analyst virtual machines might use these usernames.

Anatova also checks the primary system language against the following:

  • CIS countries (Azerbaijan, Armenia, Belarus, Georgia, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Uzbekistan, Ukraine)
  • Syria
  • Egypt
  • Morocco
  • Iraq
  • India

If the language matches any of the above, then Anatova exits after a cleanup routine without encrypting anything.

Anatova can be considered modular, because it includes code that would load DLLs named extra1.dll and extra2.dll. In known samples this code branch is never taken and the DLL files aren’t present. These modules could be used e.g. to place a persistent backdoor on the system, run password extraction tools or run crypto mining software.

Anatova looks for and terminates certain processes based on their name, so that it can encrypt the files locked by them, such as Office documents, databases or game files. The process names Anatova looks for include but are not limited to:

  • oracle.exe
  • firefoxconfig.exe
  • mysqld.exe
  • excel.exe
  • msaccess.exe
  • onenote.exe
  • powerpnt.exe
  • steam.exe
  • thunderbird.exe
  • visio.exe
  • winword.exe

The ransomware will also skip files over 1 MB in size, making the encryption process quick.

After that, it will enumerate both logical and network drives and start encrypting files on them, with a few exception rules. It doesn’t encrypt any files that would make the system unusable: it skips the Windows, Program Files (x86), Program Files, ProgramData, All Users and similar directories. The ransomware will also avoid encrypting some specific files, such as boot.ini, pagefile.sys and hiberfil.sys, and files with extensions like bat, cab, dll, exe, ico or sys.

The executable contains an obfuscated embedded RSA public key. The private key for the embedded master RSA public key is only known by the ransomware operator and isn’t present in any form in the malware. Anatova most likely generates another random runtime-only RSA private key for each execution, and uses this “victim key” to encrypt the Salsa20 secret keys and nonces, which differ for each file. Salsa20 is a symmetric stream cipher; AES could also be used in its place.

Anatova appends a few things to each encrypted file:

  • Salsa20 32 byte secret key, encrypted with the victim RSA public key
  • Salsa20 8 byte nonce, encrypted with the victim RSA public key
  • Whether the file size is over 1 MB
  • A hardcoded string that is unique to each sample and also appears in the ransom note (481 in the ransom note above and in the encrypted file hex view below)
  • A hardcoded four-byte marker indicating the file is encrypted, to avoid re-encryption (0x5bdd4b14 in the example below)

The ransom note’s --KEY-- section presumably contains the victim key, which is the RSA private key specific to a single execution of the malware, encrypted with the ransomware operator’s master RSA key. Once the victim pays the ransom and emails the ransom note to the attacker as instructed in the note’s message, the attacker could extract the victim’s RSA private key from the --KEY-- section using the master RSA private key, and provide a decryptor to the victim based on that.

After the ransomware is done encrypting files in a given folder, it writes an ANATOVA.TXT ransom note file to the folder. It doesn’t display anything and relies on the user eventually finding one of the note files. It doesn’t rename files and doesn’t bother with files over 1 MB, making it fast and relatively stealthy. A victim could notice that some process was terminated by the ransomware, or the ANATOVA.TXT file in a directory, but both of these are unlikely, and by then it could be too late. Depending on the number of files the victim has, it could be done with encryption in minutes.
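Because Anatova leaves file names unchanged, the appended trailer and the ransom note are the practical way for a responder to list what was hit. The triage script below is an added example, not code from the original article or from McAfee. It assumes the four-byte marker quoted above is the very last thing in an encrypted file and that its on-disk byte order is unknown (both orders are checked); the demo tree it builds is constructed sample data.

```python
import os
import struct
import tempfile

MARKER = 0x5BDD4B14        # marker value from the example on this page
NOTE_NAME = "anatova.txt"  # ransom note file name, compared case-insensitively

def marker_forms(marker=MARKER):
    # The on-disk byte order is an assumption, so accept both.
    return {struct.pack("<I", marker), struct.pack(">I", marker)}

def has_marker(path, forms):
    """True if the last four bytes of the file equal one of the marker forms."""
    try:
        with open(path, "rb") as fh:
            if fh.seek(0, os.SEEK_END) < 4:
                return False
            fh.seek(-4, os.SEEK_END)
            return fh.read(4) in forms
    except OSError:
        return False  # locked or unreadable file: leave it for a later pass

def triage(root, marker=MARKER):
    """Return (files carrying the marker, folders containing a ransom note)."""
    forms = marker_forms(marker)
    marked, noted = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == NOTE_NAME:
                noted.append(dirpath)
            elif has_marker(os.path.join(dirpath, name), forms):
                marked.append(os.path.join(dirpath, name))
    return sorted(marked), sorted(noted)

def build_demo_tree(root):
    """Constructed sample data: a clean file, a file with the trailer, a note."""
    docs = os.path.join(root, "docs")
    os.makedirs(docs)
    with open(os.path.join(docs, "clean.txt"), "wb") as fh:
        fh.write(b"untouched contents")
    with open(os.path.join(docs, "report.docx"), "wb") as fh:
        fh.write(b"\x00" * 64 + struct.pack("<I", MARKER))
    with open(os.path.join(docs, "ANATOVA.TXT"), "wb") as fh:
        fh.write(b"constructed placeholder note")
    return docs

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        marked, noted = triage(tmp)
        print("marked:", marked)
        print("note folders:", noted)
```

Run it against a mounted forensic image or a read-only share rather than a live infected host, and pass a different `marker` value when triaging a sample whose trailer differs.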

It deletes Windows shadow copies to make restoring from those backups impossible. The following command is executed 10 times:

C:\Windows\system32\cmd.exe /c vssadmin delete shadows /all /quiet

Anatova will clean the victim RSA private key and Salsa20 keys from memory, and delete its own executable file:

C:\Windows\system32\cmd.exe /c timeout -c 9 & del "C:\Users\username\Desktop\malware.exe" /f /q
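Both cleanup commands show up in process-creation telemetry (for example Sysmon Event ID 1, or Windows Security event 4688 with command-line logging enabled). The detection logic below is an added example, not part of the original article; the event field names, the burst threshold and the sample events are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Shadow copy deletion, matching the vssadmin command quoted above.
VSS_DELETE = re.compile(r'\bvssadmin(\.exe)?\s+delete\s+shadows\b', re.I)
# A timeout followed by a forced delete of an .exe (delayed self-delete).
SELF_DELETE = re.compile(r'\btimeout\b.*&\s*del\s+"?[^"&]+\.exe', re.I)

def detect(events, burst_threshold=3):
    """Return sorted (host, rule, count) findings for process-creation events."""
    counts = Counter()
    for ev in events:
        cmd = ev["command_line"]
        if VSS_DELETE.search(cmd):
            counts[(ev["host"], "shadow_copy_delete")] += 1
        if SELF_DELETE.search(cmd):
            counts[(ev["host"], "delayed_self_delete")] += 1
    findings = [(host, rule, n) for (host, rule), n in counts.items()]
    # Repeated deletion on one host is a stronger signal than a single run.
    findings += [(host, "shadow_copy_delete_burst", n)
                 for (host, rule), n in counts.items()
                 if rule == "shadow_copy_delete" and n >= burst_threshold]
    return sorted(findings)

def sample_events():
    """Constructed events; field names are hypothetical, not a real log schema."""
    vss = r"C:\Windows\system32\cmd.exe /c vssadmin delete shadows /all /quiet"
    wipe = (r'C:\Windows\system32\cmd.exe /c timeout -c 9 & del '
            r'"C:\Users\username\Desktop\malware.exe" /f /q')
    events = [{"host": "WS01", "command_line": vss} for _ in range(10)]
    events.append({"host": "WS01", "command_line": wipe})
    # Benign look-alikes that must not fire.
    events.append({"host": "WS02", "command_line": "vssadmin list shadows"})
    events.append({"host": "WS02",
                   "command_line": "cmd.exe /c timeout /t 5 & echo done"})
    return events

if __name__ == "__main__":
    for finding in detect(sample_events()):
        print(finding)
```

Shadow copy deletion is common to many ransomware families, so the first rule is a generic signal; the burst rule is what reflects the repeated execution described for Anatova.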

IOCs

McAfee confirmed five MD5 hashes as Anatova ransomware samples. Four of these masquerade as video game executables, one as a PE header analysis tool:

Call of Cthulhu is a moderately popular adventure game, released in 2018 October (https://steamdb.info/app/399810/). Two samples of the Anatova malware were made to look like the launcher executable of this game. The ransomware executable has a similar file size and the same icon as the legitimate version. Since the original executable also requires admin rights, icons and shortcuts for the original and ransomware executables look visually identical, including the yellow-blue admin privilege shield icon overlay.

  • MD5: 596ebe227dcd03863e0a740b6c605924
  • SHA-1: 37fadc40d6dc787cb13ef11663a9bc97c79b8f48
  • SHA-256: 170fb7438316f7335f34fa1a431afc1676a786f1ad9dee63d78c3f5efd3a0ac0
  • Filename: CallOfCthulhu.exe
  • Size: 314368 bytes
  • Email addresses: anatova2@tutanota.com, anatoday@tutanota.com
  • Dash address: XpRvUwSjSeHfJqLePsRfQtCKa1VMwaXh12

  • MD5: 61139db0bbe4937cd1afc0b818049891
  • SHA-1: 200800368f75146320545095661fed0c3e75d025
  • SHA-256: 75371ff38823885b47aa21d2883792a5470e9bf1f3d2dc93f512725f35491820
  • Filename: CallOfCthulhu.exe
  • Size: 314368 bytes
  • Email addresses: anatova2@tutanota.com, anatoday@tutanota.com
  • Dash address: XpRvUwSjSeHfJqLePsRfQtCKa1VMwaXh12

PPEE (puppy) is a PE file explorer tool, made for reverse engineers and malware researchers. The Anatova malware version:

  • MD5: 2a0da563f5b88c4d630aefbcd212a35e
  • SHA-1: fec79b74bb6cc4ddf0bf0655a9ef73b0aff09bbc
  • SHA-256: 97fb79ca6fc5d24384bf5ae3d01bf5e77f1d2c0716968681e79c097a7d95fb93
  • Filename: PPEE.exe
  • Size: 49664 bytes
  • Email addresses: anatova1@tutanota.com, anatoday@tutanota.com
  • Dash address: XktLWbv68EU9XhYBuvrAGtbZHronyJDt1L

V nekotorom tsarstve is an obscure 2D platformer game with low production value, released in 2018 July (https://steamdb.info/app/898140/). The corresponding Anatova ransomware sample:

  • MD5: 366770ebfd096b69e5017a3e33577a94
  • SHA-1: 711f9985ba5a1933351f017022c3ed9ec92cb6da
  • SHA-256: ab8a76b64448b943dc96a3e993b6e6b37af27c93738d27ffd1f4c9f96a1b7e69
  • Size: 352256 bytes
  • Filename: Vnekotoromtsarstve.exe
  • Email addresses: anatova4@tutanota.com, anatova9@tutanota.com
  • Dash address: XmH5g3tCYkxYyGRYcwS9oAXpkRNYU9EbjC

Mola mola is another obscure game with a minimal playerbase, released in 2019 January (https://steamdb.info/app/984750/). The Anatova malware has the same icon as the game again:

  • MD5: 9d844d5480eec1715b18e3f6472618aa
  • SHA-1: 9ccc09beca90983815c63bed939673b2d421fc2c
  • SHA-256: bd422f912affcf6d0830c13834251634c8b55b5a161c1084deae1f9b5d6830ce
  • Size: 597504 bytes
  • Email addresses: anatova1@tutanota.com, anatova2@tutanota.com
  • Dash address: XktLWbv68EU9XhYBuvrAGtbZHronyJDt1L

Cryptocurrency Addresses

Ransomware usually asks for payment in Bitcoin or Monero. Anatova requests payment in the Dash cryptocurrency (an odd choice), asking for 10 DASH, worth about $700 in 2019 January.

The Dash blockchain is public, allowing us to check transactions to and from the hardcoded cryptocurrency addresses. These are the addresses from the ransom notes of the five Anatova samples we know of:

  • XpRvUwSjSeHfJqLePsRfQtCKa1VMwaXh12: Only a total of 0.033 DASH ever received, worth about $3 at the time and $6 today. No outgoing transactions.
  • XktLWbv68EU9XhYBuvrAGtbZHronyJDt1L: No transactions (as of 2021 September).
  • XmH5g3tCYkxYyGRYcwS9oAXpkRNYU9EbjC: No transactions (as of 2021 September).

Apparently, nobody paid a ransom to these addresses, even though McAfee’s telemetry in 2019 January showed over 300 detections of the ransomware.

Conclusion

Anatova is a competent ransomware with countermeasures against analysis. It’s stealthy because it doesn’t change file extensions, doesn’t display a pop-up window and it finishes quickly because of the 1 MB file size limit. It generates different encryption keys per victim, and takes care to delete network and local backups and erase traces of itself.

Thankfully it wasn’t successful in collecting ransom, it isn’t widespread today and there aren’t any signs pointing to further development of the malware.

Written by: Kristóf Arleitner
