A new ransomware called Anatova is disguised as games or applications to trick victims into downloading and installing it on their computers. It first appeared on 1 January, and its code indicates that it is the work of experienced malware developers.
The ransomware is built to change quickly: new evasion techniques and spreading mechanisms can be added to it easily. Anatova encrypts files using a pair of RSA keys to lock users out of them, a method used by some of the most successful ransomware families, such as GandCrab and Crysis.
The ransomware was exposed by McAfee, whose researchers have warned that Anatova could become a serious issue because of its broad capabilities and its modular design, which allows more and more functionality to be added easily.
Most victims are in the US, but the ransomware has also affected users in Belgium, Germany, France, the UK and other European countries.
The ransomware spreads easily over peer-to-peer networks, posing as free downloads of games and software to tempt victims into downloading it. It may be spread using other techniques in the future.
When the malware runs on a target system, it first creates an RSA key pair using the crypto API, which it uses to cipher all of its strings; it then generates the random keys used to encrypt the target system and proceeds to fully deploy the ransomware.
Users infected with Anatova receive a ransom note demanding a payment of 10 Dash cryptocurrency coins (around $700) to decrypt their files. A cryptocurrency wallet address is provided for the payment. After paying, the user can email the attacker to receive the decryption key. Victims are also warned not to try to recover the files themselves, and are told that the attack is only business and not personal.
It is not yet known who is behind the ransomware, but Anatova terminates if the victim's system is located in a member of the Commonwealth of Independent States, the group of former Soviet nations that includes Russia. The ransomware also does not infect systems in Syria, Egypt, Morocco, Iraq and India.