The Anatova ransomware only surfaced earlier this year but is already being described as one of the more serious emerging threats to users. So far it has been seen only on a private peer-to-peer network, but the concern is its ability to change quickly, which would let it stay undetected while spreading fast within a network. Gamers are a particular target: the sample hides behind a game or application icon to trick the user into running the ransomware themselves.
How it works
McAfee's report describes how the ransomware works. Its strings are a mix of Unicode and ASCII, and when the user runs the file it resolves the functions it needs at runtime with "GetProcAddress" from kernel32.dll rather than importing them directly. The first of these is used to create a mutual exclusion object (mutex); it then calls "GetLastError" to see whether that mutex already existed. If it did, another copy is already running and this one stops; if not, it continues, resolving further functions from other libraries such as "Shell32.dll", loading extra modules and enumerating all logical drives before encrypting. This family differs from most others in one visible way: it does not append a new extension to the files it encrypts. The files keep their original names and extensions but their contents are no longer readable.
Anatova demands payment in cryptocurrency to decrypt and return the files: reportedly 10 DASH (around £540 at the time). On a Windows machine it searches for the kinds of files that hold valuable data and whose loss hurts an individual user most, such as Word documents, MP3 audio, photos, videos and Excel spreadsheets.
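Because Anatova leaves file names and extensions untouched, the usual "look for a strange new extension" check will not find encrypted files. The following is an added example (not McAfee's analysis code and not part of the original article) of a triage scan that instead compares each file's extension with its expected magic bytes and flags high-entropy content where the signature is missing. The signature table and the sample directory it builds are the editor's own constructions, and the 7.5-bit entropy threshold is an assumed heuristic, not a figure from the report.

```python
"""Triage scan for files encrypted in place (extension kept, content replaced).

Added example: not code from McAfee or from the Anatova sample. The SIGNATURES
table, the entropy threshold and the demo files are the editor's assumptions.
"""
import math
import os
import random
import tempfile
from collections import Counter

# Magic bytes for the document and media types the article lists.
# Assumption: small editor-written table, not an exhaustive signature database.
SIGNATURES = {
    ".docx": (b"PK\x03\x04",),
    ".xlsx": (b"PK\x03\x04",),
    ".doc": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),
    ".xls": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),
    ".jpg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".pdf": (b"%PDF",),
    ".mp3": (b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"),
}

ENTROPY_THRESHOLD = 7.5  # bits per byte; assumed cut-off, ciphertext sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(path: str, sample_size: int = 4096) -> str:
    """Classify one file as ok / signature-mismatch / suspect-encrypted / unknown-type."""
    ext = os.path.splitext(path)[1].lower()
    expected = SIGNATURES.get(ext)
    if expected is None:
        return "unknown-type"          # no signature on record for this extension
    with open(path, "rb") as fh:
        head = fh.read(sample_size)
    if any(head.startswith(sig) for sig in expected):
        return "ok"                    # extension and content agree
    if shannon_entropy(head) > ENTROPY_THRESHOLD:
        return "suspect-encrypted"     # wrong header and ciphertext-like content
    return "signature-mismatch"        # wrong header but not random-looking


def scan(root: str) -> dict:
    """Walk a directory tree and return {relative path: classification}."""
    results = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            results[os.path.relpath(full, root)] = classify(full)
    return results


def build_demo_tree() -> str:
    """Create a temporary directory of constructed sample files and return its path.

    report.docx and photo.jpg carry valid headers; budget.xlsx stands in for an
    encrypted file (deterministic pseudo-random bytes, extension unchanged);
    notes.doc has the wrong header but ordinary low-entropy text.
    """
    root = tempfile.mkdtemp(prefix="anatova_demo_")
    rng = random.Random(1)
    ciphertext_like = bytes(rng.getrandbits(8) for _ in range(4096))
    samples = {
        "report.docx": b"PK\x03\x04" + b"\x00" * 200,
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 200,
        "budget.xlsx": ciphertext_like,
        "notes.doc": b"just some plain text saved with the wrong extension",
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for rel, verdict in sorted(scan(demo_root).items()):
        print(f"{verdict:20s} {rel}")
```

Run it against a user's documents directory instead of the demo tree to get a quick list of files whose contents no longer match their type; "suspect-encrypted" hits clustered by modification time are the pattern to look for.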
The game lure is not the only possible delivery route. Attackers could also distribute the ransomware through the usual channels such as drive-by downloads, spam email and fake software updates.
Attacks have been seen in the US and Europe. Former Soviet Union countries, Syria and Iraq were among the countries the ransomware will not attack, which points towards where it probably originated, since malware authors commonly exclude their home region. However, countries such as India and Morocco were also on the blacklist, something McAfee could not explain. The ransomware controls which countries it affects by design: it checks the language of the user's operating system, specifically the language the system was first installed with rather than the one currently selected. If that language matches one of the blacklisted countries, the malware does not deploy.
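An analyst who wants to know whether a given machine would have been spared by this kill switch needs to reproduce the check. The block below is an added example, not code from McAfee's report or from the sample: it decodes a Windows LANGID into its primary-language and sub-language parts and applies a blacklist. The blacklist is the editor's approximation built from the countries the article names (Russian, Ukrainian and Belarusian for the former Soviet states, Arabic for Syria, Iraq and Morocco, Hindi for India); it is an assumption, not Anatova's actual list. Reading the install-time language through `GetSystemDefaultUILanguage` is likewise the editor's choice of API, not a claim about which call the malware uses.

```python
"""Reproduce a language-based kill switch of the kind Anatova uses.

Added example, not code from the McAfee report or the Anatova sample.
BLACKLIST is an editor's approximation of the countries the article lists.
"""
import sys

# Primary language IDs from the Windows LANGID table.
LANG_ARABIC = 0x01
LANG_ENGLISH = 0x09
LANG_RUSSIAN = 0x19
LANG_UKRAINIAN = 0x22
LANG_BELARUSIAN = 0x23
LANG_HINDI = 0x39

# Assumption: the article names countries, not language IDs; this mapping is
# the editor's guess at how those countries appear in a LANGID check.
BLACKLIST = {LANG_RUSSIAN, LANG_UKRAINIAN, LANG_BELARUSIAN, LANG_ARABIC, LANG_HINDI}


def primary_lang(langid: int) -> int:
    """Low 10 bits of a LANGID: the primary language (PRIMARYLANGID macro)."""
    return langid & 0x3FF


def sub_lang(langid: int) -> int:
    """High 6 bits of a LANGID: the regional sub-language (SUBLANGID macro)."""
    return (langid >> 10) & 0x3F


def would_run(langid: int) -> bool:
    """True if a malware applying BLACKLIST would proceed on this language."""
    return primary_lang(langid) not in BLACKLIST


def install_langid():
    """Return the language the OS was installed with on Windows, else None.

    GetSystemDefaultUILanguage reports the install-time UI language, which is
    the value an analyst would compare against when checking the kill switch.
    """
    if sys.platform != "win32":
        return None
    import ctypes
    return ctypes.windll.kernel32.GetSystemDefaultUILanguage()


if __name__ == "__main__":
    lid = install_langid()
    if lid is None:
        print("not on Windows; showing constructed sample LANGIDs instead")
        for sample in (0x0409, 0x0419, 0x2801, 0x0439):
            print(f"0x{sample:04x} primary=0x{primary_lang(sample):02x} "
                  f"sub={sub_lang(sample)} would_run={would_run(sample)}")
    else:
        print(f"install language 0x{lid:04x} would_run={would_run(lid)}")
```

The useful point for defenders is the one the article makes: the check is on the install-time language, so changing the display language after installation would not, on this logic, change the outcome.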
Prevention from attack
As always, users should keep regular backups of the files stored on their PCs, and where practical run untrusted downloads in a sandboxed environment, since McAfee notes that the ransomware refuses to run in some sandboxed setups.
The saying "prevention is better than cure" applies here: once a user is infected there is only a small chance of getting the files back at all, and a smaller one still of getting them back undamaged.