Threat Response: Anatova Ransomware

23-01-2019

Yesterday, McAfee released a report regarding Anatova [1], a new family of ransomware that is currently reported to affect machines in the Netherlands as well [2]. In this message, we want to inform you about the threats and the possible mitigations regarding the Anatova ransomware family.

Description

Anatova is a new family of ransomware that is currently spread through peer-to-peer (P2P) networks. It presents itself as a game, tricking users into downloading the malicious file. As with previous ransomware attacks, the goal of the attackers is to encrypt a user’s files and urge them to pay money in order to get the files decrypted. Anatova is also capable of encrypting files on network shares. At the moment, the fee is set at 10 DASH, which amounts to around €600.

Anatova sets itself apart from other families of ransomware by assigning a unique key to each user, which is used for encryption of files. There is no ‘master key’. Furthermore, the malware has a modular architecture, hinting towards possible extensions in the future. These extensions may consist of various sorts of malware.

Risk

At this moment, it is unclear what entry vectors are being used by Anatova. The only currently known way Anatova can become present on a machine is by actively downloading and running the malware. This implies that the risk is currently low for most organisations, although attack patterns may change. In general, the risk of infection is lower when all machines in a network are running up-to-date software and critical services are located behind a correctly set-up firewall. However, when internet-facing machines that are remotely accessible are running vulnerable services, the risk of infection is increased.

Mitigation

The risks accompanying Anatova ransomware as it is currently known can be mitigated as follows:

  • Save backup copies on offline machines.
  • Take care not to download or open unknown software. This also holds for attachments in emails.
  • Run up-to-date antivirus software. The malware is currently being detected by a great number of antivirus software suites and endpoint protection systems.

Based on earlier forms of ransomware and the indications that Anatova may be extended, the following set of “best practices” should also be considered:

  • Turn off RDP on any publicly available, internet-facing machine. If this is not possible, make the service reachable only through, for example, a VPN connection.
  • Make sure to update all software to the most recent version.
  • Do not use default passwords on any machine (FTP, routers, etc.).
  • Turn on two-factor authentication if possible.
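
One way to check the RDP recommendation above on a single Windows machine, as an added example that is not part of the original advisory. It assumes an elevated PowerShell session on a system with the built-in NetSecurity cmdlets; the `-DisableRdp` switch is a hypothetical name chosen for this script.

```powershell
# Added example: audit local RDP exposure, optionally turn RDP off. Run elevated.
param([switch]$DisableRdp)   # hypothetical switch name, not from the advisory

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = Join-Path $tsKey 'WinStations\RDP-Tcp'

$listener    = Get-ItemProperty -Path $rdpTcp
$port        = $listener.PortNumber                      # 3389 unless changed
# fDenyTSConnections = 0 means Remote Desktop connections are accepted.
$rdpEnabled  = (Get-ItemProperty -Path $tsKey).fDenyTSConnections -eq 0
# UserAuthentication = 1 means Network Level Authentication is required.
$nlaRequired = $listener.UserAuthentication -eq 1

# Effective (local + Group Policy) inbound allow rules that cover the RDP port.
# Port ranges such as "3000-4000" are not expanded here; review those by hand.
$rules = Get-NetFirewallRule -PolicyStore ActiveStore -Direction Inbound -Enabled True -Action Allow |
    ForEach-Object {
        $rule = $_
        $pf   = $rule | Get-NetFirewallPortFilter
        $hit  = $pf.Protocol -in 'TCP', 'Any' -and
                ($pf.LocalPort -contains "$port" -or $pf.LocalPort -contains 'Any')
        if ($hit) {
            $af = $rule | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Rule          = $rule.DisplayName
                Profile       = $rule.Profile
                RemoteAddress = $af.RemoteAddress -join ','
                OpenToAny     = $af.RemoteAddress -contains 'Any'
            }
        }
    }

[pscustomobject]@{
    RdpEnabled       = $rdpEnabled
    Port             = $port
    NlaRequired      = $nlaRequired
    RulesOpenToAny   = @($rules | Where-Object OpenToAny).Count
    # Exposed: RDP is on and at least one allow rule accepts any remote address.
    ExposureFinding  = $rdpEnabled -and (@($rules | Where-Object OpenToAny).Count -gt 0)
}
$rules | Format-Table -AutoSize

if ($DisableRdp) {
    # Refuse new RDP connections and close the built-in Remote Desktop rules.
    # The display group name is localized on non-English Windows installations.
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
}
```

A host-firewall rule open to any address does not by itself prove internet reachability; the perimeter firewall or cloud security group in front of the machine decides that and should be reviewed alongside this output.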

If you need additional information you can call us by phone or send us an email.

Phone number: 030-3031244 (during business hours)
E-mail: soc@northwave.nl

Do you have an incident right now? Call our CERT number: 0800-2255 2747

Sources

[1] https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/happy-new-year-2019-anatova-is-here/

[2] https://www.nu.nl/internet/5699333/nieuwe-gijzelsoftware-anatova-maakt-slachtoffers-in-nederland.html

 

Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.