Security researchers have seen an increasing use of Anatova ransomware all across the world, but most of the infections have been seen in the United States and a select few European countries. The ransomware makes use of a game or application icon to help the chances of a user downloading it. Ultimately, the malware attempts to encrypt as many files as it can within a system and them demand a ransom to release them back to the owner. Along with this, it can collect sensitive data and plant a backdoor in the system. When it is launched, a check is run to see if the logged-in username matches one in their encrypted username’s list. If a match is found, the cleaning process is deployed and then the ransomware exits. The ransomware then destroys Volume Shadow copies ten times over to completely wipe out the chance of the files being recovered. The files that are targeted are one MB or smaller, which makes the encryption process much quicker. A ransomware note is only attached to a folder where at least one file has been encrypted, making it different from other ransomware.
Analyst Notes
Caution should be used when downloading unfamiliar applications to user systems. Since the ransomware keys off of encrypted usernames, users should change theirs and avoid using duplicates on other platforms.
