
Anatova Ransomware

Posted: February 11, 2019

The Anatova Ransomware is a file-locking Trojan that encrypts the user's files so that they can no longer be opened. Some variants of this threat appear to use a non-recoverable attack that corrupts the affected documents, pictures or other files permanently. Victims can recover from any available backups and should use proper anti-malware tools for uninstalling the Anatova Ransomware.

The Call of a Trojan

A recently discovered file-locking Trojan is using popular gaming media as its infection lure. The Anatova Ransomware, first uncovered by cyber-security researcher and programmer Valthek, is conducting attacks with an unusual choice of ransom currency and questionable encryption methods. The users at risk from its campaign are software-pirating fans of Cyanide Studio's 'Call of Cthulhu' video game.

The Lovecraftian game serves as a disguise for the Anatova Ransomware's Windows executable. Launching the file on an unprotected system installs the Trojan temporarily, and it then runs what malware experts estimate to be AES-based encryption against the user's files. While it doesn't add an extension to the files' names, the Anatova Ransomware does insert internal marker data and ID strings into them. Some cases also appear to cause irreversible data corruption instead of recoverable encryption, although malware experts can't confirm the precipitating circumstances around this error.

Nearly all file-locker Trojans offer a ransom for a decryption service, and the Anatova Ransomware isn't an exception, even though its decryptor may not work. Its threat actor is taking payments in the Dash cryptocurrency, which is a rare option among threats but not unknown; the GandCrab Ransomware is, perhaps, the most notable comparison among the Trojan's competition. As malware experts always recommend, victims shouldn't pay if at all possible, but they may find some benefit from the 'sample' free decryption. The Anatova Ransomware's campaign is asking for ransoms of roughly one thousand USD equivalent per installation.

Keeping Your Files from Being a Shadow of Themselves

The Anatova Ransomware uses the standard technique of erasing Windows' default backups, the Shadow Volume Copies, through CMD commands just before finishing its payload. Malware experts also see some instances of the file-locker Trojan 'cleaning up' after itself by removing its own installation, while leaving the files encrypted and the ransom note in place. Users shouldn't assume that their PCs are safe afterwards, however, since file-locker Trojans can abuse backdoor-based vulnerabilities and often 'report home' to their threat actors.
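The shadow-copy deletion step is the part of a file-locker's payload that defenders can most reliably catch in process-creation telemetry, because the commands are few and distinctive. As an added example, not code from the original page or from Anatova itself, the following Python detector runs over pipe-delimited command-line records of the kind exported from Sysmon Event ID 1 or Security event 4688 and flags the common shadow-copy removal forms. The exact command forms matched (vssadmin delete shadows, wmic shadowcopy delete, and so on) are an assumption of this example; the article only says the Trojan uses CMD commands. The log lines, host and user names, and the CallOfCthulhu.exe path are constructed for the demonstration.

```python
import re
from collections import Counter
from typing import Dict, List

# Common command forms used to erase or shrink Volume Shadow Copies. These are
# an assumption of this example: the article only says Anatova uses "CMD commands".
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I),
    re.compile(r"Win32_ShadowCopy\b.*\bDelete\b", re.I),
]

# Constructed sample log lines: "timestamp | user | parent image | command line".
# Two benign entries (a text editor, a scheduled backup) and one "vssadmin list"
# are included so that the detector has something it must NOT flag.
SAMPLE_LOG = r"""
2019-02-11T10:01:02 | WS01\alice | C:\Windows\explorer.exe | "C:\Program Files\Notepad++\notepad++.exe" notes.txt
2019-02-11T10:03:17 | WS01\alice | C:\Users\alice\Downloads\CallOfCthulhu.exe | cmd.exe /c vssadmin delete shadows /all /quiet
2019-02-11T10:03:17 | WS01\alice | C:\Users\alice\Downloads\CallOfCthulhu.exe | cmd.exe /c vssadmin delete shadows /all /quiet
2019-02-11T10:03:18 | WS01\alice | C:\Users\alice\Downloads\CallOfCthulhu.exe | wmic shadowcopy delete
2019-02-11T10:05:00 | NT AUTHORITY\SYSTEM | C:\Windows\System32\svchost.exe | C:\Windows\System32\vssadmin.exe list shadows
2019-02-11T10:06:30 | WS01\backupsvc | C:\Windows\System32\services.exe | "C:\Windows\System32\wbadmin.exe" start backup -backupTarget:E: -include:C:
"""


def parse_event(line: str) -> Dict[str, str]:
    """Split one pipe-delimited log line into its four fields."""
    ts, user, parent, cmdline = (f.strip() for f in line.split(" | ", 3))
    return {"ts": ts, "user": user, "parent": parent, "cmdline": cmdline}


def is_shadow_delete(cmdline: str) -> bool:
    """True if the command line matches a known shadow-copy removal form."""
    return any(p.search(cmdline) for p in SHADOW_DELETE_PATTERNS)


def find_shadow_deletions(log_text: str) -> List[Dict[str, str]]:
    """Return every event whose command line removes or shrinks shadow copies."""
    events = (parse_event(line) for line in log_text.splitlines() if line.strip())
    return [ev for ev in events if is_shadow_delete(ev["cmdline"])]


def count_by_parent(events: List[Dict[str, str]]) -> Dict[str, int]:
    """Count hits per parent image. A user-profile executable (a 'game' from a
    pirate site) spawning several of these in a burst is the ransomware signal;
    an administrator running one command from an elevated shell usually is not."""
    return dict(Counter(ev["parent"] for ev in events))


if __name__ == "__main__":
    hits = find_shadow_deletions(SAMPLE_LOG)
    for ev in hits:
        print(f"{ev['ts']} {ev['user']} parent={ev['parent']} :: {ev['cmdline']}")
    print("hits per parent image:", count_by_parent(hits))
```

The parent-image grouping is the useful part: `vssadmin list shadows` and a legitimate `wbadmin start backup` pass through untouched, while three deletion commands launched in two seconds from an executable in a Downloads folder stand out as exactly the pre-encryption clean-up the article describes.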

Rather than hoping that Windows' Shadow Copies survive, victims can protect their work by saving copies to secure backup locations preemptively, such as cloud services or USB sticks that are disconnected when not in use, since a file-locker will encrypt any drive it can reach. Avoiding piracy-rife download sources and scanning downloads before opening them can also help keep this campaign from compromising new PCs with its gaming tactic. Most anti-malware products remove the Anatova Ransomware adequately and should protect your PC during their standard scans.

The Anatova Ransomware punishes game-pirating users with what's almost certainly overkill: charging them an enormous ransom instead of the price of the game. It's worth thinking about what your files are worth to you before risking them, especially when there may be no price you can pay to get them back to normal.
