Happy New Year 2019! Anatova is Here! (Jan 22, 2019)
A new ransomware family, dubbed “Anatova” after the name of its ransom note, has been identified in a private Peer-to-Peer (P2P) network, according to McAfee researchers. The ransomware avoids infecting users in certain countries by checking the first installed language setting on the machine. This check lets the ransomware refrain from conducting malicious activity on machines located in the following countries: all Commonwealth of Independent States (CIS) countries, Egypt, India, Iraq, and Syria. The exclusion of these countries is a potential indicator that the threat actors behind Anatova reside in one of them.
Recommendation: At the time of this writing, researchers have not yet observed Anatova in the wild, but they note that the ransomware’s modular capabilities could allow actors to modify the malware and begin broader distribution attempts. Anatova’s ability to encrypt machine files and data on mounted drives represents a potential risk to companies that do not have business continuity plans in place. It is paramount to have a comprehensive and tested backup solution, in addition to a business continuity policy. In the unfortunate case that a reproducible backup is not available, make sure to check for a decryptor before considering payment; avoid payment at all costs. Ransomware should be reported to law enforcement agencies, who are doing their best to track these actors and prevent ransom from being a profitable business for cyber criminals.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.