New ransomware poses as games and software to trick you into downloading it

Potent new ransomware appears to be written by experienced cyber criminals and displays some of the same abilities as some of the most powerful families around.
Written by Danny Palmer, Senior Writer on

A new form of ransomware is infecting users around the world by disguising itself as applications or games and tricking victims into downloading and launching it on their PCs.

Anatova ransomware first emerged on January 1 this year and the new code behind it suggests that the cyber criminals distributing it are experienced malware developers.

It displays the ability to morph quickly, with the potential for new evasion tactics and spreading mechanisms to be easily added. Anatova also comes equipped with strong encryption, using a pair of RSA keys to lock users out of files — a tactic also used by some of the most successful ransomware families like GandCrab and Crysis.

It's because of these capabilities, and how it's prepared for modular extension, that security researchers at security company McAfee — who uncovered the ransomware — have warned that Anatova is the work of skilled cyber criminals and has the potential to become a serious threat.

"Anatova has the potential to become very dangerous with its modular architecture which means that new functionalities can easily be added. The malware is written by experienced authors that have embedded enough functionalities to be sure that typical methods to overcome ransomware will be ineffective," said Christiaan Beek, lead scientist and principal engineer at McAfee.

Currently, the largest number of victims is in the US, with the ransomware also being spotted in Belgium, Germany, France, the UK and other European countries.

Spread via peer-to-peer networking, Anatova masquerades as free downloads of games and software to lure unsuspecting victims into downloading ransomware — although researchers note that it could be spread using other attack vectors in future.

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)

After the malware is sure it's targeting a legitimate system, it will create an RSA Pair of Keys using the crypto API that will cipher all strings, before generating random keys to encrypt the target system and executing the process of fully deploying the ransomware.

Those who become infected with Anatova will find themselves presented with a ransom note demanding a payment in cryptocurrency of 10 Dash, around $700, in exchange for unencrypting the files.

A cryptocurrency wallet address is provided for making the payment and the user is told to email the attackers after doing so in order to receive a decryption key. Victims are warned against trying to retrieve the files themselves and that the attack is "nothing personal, only business".


Anatova ransomware note.

Image: McAfee Labs

It's unknown for certain who is behind this new ransomware, but if the victim is a member of the Commonwealth of Independent States — made up of former Soviet nations, including Russia — Anatova will terminate itself.

Anatova also refuses to infect systems in Syria, Egypt, Morocco, Iraq and India, in a move that has befuddled researchers.

SEE: Can Russian hackers be stopped? Here's why it might take 20 years (TechRepublic cover story) | download the PDF version    

"It's quite normal to see the CIS countries being excluded from execution and often an indicator that the authors might be originating from one of these countries," said Alexandre Mundo, senior malware analyst in McAfee's advanced threat research team.

"In this case it was surprising to see the other countries being mentioned. We do not have a clear hypothesis on why these countries in particular are excluded," he added.


Editorial standards