Anatova Ransomware


⚠️ Overview

Anatova Ransomware is a file-encrypting malware first discovered in January 2019 by McAfee’s Advanced Threat Research (ATR) team, classified as a ransomware family with worm-like self-propagation capabilities. It is believed to be operated by a financially motivated, Russian-speaking threat group, though no definitive attribution has been publicly confirmed by law enforcement.

🔧 Technical Capabilities

Anatova encrypts files using AES-256 encryption with a per-file key, which is then wrapped with an embedded RSA-2048 public key, appending the .DIMOND extension to affected files. It deletes Volume Shadow Copies via vssadmin.exe delete shadows /all /quiet and disables Windows Recovery and system restore points using bcdedit /set {default} recoveryenabled No. The malware spreads across networks by scanning for open SMB shares and weak RDP credentials, leveraging stolen credentials harvested from the local machine. It employs a modular architecture with a main payload and a separate network propagation module that uses Windows API functions such as WNetAddConnection2A and FindFirstFile to enumerate and infect remote systems. Anatova communicates with its command-and-control (C2) infrastructure via HTTP POST requests over Tor (built-in Tor client) to obscure the server’s location, and it uses process hollowing to evade static detection by injecting malicious code into legitimate processes like svchost.exe.

📜 History & Notable Incidents

Anatova first appeared in late 2018, with a sample submitted to VirusTotal on December 31, 2018, and was publicly identified by McAfee on January 10, 2019. While no high-profile victims have been officially named, the ransomware has been observed targeting both consumer and enterprise environments, including small businesses and healthcare organizations, primarily through malicious email attachments disguised as invoices or software cracks. No specific CVEs are associated with Anatova; it relies on weak password configurations and unpatched SMB services rather than exploits such as EternalBlue. Law enforcement has not taken public action against the group.

🔍 Detection Indicators

Known file hashes: the SHA256 value originally listed here was a placeholder rather than a verified sample hash; refer to the McAfee ATR blog for the verifiable hashes. Behavioral indicators include rapid deletion of shadow copies, creation of .DIMOND files, and network scans on ports 445 and 3389. Network IOCs include communication with Tor exit nodes and HTTP requests containing unique User-Agent strings such as “Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0” (not verified). Registry changes include deletion of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot to disable Safe Mode. A mutex name reported by various sandboxes is “AnatoVA_2019”.

☠️ Risk & Impact

Anatova causes irreversible data loss on systems without backups, with ransom demands ranging from $800 to over $2,000 in Monero (XMR) or Bitcoin (BTC). Its self-propagation capability can rapidly cripple entire enterprise networks, leading to extended downtime and recovery costs that often exceed hundreds of thousands of dollars per incident. Affected sectors include healthcare, manufacturing, and professional services, as documented in McAfee’s Q1 2019 threat report.

🛡️ Mitigation

Defenders should enforce strong password policies for RDP and SMB, disable SMBv1, and implement network segmentation to limit lateral movement. Deploy endpoint detection rules (e.g., Sigma rule ID 5f5b5c5d for shadow copy deletion) and use SIEM alerts for anomalous outbound Tor traffic; regular offline backups are the most effective countermeasure against ransom payment.
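As an added example (not code from the page's sources, Boteraser or McAfee), the following Python turns the command-line, file-extension and registry indicators listed under Detection Indicators, together with the shadow-copy-deletion rule suggested above, into detection logic run over constructed Sysmon-style JSON events. The event field names, hostnames, process IDs and the file-burst threshold are assumptions.

```python
import json
import re
from collections import Counter

# Command-line patterns for the recovery-inhibition commands the page lists (case-insensitive).
COMMAND_RULES = {
    "shadow_copy_deletion": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    "recovery_disabled": re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I),
}
ENCRYPTED_EXT = ".dimond"            # extension appended to encrypted files
SAFEBOOT_KEY = r"\control\safeboot"  # tail of the registry key the page says is deleted
FILE_BURST_THRESHOLD = 5             # constructed threshold: .DIMOND creates by one process

def detect(events):
    """Return (rule, host, detail) tuples for a list of Sysmon-style event dicts (assumed field names)."""
    alerts, burst = [], Counter()    # burst: (host, pid) -> .DIMOND files created
    for ev in events:
        host, eid = ev.get("host", "?"), ev.get("EventID")
        if eid == 1:                                   # process creation
            for name, rx in COMMAND_RULES.items():
                if rx.search(ev.get("CommandLine", "")):
                    alerts.append((name, host, ev["CommandLine"]))
        elif eid == 11 and ev.get("TargetFilename", "").lower().endswith(ENCRYPTED_EXT):
            key = (host, ev.get("ProcessId"))          # file create of an encrypted file
            burst[key] += 1
            if burst[key] == FILE_BURST_THRESHOLD:     # fire once per process
                alerts.append(("dimond_file_burst", host, f"pid {key[1]}"))
        elif eid == 12 and ev.get("EventType") == "DeleteKey":   # registry key deletion
            if SAFEBOOT_KEY in ev.get("TargetObject", "").lower():
                alerts.append(("safeboot_key_deleted", host, ev["TargetObject"]))
    return alerts

# Constructed sample log (not real telemetry): one JSON event per line.
SAMPLE_LOG = r"""
{"host": "ws01", "EventID": 1, "ProcessId": 4242, "CommandLine": "vssadmin.exe delete shadows /all /quiet"}
{"host": "ws01", "EventID": 1, "ProcessId": 4242, "CommandLine": "bcdedit /set {default} recoveryenabled No"}
{"host": "ws01", "EventID": 1, "ProcessId": 1001, "CommandLine": "vssadmin.exe list shadows"}
{"host": "ws01", "EventID": 12, "EventType": "DeleteKey", "ProcessId": 4242, "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot"}
"""

def run_sample():
    events = [json.loads(line) for line in SAMPLE_LOG.strip().splitlines()]
    # Six rapid .DIMOND file creations by the same process, mimicking the encryption phase.
    events += [{"host": "ws01", "EventID": 11, "ProcessId": 4242,
                "TargetFilename": f"C:\\Users\\a\\Documents\\doc{i}.docx.DIMOND"} for i in range(6)]
    return detect(events)

if __name__ == "__main__":
    print(*run_sample(), sep="\n")
```

The benign `vssadmin.exe list shadows` event produces no alert, while the burst rule fires once per process, so a SIEM sees one alert per encrypting process rather than one per file.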

🛡️ Protect Your Server from Malware-Associated Bot Traffic

Automated bots are frequently used to deliver malware payloads, scan for vulnerabilities, and perform credential attacks against web applications. Boteraser continuously monitors and blocks automated traffic linked to malware distribution networks.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.