{
	"id": "defe7b18-4593-4981-9195-7dd3450e1079",
	"created_at": "2026-04-06T00:15:23.336464Z",
	"updated_at": "2026-04-10T03:20:40.371474Z",
	"deleted_at": null,
	"sha1_hash": "77312edf08947bdc7bc5491ceece4291a81072b2",
	"title": "New Anatova Ransomware Supports Modules for Extra Functionality",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2205301,
	"plain_text": "New Anatova Ransomware Supports Modules for Extra Functionality\r\nBy Ionut Ilascu\r\nPublished: 2019-01-23 · Archived: 2026-04-05 22:48:55 UTC\r\nA new ransomware family has appeared on analysts' radar. They regard it as a serious threat: it was written by skilled authors, and its design lets it grow into a multifunctional piece of malware.\r\nInfections with Anatova have been reported all over the world, most of them in the United States, followed by countries in Europe (Belgium, Germany, France, the UK).\r\nhttps://www.bleepingcomputer.com/news/security/new-anatova-ransomware-supports-modules-for-extra-functionality/\r\nPage 1 of 6\r\nThe ransomware includes an anti-analysis routine that is triggered under certain conditions. Once launched, it asks for admin privileges, runs a few checks, encrypts files on the computer and then demands 10 DASH coins, valued at about $700 at the time of writing.\r\nModular architecture\r\nMalware researchers from McAfee discovered Anatova on a private peer-to-peer network, where it uses the icon of a game or an application to lure users into downloading it.\r\nThey found that the new ransomware comes with support for additional modules that could extend its capabilities, allowing it to become an all-in-one malware tool.\r\nThe clue pointing to this possibility was a flag whose value determined the loading of two DLL files named 'extra1.dll' and 'extra2.dll.' \"This might indicate that Anatova is prepared to be modular or to be extended with more functions in the near future,\" the researchers say in a report.\r\nBy making Anatova modular, its authors could add all sorts of capabilities that run before the file encryption routine. 
They could collect sensitive information, plant a backdoor, or deliver other kinds of malicious payloads.\r\nAnti-analysis process\r\nAnatova's authors tried to make the ransomware more resilient to analysis by embedding a memory-cleaning procedure that activates in certain situations.\r\nAmong the first actions it takes is to check the username of the logged-in user. If the name matches one on an internal list, the ransomware runs the cleaning process and exits.\r\nAlthough the list of names Anatova checks is short, it may be enough for the sample to exit quietly on a sandbox or analyst machine whose account name matches, so that a less careful analyst never sees its real behavior. The list includes the following strings: 'LaVirulera,' 'tester,' 'Tester,' 'analyst,' 'Analyst,' 'lab,' 'Lab,' 'Malware,' and 'malware.'\r\nAccording to McAfee, these names are default choices when setting up a virtual machine or a sandbox environment, or they are regularly used by some malware analysts.\r\nOther anti-analysis measures are the encryption of most strings, each decrypted with a different key, and heavy reliance on dynamically resolved calls.\r\nAnatova seems to be a new player on the ransomware market, as the analyzed sample carried a compilation date of January 1, 2019.\r\nThe ransomware packs quite a punch for a package of just 32KB, excluding resources. It encrypts files using the Salsa20 algorithm and extends this process to available network shares.\r\nTo eliminate file recovery possibilities from the infected machine, Anatova destroys the Volume Shadow copies ten times in a row. For this, it uses the 'vssadmin' utility, which needs admin rights.\r\nEncrypted files get no special extension\r\nTo make the encryption process quick, Anatova targets files that are 1MB in size or smaller.
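The vssadmin step described above is a dependable detection point: deleting shadow copies is rare in normal operation, and Anatova repeats it ten times in a row. The following is an added example, not code from the article or from McAfee's report, that flags a parent process spawning repeated "vssadmin delete shadows" launches on one host within a short window. The log format, host names, paths, timestamps, threshold and window are constructed for the example and only loosely mirror Sysmon Event ID 1 or Windows 4688 fields.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of process-creation events in a simple key=value form that only
# loosely mirrors Sysmon Event ID 1 / Windows 4688 fields. Hosts, paths and times are made up.
DROPPER = r'C:\Users\bob\Downloads\game.exe'          # hypothetical Anatova parent process
VSSADMIN = r'C:\Windows\System32\vssadmin.exe'

SAMPLE_LOG = [
    # ten back-to-back deletions from one parent, the pattern the article describes
    f'2019-01-23T10:00:{i:02d}Z host=WS01 parent="{DROPPER}" image="{VSSADMIN}" '
    'cmdline="vssadmin delete shadows /all /quiet"'
    for i in range(10)
] + [
    # two benign uses of the same binary that must not alert
    f'2019-01-23T10:05:00Z host=WS01 parent="C:\\Windows\\System32\\cmd.exe" image="{VSSADMIN}" '
    'cmdline="vssadmin list shadows"',
    f'2019-01-23T02:00:00Z host=SRV02 parent="C:\\Program Files\\BackupAgent\\agent.exe" image="{VSSADMIN}" '
    'cmdline="vssadmin delete shadows /for=D: /oldest /quiet"',
]

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) parent="(?P<parent>[^"]*)" '
    r'image="(?P<image>[^"]*)" cmdline="(?P<cmdline>[^"]*)"$'
)
# Matches "vssadmin delete shadows ..." and "vssadmin.exe Delete Shadows ...",
# but not "vssadmin list shadows".
SHADOW_DELETE_RE = re.compile(r'\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b', re.IGNORECASE)


def parse_events(lines):
    """Parse the key=value lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev['ts'] = datetime.strptime(ev['ts'], '%Y-%m-%dT%H:%M:%SZ')
        events.append(ev)
    return events


def find_shadow_copy_wipes(events, threshold=3, window=timedelta(minutes=2)):
    """One alert per (host, parent) whose delete-shadows launches reach `threshold`
    inside any `window`. Keying on the parent keeps a dropper hammering vssadmin apart
    from an unrelated admin or backup job on the same host. Threshold and window are
    assumptions for this example, not values from the article."""
    launches = defaultdict(list)
    for ev in events:
        if SHADOW_DELETE_RE.search(ev['cmdline']):
            launches[(ev['host'], ev['parent'])].append(ev['ts'])
    alerts = []
    for (host, parent), times in launches.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):            # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append({'host': host, 'parent': parent, 'peak_in_window': peak,
                           'total': len(times), 'first': times[0], 'last': times[-1]})
    return alerts


if __name__ == '__main__':
    for a in find_shadow_copy_wipes(parse_events(SAMPLE_LOG)):
        print(f"{a['host']}: {a['parent']} launched vssadmin delete shadows {a['total']} times "
              f"({a['peak_in_window']} inside one window) between {a['first']} and {a['last']}")
```

On real telemetry, key the grouping on the parent's process GUID or PID rather than its image path, otherwise every invocation wrapped in cmd.exe collapses into one bucket. A single deletion from a backup agent stays below the threshold here; lower the threshold to 1 only if your environment never deletes shadow copies on a schedule.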
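Because Anatova keeps each file's name and extension, triage cannot rely on an extension pattern to find what was encrypted. Salsa20 output is indistinguishable from random bytes, so a byte-entropy scan limited to files at or below the 1MB ceiling above is a practical substitute. The block below is an added example, not code from the article or McAfee's report; the entropy threshold, the minimum size, the magic-number table for compressed formats, the assumption that the file header is encrypted along with the body, and the sample files are all choices made for this illustration.

```python
import math
import os
import random
from collections import Counter

MAX_SIZE = 1024 * 1024   # the article's 1MB ceiling on files Anatova encrypts
MIN_SIZE = 256           # assumption: fewer bytes give a meaningless entropy estimate
HIGH_ENTROPY = 7.5       # assumption: bits per byte above which content looks like cipher output
# Well-known headers of formats that are high-entropy by design (compressed containers);
# entropy alone cannot separate them from cipher output, but an intact header can.
MAGIC = {'.zip': b'PK\x03\x04', '.docx': b'PK\x03\x04', '.xlsx': b'PK\x03\x04',
         '.jpg': b'\xff\xd8\xff', '.jpeg': b'\xff\xd8\xff', '.png': b'\x89PNG',
         '.pdf': b'%PDF', '.gz': b'\x1f\x8b'}


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for empty or constant input, 8.0 for a uniform spread."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(name, size, data):
    """Verdict for one file: 'out_of_scope' (above the 1MB rule), 'too_small',
    'unmodified', 'likely_encrypted' or 'review'."""
    if size > MAX_SIZE:
        return 'out_of_scope'
    if size < MIN_SIZE:
        return 'too_small'
    magic = MAGIC.get(os.path.splitext(name)[1].lower())
    high = shannon_entropy(data) >= HIGH_ENTROPY
    if magic is not None:
        # Assumes the header is encrypted along with the rest of the file, which the
        # article does not state; if a sample turns out to skip the header, drop this branch.
        if data.startswith(magic):
            return 'unmodified'
        return 'likely_encrypted' if high else 'review'
    return 'likely_encrypted' if high else 'unmodified'


def triage(entries):
    """entries: iterable of (name, size, data); returns {name: verdict}."""
    return {name: classify(name, size, data) for name, size, data in entries}


def scan_tree(root):
    """Build entries from disk, reading only files inside the size window, and triage them."""
    entries = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            size = os.path.getsize(path)
            data = b''
            if MIN_SIZE <= size <= MAX_SIZE:
                with open(path, 'rb') as fh:
                    data = fh.read()
            entries.append((path, size, data))
    return triage(entries)


def _pseudo_random(n, seed):
    """Deterministic stand-in for cipher output (constructed test data, not real ciphertext)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed samples: (name, size, content). big.iso carries no content because the
# size rule alone excludes it.
SAMPLE_FILES = [
    ('report.txt', 1120, b'Quarterly figures attached. ' * 40),       # plain text
    ('notes.txt', 100, b'x' * 100),                                    # below MIN_SIZE
    ('contract.txt', 4096, _pseudo_random(4096, 1)),                   # text file after encryption
    ('ledger.xlsx', 2004, b'PK\x03\x04' + _pseudo_random(2000, 2)),    # intact zip container
    ('budget.xlsx', 2004, _pseudo_random(2004, 3)),                    # container with header gone
    ('photo.jpg', 1500, _pseudo_random(1500, 4)),                      # same for an image
    ('scan.pdf', 1009, b'%PDF-1.7\n' + _pseudo_random(1000, 5)),       # intact PDF
    ('big.iso', 5 * 1024 * 1024, b''),                                 # above the 1MB rule
]

if __name__ == '__main__':
    for name, verdict in triage(SAMPLE_FILES).items():
        print(f'{verdict:17} {name}')
```

The 'review' verdict covers a compressed format whose header is gone but whose body is not random, which is more likely corruption than encryption. Files above 1MB are reported as out of scope under the article's rule, not as clean; if a later sample raises the limit, raise MAX_SIZE rather than trusting those files.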
The routine skips critical directories and files, and encrypted files keep their original extension.\r\n\"By setting pointers at the end of the encrypted files, Anatova makes sure that it does not encrypt files that are already encrypted,\" explain the researchers.\r\nUnlike other ransomware pieces, this one adds the ransom note only to folders where it encrypted at least one file. It also will not overwrite an existing note, most likely to save time.\r\nOne peculiarity Lawrence Abrams of BleepingComputer observed while testing the ransomware multiple times was that it crashed Windows File Explorer.\r\nAnatova could prove to be a next step in the evolution of the ransomware threat by incorporating functions that take advantage of the full spectrum of monetization possibilities. This way, even if the victim does not pay the ransom, the criminals can still make money by stealing private and sensitive information, or by selling access to the compromised machine.\r\nSource: https://www.bleepingcomputer.com/news/security/new-anatova-ransomware-supports-modules-for-extra-functionality/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/new-anatova-ransomware-supports-modules-for-extra-functionality/"
	],
	"report_names": [
		"new-anatova-ransomware-supports-modules-for-extra-functionality"
	],
	"threat_actors": [],
	"ts_created_at": 1775434523,
	"ts_updated_at": 1775791240,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/77312edf08947bdc7bc5491ceece4291a81072b2.pdf",
		"text": "https://archive.orkl.eu/77312edf08947bdc7bc5491ceece4291a81072b2.txt",
		"img": "https://archive.orkl.eu/77312edf08947bdc7bc5491ceece4291a81072b2.jpg"
	}
}