win.anatova_ransom

Anatova Ransomware


Anatova is a ransomware family whose goal is to encrypt every file it can reach and then demand payment from the victim. It also checks whether network shares are connected and encrypts the files on those shares as well. The code is also prepared to support modular extensions.

References
2019-01-23 — Bleeping Computer — Ionut Ilascu
New Anatova Ransomware Supports Modules for Extra Functionality
Anatova Ransomware
2019-01-22 — McAfee — Alexandre Mundo
Happy New Year 2019! Anatova is here!
Anatova Ransomware
Yara Rules
[TLP:WHITE] win_anatova_ransom_auto (20260504 | Detects win.anatova_ransom.)
rule win_anatova_ransom_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.anatova_ransom."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.anatova_ransom"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES
     * The hex byte groups are the signature; the "| <mnemonic>" column beside
     * each group is advisory only. Identical byte groups carry different
     * annotations in different sequences (83f800 in $sequence_0 vs
     * $sequence_3; 4c89d1 in $sequence_1, $sequence_2, $sequence_4 and
     * $sequence_8), so the column is not a faithful per-instruction
     * disassembly of the bytes on the same line. The many "dec eax" /
     * "dec esp" / "inc ecx" entries next to 48/4c/41 lead bytes look like
     * 64-bit code decoded in 32-bit mode — confirm with a disassembler before
     * relying on any mnemonic here. "????????" runs are wildcarded 4-byte
     * operands (call/jmp targets and RIP-relative displacements), which is
     * what lets the sequences survive relocation across builds.
     */


    strings:
        $sequence_0 = { 83f800 0f8454010000 488d85d4fdffff 4989c3 488d058f410000 }
            // n = 5, score = 200
            //   83f800               | mov                 dword ptr [ebp - 0x20], eax
            //   0f8454010000         | dec                 eax
            //   488d85d4fdffff       | mov                 dword ptr [ebp - 0x10], eax
            //   4989c3               | dec                 eax
            //   488d058f410000       | lea                 eax, [0x65ca]

        $sequence_1 = { 4c89d1 4c89da 4c8b1d???????? 41ffd3 e9???????? 48b80000000000000000 c9 }
            // n = 7, score = 200
            //   4c89d1               | mov                 byte ptr [ebp - 0x111], al
            //   4c89da               | mov                 eax, 0xf
            //   4c8b1d????????       |                     
            //   41ffd3               | mov                 byte ptr [ebp - 0x110], al
            //   e9????????           |                     
            //   48b80000000000000000     | mov    eax, 0x2710
            //   c9                   | dec                 ecx

        $sequence_2 = { 4989c2 4c89d1 4c89da 4c8b1d???????? 41ffd3 0fb6c0 488b45a8 }
            // n = 7, score = 200
            //   4989c2               | mov                 ecx, edx
            //   4c89d1               | mov                 eax, dword ptr [ebp - 0x30]
            //   4c89da               | cmp                 eax, 1
            //   4c8b1d????????       |                     
            //   41ffd3               | jge                 0x1f89
            //   0fb6c0               | mov                 eax, dword ptr [ebp - 0x30]
            //   488b45a8             | dec                 eax

        $sequence_3 = { 488d058f410000 4989c2 4c89d1 4c89da 4c8b1d???????? 41ffd3 83f800 }
            // n = 7, score = 200
            //   488d058f410000       | je                  0x19e9
            //   4989c2               | cmp                 eax, 9
            //   4c89d1               | je                  0x1a0e
            //   4c89da               | cmp                 eax, 0xa
            //   4c8b1d????????       |                     
            //   41ffd3               | je                  0x1a33
            //   83f800               | cmp                 eax, 8

        $sequence_4 = { b807000000 884590 b809000000 884591 b80e000000 884592 b803000000 }
            // n = 7, score = 200
            //   b807000000           | dec                 esp
            //   884590               | mov                 ecx, edx
            //   b809000000           | dec                 esp
            //   884591               | mov                 edx, ebx
            //   b80e000000           | inc                 ecx
            //   884592               | call                ebx
            //   b803000000           | dec                 eax

        $sequence_5 = { 488d0513300000 488945a0 488d0517300000 488945a8 }
            // n = 4, score = 200
            //   488d0513300000       | dec                 eax
            //   488945a0             | mov                 dword ptr [ebp - 0x18], eax
            //   488d0517300000       | dec                 eax
            //   488945a8             | lea                 eax, [0x2a66]

        $sequence_6 = { 4c89da e8???????? 488d053ffdffff 488d0dc8a0ffff 29c8 488d4de0 4989c9 }
            // n = 7, score = 200
            //   4c89da               | dec                 eax
            //   e8????????           |                     
            //   488d053ffdffff       | mov                 eax, dword ptr [ebp - 0x18]
            //   488d0dc8a0ffff       | dec                 eax
            //   29c8                 | cmp                 eax, 0
            //   488d4de0             | je                  0x1179
            //   4989c9               | dec                 eax

        $sequence_7 = { b814010000 4889442428 488d056e570000 4889442420 b800000000 4989c1 488d058e580000 }
            // n = 7, score = 200
            //   b814010000           | dec                 eax
            //   4889442428           | add                 ecx, eax
            //   488d056e570000       | movsx               eax, byte ptr [ecx]
            //   4889442420           | xor                 eax, 5
            //   b800000000           | mov                 byte ptr [ecx], al
            //   4989c1               | jmp                 0x1468
            //   488d058e580000       | dec                 eax

        $sequence_8 = { 0fbe01 83f005 8801 ebdb 488b45e8 4989c2 4c89d1 }
            // n = 7, score = 200
            //   0fbe01               | mov                 ebx, eax
            //   83f005               | dec                 eax
            //   8801                 | mov                 eax, dword ptr [ebp - 0x60]
            //   ebdb                 | dec                 ecx
            //   488b45e8             | mov                 edx, eax
            //   4989c2               | dec                 esp
            //   4c89d1               | mov                 ecx, edx

        $sequence_9 = { 4889c1 83c001 8945d4 ebe1 b800000000 4889442428 48b80000000000000000 }
            // n = 7, score = 200
            //   4889c1               | mov                 byte ptr [ebp - 2], al
            //   83c001               | movzx               eax, byte ptr [ebp - 2]
            //   8945d4               | dec                 esp
            //   ebe1                 | mov                 ecx, edx
            //   b800000000           | dec                 eax
            //   4889442428           | cmp                 eax, 0
            //   48b80000000000000000     | je    0x191f

    /* Match policy: at least 7 of the 10 $sequence_* strings must be present,
     * and only in inputs smaller than 671744 bytes. The sequences were taken
     * from memory dumps and unpacked files (see DISCLAIMER), so expect the
     * rule to be most useful on unpacked samples and on memory scans; a
     * packed or otherwise transformed file may not expose these byte runs,
     * and an input at or above the filesize bound is excluded regardless of
     * its content. When wiring this into a pipeline, note that the bound is
     * an anti-false-positive tuning from the generator, not a property of
     * the family.
     */
    condition:
        7 of them and filesize < 671744
}