Neural Nuggets: Model Musings on Anatova

As 2018 comes to an end, one of the key questions being asked relative to the threat landscape in 2019 is which threats will have a significant impact this year. With only a few weeks into the new year, Ransomware seems to be taking the lead. A new Ransomware threat family, dubbed Anatova, has emerged, targeting users in English speaking countries. Based on analysis of Anatova samples, this ransomware demonstrates multiple mechanisms–modular design and sophisticated encryption algorithm–that rival the sophistication levels of other mature Ransomware families.

At this moment in time, Anatova is being distributed via file sharing platforms, targeting consumers using the guise of popular game titles such as “The Call of Cthulhu”. However, due to the modular nature of this family, it is possible that the threat actors behind Anatova will pivot and adapt the threat to target enterprises directly.

Our analysis shows that Anatova takes a smash and grab approach to hijacking files; once executed, the malware encrypts as many files as possible on the infected system by targeting files that are less than 1 MB in size before presenting the ransomware demand. If executed in an enterprise environment, the mechanism used by Anatova could wreak havoc on enterprise data.

Threat Dynamics

Blue Hexagon proactively detected the Anatova threat family and its various components with deep learning models that were created months before the threat was named in the wild. We believe that the threat was in active distribution starting the second week of January. Several files related to the initial campaign were observed as depicted in Figure 1. Interestingly, most of the threat characteristics were similar except for changes in the resource section in the threat executables. However this slight mutation in the threat structure seems to be effective in evasion.

Timeline of outbreak for Anatova based on Blue Hexagon analysis
Figure 1: Timeline of outbreak for Anatova on January 16th. Y-axis shows number of detections on first analysis versus samples(X-axis)

With each sample of Anatova released, the detection coverage on Virustotal showed that only 3-4% of vendor solutions detected the threat. What was more striking was that as each sample came out, the detection coverage did not improve. Even as the original sample was getting publicity, that knowledge did not improve the detection of the samples introduced later in the day.

While the timeline and initial detection is interesting, another dimension of the threat dynamics is how the detections change over time and whether the trends are the same for different samples. This is shown in Figure 2.

Threat detection profile of two Anatova variants over time.
Figure 2: Threat detection profile of two Anatova variants over time

Figure 2 plots the Threat Detection Profile (TDP) of the first and fourth sample of Anatova that were introduced several hours apart. The graph plots the detection rates from January 16th through January 25th. Several interesting observations can be made from this graph:

  • Though the samples are introduced several hours apart, they both start with the same low TDP of ~5%, i.e the first sample does not help with detection of the fourth sample.
  • As time progresses, the fourth sample continues to have a low detection rate even as the threat detection rate of the first sample is increasing over time as more signatures are added to vendor solutions. Clearly, the fourth Anatova sample has proven more successful at evading detection.
  • TDP only reaches some sort of majority consensus after multiple days have elapsed from the onset of the original threat. Finally, even after a week, the final TDP stays only at around 70%.

This means that some Anatova samples were different enough that solutions that could detect one sample did not work for others. Additionally, even a week after it was released, 30% of threat products on the market still didn’t detect it.

How Deep Learning Models Reasoned About Anatova

Each sample demonstrated evasion tactics that complicates traditional threat detection approach so we looked into how deep learning was performing as each threat was coming out in the wild.

Figure 3 below shows pairwise similarity (scaled 0 to 1) among 15 samples of different threat types including 5 Anatova samples (bottom right 10-14). Each point on the x and y axis represents a particular threat sample. A sample’s similarity to itself is by definition high so the diagonal of the diagram shows white indicating maximum similarity. Shades of blue indicate the level of dissimilarity; darker denotes increased dissimilarity.

5 anatova samples compared for pairwise similarity.
Figure 3: Five Anatova samples compared for pairwise similarity

The deep learning models reasoned that all samples of the Anatova threat were highly similar to each other in the embedding space and hence detections were possible in real time. Also of note was the fact that Anatova was significantly dissimilar to other famous threats (see columns 10-14, row 1-10) with varying shades of blue measuring the dissimilarity. This clearly shows how the characteristic of the new threats is different from the past, but deep learning models are able to reason about their mal-intent.

We have identified additional samples that are currently under investigation. Additional details or information on this threat family can be obtained by contacting Blue Hexagon Labs.