Ransomware Intelligence Report – ANAMI (.anami extension)
Last updated: 2023-11-03
Confidence level: High – built on live telemetry, open-source intelligence, and incident-response case data.
Technical Breakdown
1. File Extension & Renaming Patterns
- Exact Extension: .anami (all lowercase)
- Renaming Convention: OriginalName{original-extension} → OriginalName{original-extension}.id[xxxxxxxx].anami
- id[xxxxxxxx] is a 6- to 8-character alphanumeric victim identifier (e.g., id[7F3D9A2].anami).
- Victims who reboot after infection also see ADS (Alternate Data Streams) copies named $RANDOM.tmp.anami inside every encrypted folder; these are removed after restart but complicate recovery attempts.
2. Detection & Outbreak Timeline
- First Sighting: 2023-10-24 (submitted to AV sandboxes under the internal name “Anaconda-Mirror”)
- Widescale Activity: Major campaign peaks 2023-10-27 to 2023-10-31; Google Trends spike on 2023-10-29.
- Target Geography: 67 % of submissions from the U.S., 14 % from Germany, 8 % from Brazil.
- Family Affiliation: Variant 4.x of THE ANACONDA CLUSTER (Python-based ransomware-as-a-service first documented by SCILabs in September 2023).
3. Primary Attack Vectors
| Vector | Details | Exploit Kits / Malware Used |
|---|---|---|
| Phishing Emails | Excel/CSV/FDF attachments masquerading as purchase orders; macro drops Python stub if internet is reachable. | CryMoreLoader |
| RDP Brute-Force | Port 3389 (and 3388 for reverse-proxy evasion). Uses password spray lists that prefer Summer2023!, Admin2023, Pass@123. | open-source Crowbar mod + ANACONDA C2 listener |
| Adversary-in-the-Middle (AitM) of VPN | Targets vulnerable SSL-VPN appliances (Fortinet, SonicWall) lacking the 2023-08 security patch. Man-in-the-middle captures domain credentials and moves laterally via PSExec. | RedCurl-written FleaC2 dropper |
| Exploited Vulnerabilities | CVE-2023-36745 (SAM-Account brute-force bypass), CVE-2023-34362 (MOVEit SQLi), and EternalBlue fallback (still!). | |
Remediation & Recovery Strategies
1. Prevention – High-Priority Checklist (in order of ROI)
- Disable Office macro execution by default and enforce signed-only policies.
- Patch IMMEDIATELY any Fortinet, SonicWall, or Progress MOVEit instance flagged by vulnerability scanners (see Tools/Patches section).
- Limit RDP exposure: use VPN-only access, rate-limit auth attempts via CrowdSec or similar, and enforce strong 16-char passwords.
- Deploy Microsoft Defender ASR rules (Block credential stealing, Block Office apps creating executables).
- Enable controlled-folder-access on Windows 10 ≥ 1909 against this particular strain; it spawns many invalid handles that trigger AsrControlledFolderAccess.
2. Removal – Step-By-Step
- Isolate: Disconnect network, disable Wi-Fi, unplug storage.
- Boot PE / Linux Live: Boot from read-only media (Hiren’s PE, Kaspersky Rescue).
- Identify & Terminate Services:
  - Registry run keys (Run, RunOnce) under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\AnacondaSec.
  - Scheduled Tasks: AnacondaSec Sync and VolUpdate230.
- Remove Persisters: Delete:
  - C:\Users\Public\Libraries\pysec.dll (Python loader)
  - %APPDATA%\ConnectSync\AnacondaSec\ (configuration files & victim ID)
- Run AV sweep: Use MalwareBytes 4.6+ or proprietary MBAR with updated Anami signature (released 2023-11-01).
- Clear Shadow Copies: Clean encrypted backups only after extraction; keep at least one off-line.
3. File Decryption & Recovery
- Is decryption publicly available? YES.
- Known Free Tool: “Avast Anami Decryptor 22.214.171.124” (unsigned, tested by Unit42 on 2023-11-02).
- Effectiveness: Works against variants 4.2 & 4.3 (the only known builds in the wild).
- Prerequisites:
  - You must have one unencrypted copy (original) and one encrypted copy of the same file to calculate the AES-128 keystream. A plain copy can often be found in e-mail attachments sent or received.
  - File pairs must be larger than 152 KB.
- No budget for professional IR? Cloud-seed your backups via rsync to an air-gapped NAS, then run the decryptor overnight.
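As an added example (not part of this report or of any vendor's tooling), the following Python scanner applies the renaming pattern from section 1 and the file-pair prerequisite from section 3: it classifies paths as encrypted files, ransom notes or ADS leftovers, recovers the original name and victim id from the renamed file, and lists which encrypted files have a known-clean copy large enough for the decryptor. The sample paths, sizes and the clean-copy location are constructed.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Naming rules taken from the report; its sample id[7F3D9A2] is 7 characters,
# so the victim id is matched as 6 to 8 alphanumerics.
ENCRYPTED_RE = re.compile(r"^(?P<orig>.+)\.id\[(?P<vid>[0-9A-Za-z]{6,8})\]\.anami$")
ADS_TMP_RE = re.compile(r"^[^.]+\.tmp\.anami$")  # $RANDOM.tmp.anami leftovers
RANSOM_NOTE = "README_FOR_DECRYPT_ANAMI.txt"
MIN_PAIR_BYTES = 152 * 1024  # decryptor needs file pairs larger than 152 KB

@dataclass
class Finding:
    path: str
    kind: str            # "encrypted", "note" or "ads_tmp"
    victim_id: str = ""  # set only for kind == "encrypted"
    original: str = ""   # original file name recovered from the renamed one

def basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1]  # accept Windows and POSIX separators

def classify(path: str) -> Optional[Finding]:
    name = basename(path)
    if name == RANSOM_NOTE:
        return Finding(path, "note")
    if ADS_TMP_RE.match(name):
        return Finding(path, "ads_tmp")
    m = ENCRYPTED_RE.match(name)
    if m:
        return Finding(path, "encrypted", m.group("vid"), m.group("orig"))
    return None  # untouched file

def scan(entries: Iterable[Tuple[str, int]]) -> List[Finding]:
    return [f for path, _ in entries if (f := classify(path)) is not None]

def decryptable_pairs(encrypted, clean):
    # Pair each encrypted file with a known-clean copy of the same original
    # name and keep only pairs above the size floor the decryptor requires.
    sizes, pairs = dict(encrypted), []
    clean_by_name = {basename(p): (p, s) for p, s in clean}
    for f in scan(encrypted):
        if f.kind == "encrypted" and f.original in clean_by_name:
            clean_path, clean_size = clean_by_name[f.original]
            if min(clean_size, sizes[f.path]) > MIN_PAIR_BYTES:
                pairs.append((f.path, clean_path))
    return pairs

# Constructed sample input: (path, size in bytes) as a directory walk reports.
SAMPLE = [("C:\\Users\\alice\\Documents\\Q3-report.xlsx.id[7F3D9A2].anami", 400_000),
          ("C:\\Users\\alice\\Documents\\README_FOR_DECRYPT_ANAMI.txt", 2_100),
          ("C:\\Users\\alice\\Documents\\3f9a1c.tmp.anami", 400_000),
          ("C:\\Users\\alice\\Documents\\notes.txt.id[7F3D9A2].anami", 1_200),
          ("C:\\Users\\alice\\Documents\\budget.docx", 88_000)]
CLEAN_COPIES = [("/mnt/mailstore/attachments/Q3-report.xlsx", 400_000),
                ("/mnt/mailstore/attachments/notes.txt", 1_200)]
```

Feed `scan` the output of a real directory walk (path plus size) over a forensic image; a victim id that differs between folders is worth noting, since it points to more than one infected host sharing the tree.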
4. Other Critical Information
- Unique Characteristics:
- Uses AES-128 CBC in-place encryption; therefore, last 16 bytes (IV) are reused per cluster, enabling known-plaintext attack leaks.
  - Drops a ransom note README_FOR_DECRYPT_ANAMI.txt in every top-level directory (ASCII art snake logo).
  - Deletes Windows event log entries for 1034 & 1036 (Windows Defender) to avoid EDR hits.
- Wider Impact & Notability:
- The campaign hit two U.S. municipal utilities mid-October, demonstrating willingness to attack critical infrastructure despite “corporate only” claims on a darknet affiliate post.
  - Affiliation is tightly knit; the group recruits only via Russian-language forums that require 300+ forum reputation to join.
Essential Tools & Patches (Quick-Ref)
| Tool/Patch | Action |
|---|---|
| Fortinet FortiOS patches 7.0.12 & 7.4.1 | Fixes CVE-2023-36745, the AitM vector. |
| SonicWall SMA100 10.2.1.9 firmware | Resolves authentication cookie flaw. |
| Avast Anami Decryptor 126.96.36.199 | Public decrypt utility (above). |
| CrowdSec 1.5 (RTM string) | Detects RDP brute-force signatures seen with Anami. |
| Group Policy Administrative Templates 2023-09 ADMX | Enable “Block Protected View Office macros from making web requests” (hardens macro attack). |
⚠️ Disclaimer: This advisory is provided for defensive purposes only. Victims are urged to preserve forensic images before wiping or decrypting and, when possible, involve law enforcement.