New Saturn Ransomware offers ransomware-as-a-service
Quick Heal Security Labs has come across a new ransomware called ‘Saturn’ currently doing the rounds which upon encryption appends “. Saturn” extension to the encrypted files.
Behaviour of Saturn Ransomware
Upon arrival on the host machine, Saturn ransomware checks whether it is a virtual environment or has any debuggers. If these checks are satisfied, it will not execute. It also checks whether the current system user is an administrator or not.
Fig 1. Snippet showing anti-debugger check.
After successful execution, Saturn fires the below command to disable Windows repair and backup option using Vssadmin.exe. Vssadmin.exe is used to create and manage shadow volume copies on the drive.
- “C:\Windows\System32\cmd.exe” /C vssadmin.exe delete shadows /all /quiet & wmic.exe shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog”
- “C:\Windows\system32\vssadmin.exe, vssadmin.exe delete shadows /all /quiet “
After executing the above commands, Saturn starts its encryption activity. Our analysis says that ransomware basically encrypts Non-PE files and below are the extensions which it successfully encrypted while generating the scenario.
‘txt,pptx, ppt, csv, docm,wpd, wps, text, dif, xls, doc, xlsx, xlsm, docx, rtf, xml,pdf, cdr, 1cd, sqlite, wav, mp3,mid, mpa, obj, max, 3dm, 3ds, dbf, accdb, sql, pdb, mdb, wsf, apk, com, gadget, torrent, jpg, jpeg, tiff, tif, png, bmp, mp4, mov, gif, avi, wmv,ico, zip, rar, tar, backup, bak, json, php, cpp, asm, bat, vbs, class, java, jar, asp, lib,crt,pl, pem, vmx, vmdk, vdi, vbox,dat,cfg, config’.
Saturn drops infection marker files and encrypted files has the following pattern.
Fig.2
From the dropped infection marker files,’.html,.txt and.BMP’ have the ransom note whereas ‘.vbs’ has the voice notification alert.
Saturn drops the following ransom notes
Fig 3
Fig 4
Fig 5
In order to pay the ransom, the user needs to visit the website “https://su34pwhpcafeiztt.onion” using a Tor network where it asks for a decryption key and a captcha.
Fig 6
When you log in, it displays the below page which contains the ransom to be paid and the time remaining to pay the ransom. If the ransom is not paid, after a week, the user must pay twice the previous ransom amount.
Fig 7
Ransomware-as-a-Service
Saturn usually spreads through spam emails and malicious advertisements. Recently, it has started its own propagation technique named “RaaS: Ransomware- as-a-service”.
In this technique, it lets users create a new Saturn ransomware stub. This stub can be embedded into PE or non-PE files. The propagator of this new ransomware will get 70% of the ransom money and the remaining 30% will be rewarded to the creator.
How Quick Heal protects its users from the Saturn ransomware
Apart from the static detection, Quick Heal’s Behaviour Detection and Anti-Ransomware successfully eliminate this threat.
fig 8 Anti Ransomware fig 9 Behaviour Detection
How to stay away from ransomware
- Use a multi-layered antivirus in your system which will protect you from real-time threats.
- Keep your antivirus up-to-date.
- Update your Operating System regularly as critical patches are released almost every day.
- Keep your software up-to-date. Older and outdated versions of software have vulnerabilities which are almost always exploited by attackers to infect a system with ransomware and other malware.
- Never directly connect remote systems to the Internet. Always use a VPN (Virtual Remote Network) to access a network remotely.
- Do not click on links or download attachments in emails received from unexpected or unknown sources.
- Take regular data backup and keep it in a secure location.
Subject Matter Experts
Shalaka Patil, Priyanka Dhasade, Shashikala Halagond , Shriram Munde| Quick Heal Security Labs
No Comments, Be The First!