Blog
Shriram Munde

New Saturn Ransomware offers ransomware-as-a-service

February 19, 2018
  • 22
    Shares
0
Estimated reading time: 4 minutes

Quick Heal Security Labs has come across a new ransomware called ‘Saturn’ currently doing the rounds which upon encryption appends “. Saturn” extension to the encrypted files.

 Behaviour of Saturn Ransomware

Upon arrival on the host machine, Saturn ransomware checks whether it is a virtual environment or has any debuggers. If these checks are satisfied, it will not execute. It also checks whether the current system user is an administrator or not.

            Fig 1. Snippet showing anti-debugger check.

After successful execution, Saturn fires the below command to disable Windows repair and backup option using Vssadmin.exe. Vssadmin.exe is used to create and manage shadow volume copies on the drive.

  1. “C:\Windows\System32\cmd.exe” /C vssadmin.exe delete shadows /all /quiet & wmic.exe shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog”
  2. “C:\Windows\system32\vssadmin.exe, vssadmin.exe delete shadows /all /quiet “

After executing the above commands, Saturn starts its encryption activity. Our analysis says that ransomware basically encrypts Non-PE files and below are the extensions which it successfully encrypted while generating the scenario.

‘txt,pptx, ppt, csv, docm,wpd, wps, text, dif, xls, doc, xlsx, xlsm, docx, rtf, xml,pdf, cdr, 1cd, sqlite, wav, mp3,mid, mpa, obj, max, 3dm, 3ds, dbf, accdb, sql, pdb, mdb, wsf, apk, com, gadget, torrent, jpg, jpeg, tiff, tif, png, bmp, mp4, mov, gif, avi, wmv,ico, zip, rar, tar, backup, bak, json, php, cpp, asm, bat, vbs, class, java, jar, asp, lib,crt,pl, pem, vmx, vmdk, vdi, vbox,dat,cfg, config’.

Saturn drops infection marker files and encrypted files has the following pattern.

  Fig.2

From the dropped infection marker files,’.html,.txt and.BMP’ have the ransom note whereas ‘.vbs’ has the voice notification alert.

Saturn drops the following ransom notes

   Fig 3

        Fig 4

         Fig 5

In order to pay the ransom, the user needs to visit the website “http://su34pwhpcafeiztt.onion” using a Tor network where it asks for a decryption key and a captcha.

               Fig 6

When you log in, it displays the below page which contains the ransom to be paid and the time remaining to pay the ransom. If the ransom is not paid, after a week, the user must pay twice the previous ransom amount.

        Fig 7

Ransomware-as-a-Service

Saturn usually spreads through spam emails and malicious advertisements. Recently, it has started its own propagation technique named “RaaS: Ransomware- as-a-service”.

In this technique, it lets users create a new Saturn ransomware stub. This stub can be embedded into PE or non-PE files. The propagator of this new ransomware will get 70% of the ransom money and the remaining 30% will be rewarded to the creator.

How Quick Heal protects its users from the Saturn ransomware

Apart from the static detection, Quick Heal’s Behaviour Detection and Anti-Ransomware successfully eliminate this threat.

fig 8  Anti Ransomware                                                                 fig 9 Behaviour Detection

 

How to stay away from ransomware

  • Use a multi-layered antivirus in your system which will protect you from real-time threats.
  • Keep your antivirus up-to-date.
  • Update your Operating System regularly as critical patches are released almost every day.
  • Keep your software up-to-date. Older and outdated versions of software have vulnerabilities which are almost always exploited by attackers to infect a system with ransomware and other malware.
  • Never directly connect remote systems to the Internet. Always use a VPN (Virtual Remote Network) to access a network remotely.
  • Do not click on links or download attachments in emails received from unexpected or unknown sources.
  • Take regular data backup and keep it in a secure location.

 

Subject Matter Experts

Shalaka Patil, Priyanka Dhasade, Shashikala Halagond , Shriram Munde| Quick Heal Security Labs

 

 

  • 22
    Shares

Have something to add to this story? Share it in the comments.

Shriram Munde
About Shriram Munde
Shriram has 5 years of experience in cyber threat research and analysis. He is part of Quick Heal’s Proactive Team. His interests include blogging and exploring...
Articles by Shriram Munde »

No Comments, Be The First!

Your email address will not be published.

CAPTCHA Image