Quick Heal Security Labs has come across a new ransomware called ‘Saturn’, currently doing the rounds, which appends the “.saturn” extension to the files it encrypts.
Behaviour of Saturn Ransomware
Upon arrival on the host machine, Saturn ransomware checks whether it is running in a virtual environment or under a debugger. If either is detected, it does not execute. It also checks whether the current system user is an administrator.
Fig 1. Snippet showing anti-debugger check.
After successful execution, Saturn runs the command below to disable the Windows repair and backup options using Vssadmin.exe. Vssadmin.exe is the utility used to create and manage volume shadow copies on the drive.
After executing the above commands, Saturn starts its encryption activity. Our analysis shows that the ransomware encrypts non-PE files; below are the extensions it successfully encrypted while we reproduced the scenario.
‘txt, pptx, ppt, csv, docm, wpd, wps, text, dif, xls, doc, xlsx, xlsm, docx, rtf, xml, pdf, cdr, 1cd, sqlite, wav, mp3, mid, mpa, obj, max, 3dm, 3ds, dbf, accdb, sql, pdb, mdb, wsf, apk, com, gadget, torrent, jpg, jpeg, tiff, tif, png, bmp, mp4, mov, gif, avi, wmv, ico, zip, rar, tar, backup, bak, json, php, cpp, asm, bat, vbs, class, java, jar, asp, lib, crt, pl, pem, vmx, vmdk, vdi, vbox, dat, cfg, config’.
Saturn drops infection marker files, and the encrypted files have the following pattern.
Of the dropped infection marker files, the ‘.html, .txt and .BMP’ files carry the ransom note, whereas the ‘.vbs’ file plays the voice notification alert.
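The behaviour described above (a Vssadmin.exe launch followed by files with the listed extensions gaining the appended extension) can be turned into a simple correlation check. The following is an added example, not Quick Heal's code: the event schema, the 300-second window and the three-file threshold are assumptions, encrypted names are assumed to have the shape `<name>.<ext>.saturn`, and any Vssadmin.exe launch is matched because the exact command is not reproduced on this page.

```python
import ntpath
from collections import defaultdict

# Extensions the article lists as encrypted.
TARGETED = set("""txt pptx ppt csv docm wpd wps text dif xls doc xlsx xlsm docx rtf
xml pdf cdr 1cd sqlite wav mp3 mid mpa obj max 3dm 3ds dbf accdb sql pdb mdb wsf apk
com gadget torrent jpg jpeg tiff tif png bmp mp4 mov gif avi wmv ico zip rar tar
backup bak json php cpp asm bat vbs class java jar asp lib crt pl pem vmx vmdk vdi
vbox dat cfg config""".split())
MARKER = ".saturn"  # appended extension, compared case-insensitively

def original_ext(path):
    """Pre-encryption extension if path is <name>.<ext>.saturn with a listed ext, else None."""
    name = ntpath.basename(path).lower()
    if not name.endswith(MARKER):
        return None
    inner = ntpath.splitext(name[:-len(MARKER)])[1].lstrip(".")
    return inner if inner in TARGETED else None

def detect(events, window=300, min_files=3):
    """Hosts where vssadmin.exe ran and >= min_files listed files gained the marker within window seconds."""
    vss, hits = defaultdict(list), defaultdict(list)
    for e in events:
        if e["type"] == "proc" and ntpath.basename(e["image"]).lower() == "vssadmin.exe":
            vss[e["host"]].append(e["ts"])
        elif e["type"] == "file" and original_ext(e["path"]):
            hits[e["host"]].append(e["ts"])
    alerts = {}
    for host, starts in vss.items():
        best = max(sum(0 <= t - s <= window for t in hits[host]) for s in starts)
        if best >= min_files:
            alerts[host] = best
    return alerts

# Constructed sample events (hypothetical schema: ts in seconds, host, type, image/path).
EVENTS = [
    {"ts": 100, "host": "WS01", "type": "proc", "image": r"C:\Windows\System32\vssadmin.exe"},
    {"ts": 110, "host": "WS01", "type": "file", "path": r"C:\Users\a\Documents\budget.xlsx.saturn"},
    {"ts": 112, "host": "WS01", "type": "file", "path": r"C:\Users\a\Documents\notes.txt.saturn"},
    {"ts": 115, "host": "WS01", "type": "file", "path": r"C:\Users\a\Pictures\photo.JPG.saturn"},
    {"ts": 118, "host": "WS01", "type": "file", "path": r"C:\Tools\setup.exe.saturn"},  # PE, not listed
    {"ts": 50, "host": "WS02", "type": "proc", "image": r"C:\Windows\System32\vssadmin.exe"},
    {"ts": 60, "host": "WS02", "type": "file", "path": r"D:\img\saturn.png"},  # name only, no marker
    {"ts": 900, "host": "WS03", "type": "file", "path": r"C:\Users\b\a.doc.saturn"},
]

if __name__ == "__main__":
    print(detect(EVENTS))
```

Only WS01 is flagged: WS02 ran Vssadmin.exe without any marked files, and WS03 has a marked file but no Vssadmin.exe launch in the data.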
Saturn drops the following ransom notes
In order to pay the ransom, the user needs to visit the website “https://su34pwhpcafeiztt.onion” over the Tor network, where the site asks for a decryption key and a captcha.
When you log in, it displays the page below, which shows the ransom to be paid and the time remaining to pay it. If the ransom is not paid, after a week the user must pay twice the previous ransom amount.
Saturn usually spreads through spam emails and malicious advertisements. Recently, it has started its own propagation technique named “RaaS: Ransomware-as-a-service”.
In this technique, it lets users create a new Saturn ransomware stub. This stub can be embedded into PE or non-PE files. The propagator of this new ransomware will get 70% of the ransom money and the remaining 30% will be rewarded to the creator.
How Quick Heal protects its users from the Saturn ransomware
Apart from the static detection, Quick Heal’s Behaviour Detection and Anti-Ransomware successfully eliminate this threat.
Fig 8. Anti Ransomware
Fig 9. Behaviour Detection
How to stay away from ransomware
Subject Matter Experts
Shalaka Patil, Priyanka Dhasade, Shashikala Halagond, Shriram Munde | Quick Heal Security Labs