Satan ransomware raises its head again!

Satan ransomware first occurred in early 2017. And it has resurfaced with a new variant in 2018. We have seen it using new, innovative techniques to spread such as EternalBlue exploit to distribute over compromised networks.

 

This variant of Satan propagates using the below techniques:

• Mimikatz
• EternalBlue – exploit CVE-2017-0143

 

Technical Analysis

1. The mother file is packed with the MPRESS packer (as shown in the snippet in fig 1) which after execution drops many public version EternalBlue files on the victim’s machine.

Fig 1. The file is packed with Mpress packer

2. These files are dropped at ‘C:\Users\All Users\’ location. These files are also packed with the MPRESS packer.

3. Mother file scans for all the systems which are in the same network using EternalBlue to find outdated SMB services and encrypts files on the host systems to maximize profit from attack.

Fig 2. Dropped EternalBlue files

 

 

This version of Satan also drops mmkt.exe (Mimikatz) which is an open-source tool that permits the attacker to dig out credential information from the Windows lsass (Local Security Authority Subsystem Service). Using Mimikatz, it then stores credential of network computers and then it accesses and infects machines on the same network using these credentials.

It had dropped satan.exe on the victim’s machine at C drive and executed it, which is responsible for encryption.

Fig 3. Drop location for satan.exe from mother file.

For storing unique host identifier, it drops a file with name “KSession” at “C:\Windows\Temp\”

Satan renames an encrypted file in following way:

E.g.: Example.jpg to [dbger@protonmail.com] Example.jpg.dbger

Following are the infection marker files and encrypted files with their pattern.

Fig 4. Encrypted files pattern.

The ransom note of this ransomware looks like this (fig 5)

Fig 5. Ransom note

After encrypting all the data on the victim’s machine, it kills Satan.exe from memory but the mother file keeps running for sending data to a Command and Control server as seen from the following snippet.

Fig6. Connection to CNC server.

 

How Quick Heal protects its users from the Satan ransomware : –

Quick Heal works on multiple levels to protect its users from this threat. These levels include:

• Virus Protection
• Behavior-based Detection
• Anti-Ransomware

 Fig 7. Behavior Detection

 Fig 8. Anti-Ransomware Detection

 

How to stay safe from ransomware attacks

• Always take a backup of your important data in external drives like HDD and pen drives. Consider using a reliable Cloud service to store the data.
• Never install any freeware or cracked versions of any software.
• Do not open any advertisement pages shown on websites without knowing that they are genuine.
• Disable macros while using MS Office.
• Always install and update your anti-virus to protect your system from unknown threats.

 

Indicators of compromise:

• MD5: 6E44ABB2B449DD0BCADF8B0316590D0E

Subject matter experts

Priyanka Dhasade, Shalaka Patil | Quick Heal Security Labs