Satan ransomware first occurred in early 2017. And it has resurfaced with a new variant in 2018. We have seen it using new, innovative techniques to spread such as EternalBlue exploit to distribute over compromised networks.
This variant of Satan propagates using the below techniques:
1. The mother file is packed with the MPRESS packer (as shown in the snippet in fig 1) which after execution drops many public version EternalBlue files on the victim’s machine.
Fig 1. The file is packed with Mpress packer
2. These files are dropped at ‘C:\Users\All Users\’ location. These files are also packed with the MPRESS packer.
3. Mother file scans for all the systems which are in the same network using EternalBlue to find outdated SMB services and encrypts files on the host systems to maximize profit from attack.
Fig 2. Dropped EternalBlue files
This version of Satan also drops mmkt.exe (Mimikatz) which is an open-source tool that permits the attacker to dig out credential information from the Windows lsass (Local Security Authority Subsystem Service). Using Mimikatz, it then stores credential of network computers and then it accesses and infects machines on the same network using these credentials.
It had dropped satan.exe on the victim’s machine at C drive and executed it, which is responsible for encryption.
Fig 3. Drop location for satan.exe from mother file.
For storing unique host identifier, it drops a file with name “KSession” at “C:\Windows\Temp\”
Satan renames an encrypted file in following way:
E.g.: Example.jpg to [firstname.lastname@example.org] Example.jpg.dbger
Following are the infection marker files and encrypted files with their pattern.
Fig 4. Encrypted files pattern.
The ransom note of this ransomware looks like this (fig 5)
Fig 5. Ransom note
After encrypting all the data on the victim’s machine, it kills Satan.exe from memory but the mother file keeps running for sending data to a Command and Control server as seen from the following snippet.
Fig6. Connection to CNC server.
How Quick Heal protects its users from the Satan ransomware : –
Quick Heal works on multiple levels to protect its users from this threat. These levels include:
Fig 7. Behavior Detection
Fig 8. Anti-Ransomware Detection
How to stay safe from ransomware attacks
Indicators of compromise:
Subject matter experts
Priyanka Dhasade, Shalaka Patil | Quick Heal Security Labs