LTS Secure Warning: Satan Ransomware Rises To The Surface Again

Satan ransomware is a crypto-virus, alternatively known as Satan Cryptor which makes use of the EternalBlue exploit. The ransomware made it first appearance in the year 2017. Now a newer version of the ransomware has been identified, which attempts to propagate through:

• Tomcat web application brute forcing
• EternalBlue exploit CVE-2017-0143
• Weblogic CVE-2017-10271
• Mimikatz

Technical Details

The initial Trojan file is spread via various medium such as Mail-Spam campaign, freeware software, etc. The malicious files are packed using MPRESS packer. Once the user downloads and executes the file, many public versions of the EternalBlue files are dropped on the victim device.

Later the file scans for all the devices that are present in the victim network with the help of EternalBlue to find out all the devices that are using out-of-date SMB services to increase its impact radius and make more profit.

Finally, it drops the satan.exe on the infected computer and begins encrypting the files. Once done, all the encrypted will have the .dbger extension. A ransom note is then made available on the victim device with the instruction of how to decrypt all your files and the amount of BTC to be paid to receive the deception key. There is a deadline of 3 days for payment, which once passed will make the files no recoverable.

Impact

• Loss of  Productivity
• Downtime in Business Critical operations
• Damage of hostage systems, data, and files

Recommended Actions

• Regularly update your antivirus software & perform malware scans to protect against unknown threats.
• Disable macros while using MS Office.
• Don’t forget to change your system/ server password on a regular basis.
• Do not open any advertisement pages shown on websites without knowing that they are genuine.
• Take system back-ups on regular intervals.