Satana is a newly discovered ransomware trojan that wages a two-pronged attack on victims – it encrypts the user’s files and also prevents their machine from loading Windows, demanding a ransom to unlock and decrypt the computer. Satana is considered copycat ransomware, as it combines the attack methods of two well-known ransomware trojans, Petya and Mischa, with a few tricks of its own.
‘Satana’ is Italian for ‘the Devil’, and this ransomware’s behavior is pretty devilish. The attack comes in two distinct stages:
First, Satana launches a user account control (UAC) notification, which pops up repeatedly until the user clicks ‘Yes.’ Satana then stores itself in the Appdata\Local\Temp directory and gets busy profiling the infected computer system's hardware information. It uses this data to generate an AES encryption key that it uses to encrypt the victim's files.
Targeted file extensions for encryption include:
.bak .doc .jpg .jpe .txt .tex .dbf .db .xls .doc .jpg .jpe .txt .tex .dbf .db .xls .cry .xml .vsd .pdf .csv .bmp .tif .1cd .tax .gif .gbr .png .mdb .mdf .sdf .dwg .dxf .dgn .stl .gho .v2i .3ds .ma .ppt .acc .vpd .odt .ods .rar .zip .7z .cpp .pas .asm
Figure 1: UAC Popup Launched by Satana. Clicking ‘No’ Makes the Popup Appear Again. Clicking ‘Yes’ Executes Stage 2 of the Ransomware.
Next, Satana behaves in a similar fashion to the virulent ransomware Petya, which appeared in March 2015. It uses a portable executable (PE) file, otherwise known as a dropper, to write low-level malicious code at the start of the disk, overwriting the master boot record (MBR). Satana copies the original MBR and stores it in encrypted form, replacing it entirely with its own code. This leaves the infected machine unable to load the OS, a process known as bootlocking.
Satana then takes a leaf from Mischa’s book and begins silently encrypting the user’s personal files, one by one. Unlike Petya and Mischa, however, infection doesn’t cause the computer to automatically hang or restart (we believe this may change as the ransomware evolves). Instead, Satana completes its encryption work and then lurks dormant in the system until the next manual reboot by the user, which triggers stage two of its attack.
Upon reboot, the stricken computer will hang in ‘The Black Screen of Death’ (BkSOD), unable to load its own operating system:
Figure 2: Black Screen of Death Caused by Satana Infection - Seen Here on a Virtual Machine
What is the MBR?
The code of the MBR is contained in the hard disk’s first sectors, and in essence provides a ‘road map’ of the hard drive that lets the computer know where to find the OS. If the MBR is damaged or corrupted, the machine loses this map and can’t find the OS in order to load Windows.
Following the BkSOD, Santana delivers a ransom note, which appears as a pop-up message in red text on the infected computer. This note is also delivered in the form of Notepad text files named ‘!the SATANA!.txt’, which are dropped into each directory where files were encrypted. Once the machine is rebooted for the first time following infection, users can only access Windows by using the password that is obtained by paying the ransom. If the ransom is paid and the password entered, Satana (in the best-case scenario) unlocks the MBR and decrypts the user's files.
The ransom note contains a demand for 0.5 bitcoin (BTC), which is around $300 at today’s exchange rate (as of August 10th, 2016).
The Satana ransom note states:
“You had bad luck. There was crypting of all your files in a FS bootkit virus <!SATANA!> To decrypt you need to send on this E-mail: monika343@ausi(dot)com your private code (code omitted) and pay on a Bitcoin wallet: (account info omitted) total 0,5 btc. After that during 1-2 days the software will be sent to you – decryptor – and the necessary instructions. All changes in hardware configurations of your computer can make the decryption of your files absolutely impossible! Decryption of your files is only possible on your PC! Recovery is possible during 7 days, after which the program – decryptor – cannot ask for the necessary signature from a public certificate server. Please contact via E-mail, which you can find as yet in the form of a text document in a folder with encrypted files, as well as in the name of all encrypted files. If you do not appreciate your files we recommend you format all your discs and reinstall the system. Read carefully this warning as it is no longer able to see at startup of the computer. We remind you once again – it is all serious! Do not touch the configuration of your computer! How to pay on the Bitcoin wallet you can easily find on the Internet. Enter your unlock code, obtained by E-mail here and press “ENTER” to continue the normal download on your computer. Good luck! May God help you! <!SATANA!>”
Figure 3: Satana Ransom Note Delivered After the BkSOD
Recovering a Machine Posessed - Sorry, Infected - by Satana
Satana is newly developed ransomware, and as such, may not yet be in its final mature form. This makes recovery tricky as the malware is still evolving. Although the current version appears to be flawed, according to security researchers, it may evolve over time to become a more widespread and serious threat.
The fact that Satana disables Windows startup may present users with a quandary. If a second, non-infected machine or smartphone is not readily available within the imposed time limit, users cannot buy bitcoin to pay the ransom required to decrypt their original machine. They are stuck. While this will not present a problem to some, users hit with Satana in rural or other isolated locations may find themselves with a dead computer and no access to a second ‘clean’ machine in order to restore access to the first.
If the user doesn’t wish to pay the ransom, Windows recovery tools may be the first option to try, but non-technical users may struggle when working with manual system tools such as the boot recovery tool and TestDisk. If a user does not know what they are doing, further damage such as accidental deletion of critical system files may be done to the machine.
It is highly recommended that users unfamiliar with using manual PC recovery tools use a professional computer repair and recovery service if they wish to attempt to access their computer without paying the ransom. Reinstalling Windows from the original Windows Recovery Disc may be the only 'user friendly' option left, but users must be aware that doing so will wipe all of their personal files and documents. And even if the MBR is fixed and access to Windows is restored, the user’s files will still be encrypted.
At present, there are a slim set of options available to those hit by Satana. The best defense against this and similar ransomware will always be to keep backup copies of everything on an unplugged and non-networked external hard drive, and to install a quality endpoint protection product to guard against malware like Satana executing in the first place.
If you are currently infected and do not wish to try any of these options, keep the infected machine switched off and unplugged from the Internet, and simply wait. The encryption key may become available publicly via independent security researchers at a later date, or may even be released by rival malware authors to sabotage Satana, a growing trend among fiercely competing cybercriminals.
To Pay or Not To Pay?
Cybercrime agencies such as the F.B.I. at present do not endorse paying any ransom demanded by malware authors. The thinking behind this is that paying the ransom simply encourages the cybercriminals. However, users infected with new ransomware which hasn’t yet been ‘cracked’ by private security agencies may find themselves with no other choice if they wish to attempt to regain access to their data.
NOTE: Victims who pay the ransom still have no guarantee whatsoever the decryption password will work and that they will get their files back.
CylancePROTECT vs. Satana Ransomware
We tested our endpoint protection product CylancePROTECT® against Satana binaries. Our artificial intelligence based mathematical model was easily able to prevent the execution of Satana, detecting and quarantining the ransomware in real time, before it could execute. We tested multiple binaries, and Satana was no match for CylancePROTECT.
Figure 4: CylancePROTECT vs. Satana Ransomware
Indicators of Compromise (IoCs)
Satana collects information about the infected host and user, syphons off intellectual data and uploads all of this data to a server at the address:
ASN: AS7738 Telemar Norte Leste S.A.
Believe the math!!
Convinced that the next generation of endpoint security is right for your organization? Contact a Cylance expert to get started!