Satan Ransomware: An overview of the ransomware’s variants and exploits
- Satan ransomware is capable of self-spreading and usually propagates via a JBoss vulnerability, a WebLogic vulnerability, and the EternalBlue SMB exploit.
- Satan ransomware resurfaced with a new variant named Lucky, exploiting almost 10 server-side application vulnerabilities that affect both Windows and Linux-based servers.
Satan Ransomware was first promoted via the Satan Ransomware-as-a-Service (RaaS) on January 19, 2017. The ransomware itself was offered for free, but users had to register with the RaaS by making an initial payment. The ransomware is mostly written in C++ and uses Tor and Bitcoin for anonymity.
Satan ransomware is capable of self-spreading and usually propagates via a JBoss vulnerability (CVE-2017-12149), a WebLogic vulnerability (CVE-2017-10271), the EternalBlue SMB exploit (CVE-2017-0143), and brute forcing of Tomcat web applications.
Satan ransomware rebranded as DBGer
Satan ransomware developers rebranded their malware as DBGer, and this variant was first spotted on June 14, 2018. It incorporates the Mimikatz tool for lateral movement inside the compromised network.
The ransom note
- Satan encrypts all files in the compromised machine and appends the .dbger extension to the encrypted files.
- After encryption, it drops a ransom note in the infected machine.
- The ransomware then kills Satan.exe in memory, but the parent file keeps running to send data to the attacker-controlled C&C server.
“Some files have been encrypted. Please send (1) bitcoins to my wallet address. If you paid, send the machine code to my email. I will give you key. If there is no payment within three days, we will no longer support decryption. If you exceed the payment time, your data will be open to the public download. We support decrypting the test file. Send three small than 3 MB files to the email address,” the ransom note read.
New variant Lucky
In November 2018, Satan ransomware resurfaced with a new variant named Lucky, exploiting almost 10 server-side application vulnerabilities that affect both Windows and Linux-based servers.
Researchers noted that Lucky spreads itself by exploiting several application vulnerabilities affecting Windows services, Apache Tomcat, JBoss, WebLogic, Spring, and Apache Struts.
This variant encrypts files and appends the ‘.lucky’ extension to the encrypted files.
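The `.dbger` and `.lucky` extensions the article reports for the two variants are the simplest host-side indicator a responder can sweep for. The script below is an added triage example, not code from the article or from the malware's authors: it walks a directory tree, lists files carrying either extension, and computes the fraction of files affected, since a share where most files are renamed is a far stronger signal than a few stray matches. The sample directory it builds is constructed for the demonstration; the extension set and the per-tree ratio threshold are the only assumptions.

```python
import os
import tempfile

# Extensions the article reports: ".dbger" (DBGer variant) and ".lucky" (Lucky variant).
RANSOM_EXTENSIONS = {".dbger", ".lucky"}


def scan_tree(root, min_hits=1):
    """Walk `root` and return {extension: [matching file paths]} for every
    ransomware extension that occurs at least `min_hits` times."""
    hits = {ext: [] for ext in RANSOM_EXTENSIONS}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            # splitext keeps only the last suffix, so "report.xlsx.lucky" -> ".lucky"
            ext = os.path.splitext(name)[1].lower()
            if ext in RANSOM_EXTENSIONS:
                hits[ext].append(os.path.join(dirpath, name))
    return {ext: paths for ext, paths in hits.items() if len(paths) >= min_hits}


def infection_ratio(root):
    """Fraction of regular files under `root` that carry a ransomware extension.
    Returns 0.0 for an empty tree."""
    total = matched = 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            total += 1
            if os.path.splitext(name)[1].lower() in RANSOM_EXTENSIONS:
                matched += 1
    return matched / total if total else 0.0


def build_sample_tree():
    """Constructed sample layout (not real data): a 'finance' folder whose
    documents were renamed after encryption, beside an untouched 'public' folder."""
    root = tempfile.mkdtemp(prefix="satan_triage_")
    encrypted = os.path.join(root, "finance")
    clean = os.path.join(root, "public")
    os.makedirs(encrypted)
    os.makedirs(clean)
    for i in range(5):
        open(os.path.join(encrypted, f"report{i}.xlsx.lucky"), "w").close()
    open(os.path.join(encrypted, "archive.doc.dbger"), "w").close()
    for i in range(4):
        open(os.path.join(clean, f"readme{i}.txt"), "w").close()
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for ext, paths in sorted(scan_tree(root).items()):
        print(f"{ext}: {len(paths)} file(s)")
    # Assumed escalation threshold: more than a quarter of files renamed.
    ratio = infection_ratio(root)
    print(f"infection ratio: {ratio:.0%} -> {'ESCALATE' if ratio > 0.25 else 'monitor'}")
```

Run it against a suspect share root instead of the constructed tree; the ratio is what distinguishes a real encryption run from a test file someone left behind.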
Satan variants target the financial sector
Researchers spotted two Satan ransomware variants targeting organizations in the financial sector with Monero miners and ransomware.
Satan adds three new exploits to its source code
In May 2019, a new variant of Satan ransomware was spotted leveraging three new vulnerabilities to spread across public and private networks. The new vulnerabilities targeted by this strain are Spring Data REST Patch Request (CVE-2017-8046), ElasticSearch (CVE-2015-1427), and ThinkPHP 5.X Remote Code Execution (no CVE assigned).
Researchers noted that this new variant implements IP address traversal and multi-threading for effective propagation.
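A worm that walks IP address ranges with many threads leaves a distinctive trace on the network: one source opening connections to many distinct hosts on the same service port within seconds. The detector below is an added example, not code from the article or from any vendor's product. It parses constructed connection-log lines (timestamp, source, destination, port, flag) and raises an alert for any source that reaches at least `min_targets` distinct hosts on a watched port inside a sliding time window. The watched port list (445 for SMB, plus common Tomcat, JBoss and WebLogic listener ports), the log format and the thresholds are all assumptions for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed ports for the propagation routes the article describes: SMB (EternalBlue)
# and the HTTP ports that commonly front Tomcat, JBoss and WebLogic.
WATCHED_PORTS = {445, 80, 8080, 7001, 8443}

# Constructed sample log (not real telemetry): 10.0.5.17 sweeps eight neighbours
# on 445 within eight seconds; the other hosts show ordinary, slow traffic.
SAMPLE_LOG = [
    f"2019-05-02T10:00:{i:02d} 10.0.5.17 10.0.5.{i + 1} 445 SYN" for i in range(8)
] + [
    "2019-05-02T10:00:03 10.0.5.20 10.0.5.99 8080 SYN",
    "2019-05-02T10:00:04 10.0.5.20 10.0.5.99 8080 SYN",
    "2019-05-02T10:00:05 10.0.5.20 10.0.5.99 8080 SYN",
    "2019-05-02T10:01:00 10.0.5.21 10.0.5.30 7001 SYN",
    "2019-05-02T10:01:30 10.0.5.21 10.0.5.31 7001 SYN",
    "2019-05-02T10:02:00 10.0.5.21 10.0.5.32 7001 SYN",
    "2019-05-02T10:02:30 10.0.5.21 10.0.5.33 7001 SYN",
    "2019-05-02T10:00:06 10.0.5.22 10.0.5.50 22 SYN",
]


def parse_line(line):
    """Split one log line into (timestamp, src, dst, port)."""
    ts, src, dst, port, _flag = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def detect_sweeps(lines, window=timedelta(seconds=10), min_targets=5):
    """Return {src: max distinct destinations seen within `window`} for every
    source that touched at least `min_targets` distinct hosts on a watched port."""
    by_src = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, port = parse_line(line)
        if port in WATCHED_PORTS:
            by_src[src].append((ts, dst))

    alerts = {}
    for src, events in by_src.items():
        events.sort()          # order by timestamp
        recent = []            # events inside the current sliding window
        for ts, dst in events:
            recent.append((ts, dst))
            while recent and ts - recent[0][0] > window:
                recent.pop(0)  # evict events that fell out of the window
            distinct = len({d for _, d in recent})
            if distinct >= min_targets:
                alerts[src] = max(alerts.get(src, 0), distinct)
    return alerts


if __name__ == "__main__":
    for src, count in detect_sweeps(SAMPLE_LOG).items():
        print(f"ALERT {src}: {count} distinct hosts on watched ports within 10s")
```

The window and target count are the knobs to tune: an inventory scanner or a backup server will also fan out, so exclude known scanners by source and keep the window short enough that the multi-threaded burst stands apart from routine traffic.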