An Inside Look at a Ransom Note

Satana Demands Payout and Warns Against Recovery Attempts

WarningWith ransomware attacks making headlines nearly every day in 2016, it seems that IT security professionals and the cybercriminals that try to outsmart them are in a constant battle for lead position—and lately, it seems that the cybercriminals are winning.

Recently, yet another strain of ransomware was discovered in its early sample form. Satana, (“Satan” in Italian) is a Trojan that encrypts files and corrupts the Windows’ Master Boot Record (MBR), which halts the Windows boot process and injects its own code into the MBR. Unlike sister-malware Petya which relies on help from tagalong Trojan Mischa, Satana doesn’t mess around with the Master File Table (MFT), it goes straight for the jugular—and manages to conduct both processes of injecting code and encrypting PC files all by itself. So, Satana seems to be an evolved version of Petya in that it doesn’t need anyone’s help—except for the human on the other end of the reboot function—in order to infect and encrypt a user’s computer.

Once Satana has successfully installed itself on its victim’s computer, it will launch its ransom note, which reads, in part:

“You had bad luck. There was crypting of all your files in a FS bootkit virus<!SATANA!> To decrypt you need to send on this E-mail: orjovaja@mail.com your private code: C98F4DEC6A….”

…and so on. Eventually, the ransom note gets to the point where it instructs victims to pay a bitcoin equivalent to $340. The note, which blasts itself in bright red text against a sinister black background, ends with a call to action that tells users where to enter their decryption code to regain access to their files. The malware signs off with, “Good luck! May God help you! <!SATANA!>”

Kaspersky Lab has dubbed the Russian-linked Satana the “ransomware from hell.” According to Kaspersky Lab, researchers have identified six email addresses that serve as contact information for Satana’s victims, who must request payment and other instructions in order to receive the decryption key to unlock their files.

In order to fulfill the ransom and unlock encrypted files, the cybercriminals behind Satana demand that victims pay around 0.5 bitcoins, or approximately $340.

For the advanced and technically apt victims of Satana, there may be a light at the end of the tunnel. Experts have revealed that there is a way to at least partly bypass the MBR to gain access to the infected operating system and restore it—but be forewarned, this solution is only meant for experienced victims with very advanced technical skills.

Problematically, while you may be able to restore your OS, researchers have yet to figure out a solution that will give Satana victims access to their encrypted files. It seems that, at least for now, victims have only one option in order to decrypt their stolen files—and that is to pay up.

The good news, for the time being, is that Satana is currently in its infancy stages; it is not widespread, and researchers have uncovered errors and weaknesses in its code. On the flip side, it appears that Satana is positioned to evolve over time, and with its comprehensive method of attack, it has the potential to become the next major threat in the ransomware world.

To stay vigilant against ransomware threats, remember to always:

  1. Backup your data on a regular basis.
  2. Don’t open suspicious email attachments.
  3. Use trustworthy anti-virus software and keep it updated.
  4. Consult a professional if you need to bolster your security or you suspect you’ve been compromised.

OffSite IT your local IT security solutions provider, keeping your business’ IT assets safe from ransomware, hackers, and other cybersecurity threats. For the most advanced IT security solutions in business, contact us at (866) 828--6674 or send us an email at info@offsiteIT.com for more information.

Alexssa

I first hired John directly as an employee back in 1999.
He was an excellent addition to a growing team at a small technology company. Subsequent to the sale of the company, John branched out on his own and started an IT consulting firm. Since that time, I have not used anyone else. John is capable, personable, has integrity and is also very likable. I would recommend him without reservation.”

  Kevin DiCerbo   

Connect With OffSite IT

    Locations
    • Los Angeles / Orange County 21520 Yorba Linda Blvd. Suite G417 Yorba Linda, CA 92887
    • Chicago 6912 Main Street Suite 214 Downers Grove, IL 60516
    • 1-866-828_-6674 info@offsiteIT.com