Satan ransomware has emerged again, compromising Windows PCs with the EternalBlue exploit and spreading across the networks it lands in.
Satan ransomware has been attacking users since 2017 and has been distributed through various channels, including exploit kits and sale on the dark web as Ransomware-as-a-Service (RaaS).
It propagates through the targeted network using Mimikatz, an open-source credential-dumping tool, and EternalBlue, an exploit against the SMBv1 flaws fixed by MS17-010 (CVE-2017-0143 among them).
EternalBlue was developed by the National Security Agency (NSA) and exploits the Windows Server Message Block version 1 (SMBv1) implementation. The tool is believed to have been leaked by the Shadow Brokers hacker group in April 2017.
Mimikatz is an open-source tool that lets an attacker extract credentials from a Windows machine.
Satan Ransomware Infection Analysis
The initial Trojan file is packed with the MPRESS packer and delivered to the targeted victim's machine through various channels, such as email.
Once the user executes the Trojan, it drops several public versions of the EternalBlue exploit files under 'C:\Users\All Users\'; the dropped files are packed with the same MPRESS packer.
It then uses EternalBlue to scan every system on the same network for hosts running unpatched SMB services.
The goal is to infect the whole network and encrypt files on every reachable machine, maximizing the profit from a single intrusion.
According to Quick Heal, this version of Satan also drops mmkt.exe (Mimikatz), which dumps credentials from the Windows Local Security Authority Subsystem Service (lsass) process. It saves the credentials of machines on the network and then uses them to log in to and infect other hosts on the same network.
Finally, it drops satan.exe on the infected computer, which starts encrypting files on the disk as soon as it is executed.
When encryption completes, every encrypted file is renamed with the attacker's contact email prepended in square brackets and the .dbger extension appended, e.g. gbhackers.jpg becomes [[email protected]] gbhackers.jpg.dbger.
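The renaming scheme above is a usable indicator on a compromised host: a file listing can be checked for names of the form "[contact address] original.ext.dbger". The following script is an added example (not code from the original article or from Quick Heal) that parses such names, separates the contact address from the original file name, and counts hits per address so a single address repeated across many files stands out from a stray false positive. The address attacker@example.com and the directory listing are constructed sample data; the article redacts the real contact address, so the pattern matches any address.

```python
import re
from typing import Iterable, List, NamedTuple, Optional, Dict

# Satan (.dbger variant) renames an encrypted file by prepending the attacker's
# contact address in square brackets and appending ".dbger":
#   gbhackers.jpg  ->  [<contact address>] gbhackers.jpg.dbger
# The address is redacted on the page, so match any single "user@host" token.
_DBGER_RE = re.compile(
    r"^\[(?P<contact>[^\[\]\s@]+@[^\[\]\s@]+)\]\s(?P<original>.+)\.dbger$",
    re.IGNORECASE,
)


class DbgerHit(NamedTuple):
    path: str       # full path as it appeared in the listing
    contact: str    # address found inside the square brackets
    original: str   # file name before Satan renamed it


def parse_dbger_name(path: str) -> Optional[DbgerHit]:
    """Return a DbgerHit if the final path component matches Satan's .dbger pattern, else None."""
    # Only the file name matters; accept both Windows and POSIX separators.
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    m = _DBGER_RE.match(name)
    if not m:
        return None
    return DbgerHit(path, m.group("contact"), m.group("original"))


def scan_listing(paths: Iterable[str]) -> List[DbgerHit]:
    """Flag every entry in a directory listing that looks Satan-encrypted."""
    return [hit for hit in map(parse_dbger_name, paths) if hit is not None]


def summarize(hits: Iterable[DbgerHit]) -> Dict[str, int]:
    """Count hits per contact address.

    One address across many files is the ransomware signal; a lone match on an
    oddly named file is more likely a false positive and deserves a manual look.
    """
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h.contact] = counts.get(h.contact, 0) + 1
    return counts


# Constructed sample listing (hypothetical paths, not data from a real victim).
SAMPLE_LISTING = [
    r"C:\Users\alice\Pictures\[attacker@example.com] gbhackers.jpg.dbger",
    r"C:\Users\alice\Documents\[attacker@example.com] budget 2018.xlsx.dbger",
    r"C:\Users\alice\Documents\budget 2018.xlsx",                # untouched file
    r"C:\Users\alice\Downloads\notes.dbger.txt",                  # ".dbger" not the final extension
    r"C:\Users\alice\Desktop\[not an email] report.docx.dbger",  # bracket holds no address
    r"C:\Users\All Users\satan.exe",                              # dropped component, not an encrypted file
]

if __name__ == "__main__":
    hits = scan_listing(SAMPLE_LISTING)
    for hit in hits:
        print(f"{hit.path}\n    contact={hit.contact} original={hit.original}")
    print(summarize(hits))
```

Run it against the output of `dir /s /b` (or a file-system timeline from a forensic image) rather than against the live system; the original name recovered from each hit tells you what was encrypted, and the per-address count tells you how far the encryption run got.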
After encryption finishes, satan.exe is terminated, but the parent process keeps running and sends data to a command-and-control (C2) server.
Finally, it displays a ransom note that says, "some file has been infected, please send 1 bitcoin to wallet address."
Once the victim has paid the ransom, they must email the machine code to the attacker to receive the decryption key.
The attacker also sets a 3-day payment deadline; if the victim fails to pay in time, the files can no longer be decrypted.