SecurityWeek

Malware & Threats

New 5ss5c Ransomware Likely Readied to Replace Satan

The threat actor or group behind the Satan ransomware — and probably DBGer and Lucky and possibly Iron — seems to be engaged in a new version or evolution of Satan: 5ss5c.

According to malware researcher/analyst Bart Blaze, the actor has been working on this new product since at least November 2019. It is thought to be a work in progress because of the presence of a second spreader module within the code, named poc.exe. “This suggests they may be experimenting (poc often is an acronym for proof of concept),” comments Blaze.

There are several clues within 5ss5c linking the ransomware to Satan. Satan had been regularly developed and updated with new functionalities and techniques — but this process stopped around the summer of 2019. The appearance of 5ss5c in November is likely to be related.

Similarities with Satan include the launch process via a downloader, the use of EternalBlue for spreading, several Satan artefacts, and tactics, techniques and procedures (TTPs) that align with both Satan and DBGer (and slightly overlap with Iron). An example of the latter is the use of multiple packers to protect the droppers and payloads.

New, however, is the use of Enigma VirtualBox to pack the additional poc.exe spreader. The file is dropped to C:\ProgramData\poc.exe, and runs the command:

cd /D C:\ProgramData&star.exe --OutConfig a --TargetPort 445 --Protocol SMB --Architecture x64 --Function RunDLL --DllPayload C:\ProgramData\down64.dll --TargetIp 

This is remarkably similar to a Satan command:

cmd /c cd /D C:\Users\Alluse~1\&blue.exe --TargetIp & star.exe --OutConfig a --TargetPort 445 --Protocol SMB --Architecture x64 --Function RunDLL --DllPayload down64.dll --TargetIp


Like Satan, 5ss5c has an exclusion list of files it does not encrypt. This is slightly expanded. For example, while Satan and DBGer both excluded some Qihoo 360-related files, this has been expanded with the addition of 360download and 360safe files. The list of files that will be encrypted is, however, different to that of the earlier ransomware families.

The ransomware generates a ransom note in Chinese. It demands 1 bitcoin for decryption and threatens that the demand will double after 48 hours. There is, however, no indication of where the payment should be sent. Instead, the actor’s email address (5ss5c(at)mail.ru) is prepended to the file name of each encrypted file.
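The spreader command lines quoted above and the email marker prepended to encrypted file names are both usable as detection logic. The following is an added example, not code from the article or from Bart Blaze's analysis; the process-creation events, host names, IP addresses and file names are constructed, and the "(at)" vs "@" spelling of the marker is an assumption about how it appears on disk.

```python
import re

# Flags the star.exe / blue.exe spreader is invoked with in both the 5ss5c and Satan commands.
SPREADER_FLAGS = ("--outconfig", "--targetport", "--protocol", "--architecture",
                  "--function", "--dllpayload", "--targetip")
SPREADER_BINARIES = ("star.exe", "blue.exe", "poc.exe")
# Drop directories seen in the two commands: C:\ProgramData (5ss5c) and C:\Users\Alluse~1 (Satan).
DROP_DIRS = (r"c:\programdata", r"c:\users\alluse~1")
# Actor e-mail prepended to encrypted file names; accept the page's "(at)" form and a plain "@" (assumption).
MARKER_RE = re.compile(r"^5ss5c(?:\(at\)|@)mail\.ru", re.IGNORECASE)
PAYLOAD_RE = re.compile(r"--dllpayload\s+(\S+)", re.IGNORECASE)

def classify_cmdline(cmdline: str) -> dict:
    """Return a verdict plus the evidence behind it for one process-creation command line."""
    # Smart en-dashes appear when IOCs are copy-pasted from web pages; turn them back into '--'.
    low = cmdline.replace("\u2013", "--").lower()
    flags = [f for f in SPREADER_FLAGS if f in low]
    binaries = [b for b in SPREADER_BINARIES if b in low]
    in_drop_dir = any(d in low for d in DROP_DIRS)
    m = PAYLOAD_RE.search(low)
    if len(flags) >= 3 and "--dllpayload" in flags:
        verdict = "spreader"     # EternalBlue-style RunDLL injection command line
    elif binaries and in_drop_dir:
        verdict = "suspicious"   # known spreader name launched from a known drop directory
    else:
        verdict = "benign"
    return {"verdict": verdict, "flags": flags, "binaries": binaries,
            "drop_dir": in_drop_dir, "dll_payload": m.group(1) if m else None}

def is_marked_filename(name: str) -> bool:
    """True when the file name starts with the 5ss5c e-mail marker prepended on encryption."""
    return MARKER_RE.match(name) is not None

def triage(events, filenames) -> dict:
    """Reduce constructed events and file names to the hosts and files worth alerting on."""
    hits = [(e["host"], classify_cmdline(e["cmdline"])["verdict"]) for e in events]
    return {"hosts": [h for h in hits if h[1] != "benign"],
            "encrypted_files": [n for n in filenames if is_marked_filename(n)]}

# Constructed sample input (not from the article): two spreader launches, one poc.exe launch, one benign command.
SAMPLE_EVENTS = [
    {"host": "ws01", "cmdline": r"cd /D C:\ProgramData&star.exe --OutConfig a --TargetPort 445 --Protocol SMB --Architecture x64 --Function RunDLL --DllPayload C:\ProgramData\down64.dll --TargetIp 10.0.0.7"},
    {"host": "ws02", "cmdline": r"cmd /c cd /D C:\Users\Alluse~1\&blue.exe --TargetIp 10.0.0.9 & star.exe --OutConfig a --TargetPort 445 --Protocol SMB --Architecture x64 --Function RunDLL --DllPayload down64.dll --TargetIp 10.0.0.9"},
    {"host": "ws03", "cmdline": r"cmd /c cd /D C:\ProgramData & poc.exe"},
    {"host": "ws04", "cmdline": r"cmd /c dir C:\ProgramData"},
]
SAMPLE_FILES = ["5ss5c(at)mail.ru.budget.xlsx", "budget.xlsx", "5ss5c@mail.ru.notes.txt"]
if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS, SAMPLE_FILES))
```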

It may be that the lack of specificity in the payment instructions is by design (at least at this stage of the ransomware’s development). Satan was available as ransomware-as-a-service, and it is possible that the new 5ss5c is taking the same route.

Related: Ransomware-as-a-Service Lets Anyone be a Cybercriminal 

Related: New Unlock26 Ransomware and RaaS Portal Discovered 

Related: GandCrab Ransomware Authors Announce Shut Down 

Related: Encryptor RaaS Shuts Down Without Releasing Master Key 

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
