Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

New 5ss5c Ransomware Likely Readied to Replace Satan

The threat actor or group behind the Satan ransomware — and probably DBGer and Lucky and possibly Iron — seems to be engaged in a new version or evolution of Satan: 5ss5c.

The threat actor or group behind the Satan ransomware — and probably DBGer and Lucky and possibly Iron — seems to be engaged in a new version or evolution of Satan: 5ss5c.

According to malware researcher/analyst Bart Blaze, the actor has been working on this new product since at least November 2019. It is thought to be a work in progress because of the presence of a second spreader module within the code, named poc.exe. “This suggest they may be experimenting (poc often is an acronym for proof of concept),” comments Blaze.

There are several clues within 5ss5c linking the ransomware to Satan. Satan had been regularly developed and updated with new functionalities and techniques — but this process stopped around the summer of 2019. The appearance of 5ss5c in November is likely to be related.

Similarities with Satan include the launch process via a downloader, the use of EternalBlue for spreading, several Satan artefacts, and tactics, techniques and procedures (TTPs) that align with both Satan and DBGer (and slightly overlap with Iron). An example of the latter is the use of multiple packers to protect the droppers and payloads.

New, however, is the use of Enigma VirtualBox to pack the additional poc.exe spreader. The file is dropped to C:ProgramDatapoc.exe, and runs the command:

cd /D C:ProgramData&star.exe –OutConfig a –TargetPort 445 –Protocol SMB –Architecture x64 –Function RunDLL –DllPayload C:ProgramDatadown64.dll –TargetIp 

This is remarkably similar to a Satan command:

cmd /c cd /D C:UsersAlluse~1&blue.exe –TargetIp & star.exe –OutConfig a –TargetPort 445 –Protocol SMB –Architecture x64 –Function RunDLL –DllPayload down64.dll –TargetIp

Like Satan, 5ss5c has an exclusion list of files it does not encrypt. This is slightly expanded. For example, while Satan and DBGer both excluded some Qih00 360-related files, this has been expanded with the addition of 360download and 360safe files. The list of files that will be encrypted is, however, different to that of the earlier ransomwares.

The ransomware generates a ransom note in Chinese. It demands 1 bitcoin for decryption and threatens that the demand will double after 48 hours.There is, however, no indication of where the payment should be sent. Instead, the actor’s email address (5ss5c(at) is prepended to the file name of each encrypted file.

It may be that the lack of specificity in the payment instructions is by design (at least at this stage of the ransomware’s development). Satan was available as ransomware-as-a-service, and it is possible that the new 5ss5c is taking the same route.

Related: Ransomware-as-a-Service Lets Anyone be a Cybercriminal 

Related: New Unlock26 Ransomware and RaaS Portal Discovered 

Related: GandCrab Ransomware Authors Announce Shut Down 

Related: Encryptor RaaS Shuts Down Without Releasing Master Key 

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.


US government reminds the public that a reward of up to $10 million is offered for information on cybercriminals, including members of the Hive...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


The Hive ransomware website has been seized as part of an operation that involved law enforcement in 10 countries.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.