New 5ss5c Ransomware Likely Readied to Replace Satan

The threat actor or group behind the Satan ransomware — and probably DBGer and Lucky and possibly Iron — seems to be engaged in a new version or evolution of Satan: 5ss5c.

According to malware researcher/analyst Bart Blaze, the actor has been working on this new product since at least November 2019. It is thought to be a work in progress because of the presence of a second spreader module within the code, named poc.exe. “This suggests they may be experimenting (poc often is an acronym for proof of concept),” comments Blaze.

There are several clues within 5ss5c linking the ransomware to Satan. Satan had been regularly developed and updated with new functionalities and techniques — but this process stopped around the summer of 2019. The appearance of 5ss5c in November is likely to be related.

Similarities with Satan include the launch process via a downloader, the use of EternalBlue for spreading, several Satan artefacts, and tactics, techniques and procedures (TTPs) that align with both Satan and DBGer (and slightly overlap with Iron). An example of the latter is the use of multiple packers to protect the droppers and payloads.

New, however, is the use of Enigma Virtual Box to pack the additional poc.exe spreader. The file is dropped to C:\ProgramData\poc.exe, and runs the command:

cd /D C:\ProgramData&star.exe --OutConfig a --TargetPort 445 --Protocol SMB --Architecture x64 --Function RunDLL --DllPayload C:\ProgramData\down64.dll --TargetIp

This is remarkably similar to a Satan command:

cmd /c cd /D C:\Users\Alluse~1&blue.exe --TargetIp & star.exe --OutConfig a --TargetPort 445 --Protocol SMB --Architecture x64 --Function RunDLL --DllPayload down64.dll --TargetIp
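To turn the two spreader command lines above into something a SOC can match on, here is an added detection example (not from the article or from Blaze's analysis) that parses process-creation command lines, flags the star.exe/blue.exe launch pattern by its option set, and scores how similar the 5ss5c and Satan launches are. The events and the target IP 10.0.0.5 are constructed sample data.

```python
import re

# Constructed process-creation events. Events 1 and 2 carry the command lines
# quoted in the article (backslashes and "--" restored); 10.0.0.5 is a made-up
# target value standing in for whatever the spreader fills in at runtime.
SAMPLE_EVENTS = [
    {"pid": 1, "image": "C:\\ProgramData\\poc.exe",
     "cmd": "cd /D C:\\ProgramData&star.exe --OutConfig a --TargetPort 445 "
            "--Protocol SMB --Architecture x64 --Function RunDLL "
            "--DllPayload C:\\ProgramData\\down64.dll --TargetIp 10.0.0.5"},
    {"pid": 2, "image": "C:\\Windows\\System32\\cmd.exe",
     "cmd": "cmd /c cd /D C:\\Users\\Alluse~1&blue.exe --TargetIp 10.0.0.5 & "
            "star.exe --OutConfig a --TargetPort 445 --Protocol SMB "
            "--Architecture x64 --Function RunDLL --DllPayload down64.dll "
            "--TargetIp 10.0.0.5"},
    {"pid": 3, "image": "C:\\Windows\\System32\\cmd.exe",
     "cmd": "cmd /c dir C:\\ProgramData"},
]

# Option/value pairs that, together with the spreader binaries, characterise
# the Satan-family SMB spreader invocation shown in the article.
SPREADER_MARKERS = {"--targetport": "445", "--protocol": "smb", "--function": "rundll"}
SPREADER_BINARIES = {"star.exe", "blue.exe"}

def parse_options(cmd):
    """Return {option: value} for every '--Option value' pair, lower-cased."""
    return {k.lower(): v.lower() for k, v in re.findall(r"(--\w+)\s+(\S+)", cmd)}

def referenced_binaries(cmd):
    """Executable names invoked in each '&'-chained segment of a command line."""
    names = set()
    for segment in cmd.split("&"):
        parts = segment.strip().split()
        if parts:
            names.add(parts[0].rsplit("\\", 1)[-1].lower())
    return names

def is_spreader_launch(cmd):
    """True when a spreader binary is run with the SMB/445/RunDLL marker set and a DLL payload."""
    opts = parse_options(cmd)
    has_markers = all(opts.get(k) == v for k, v in SPREADER_MARKERS.items())
    has_binary = bool(referenced_binaries(cmd) & SPREADER_BINARIES)
    return has_markers and has_binary and "--dllpayload" in opts

def option_overlap(cmd_a, cmd_b):
    """Jaccard overlap of option/value pairs; a quick similarity score for two launches."""
    a, b = set(parse_options(cmd_a).items()), set(parse_options(cmd_b).items())
    return len(a & b) / len(a | b)

def flag_events(events):
    """PIDs of events whose command line matches the spreader launch pattern."""
    return [e["pid"] for e in events if is_spreader_launch(e["cmd"])]
```

Both quoted launches are flagged while the benign dir command is not, and the option-set overlap of 0.75 between them reflects the similarity the article points out (only the DllPayload path differs).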


Like Satan, 5ss5c has an exclusion list of files it does not encrypt. This list is slightly expanded. For example, while Satan and DBGer both excluded some Qihoo 360-related files, 5ss5c adds 360download and 360safe files. The list of file types that will be encrypted is, however, different from that of the earlier ransomware families.

The ransomware generates a ransom note in Chinese. It demands 1 bitcoin for decryption and threatens that the demand will double after 48 hours. There is, however, no indication of where the payment should be sent. Instead, the actor’s email address (5ss5c(at) is prepended to the file name of each encrypted file.

It may be that the lack of specificity in the payment instructions is by design (at least at this stage of the ransomware’s development). Satan was available as ransomware-as-a-service, and it is possible that the new 5ss5c is taking the same route.


Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
