The threat actor or group behind the Satan ransomware — and probably DBGer and Lucky and possibly Iron — seems to be engaged in a new version or evolution of Satan: 5ss5c.
According to malware researcher/analyst Bart Blaze, the actor has been working on this new product since at least November 2019. It is thought to be a work in progress because of the presence of a second spreader module within the code, named poc.exe. “This suggests they may be experimenting (poc often is an acronym for proof of concept),” comments Blaze.
There are several clues within 5ss5c linking the ransomware to Satan. Satan had been regularly developed and updated with new functionalities and techniques — but this process stopped around the summer of 2019. The appearance of 5ss5c in November is likely to be related.
Similarities with Satan include the launch process via a downloader, the use of EternalBlue for spreading, several Satan artefacts, and tactics, techniques and procedures (TTPs) that align with both Satan and DBGer (and slightly overlap with Iron). An example of the latter is the use of multiple packers to protect the droppers and payloads.
New, however, is the use of Enigma VirtualBox to pack the additional poc.exe spreader. The file is dropped to C:\ProgramData\poc.exe, and runs the command:
cd /D C:\ProgramData&star.exe –OutConfig a –TargetPort 445 –Protocol SMB –Architecture x64 –Function RunDLL –DllPayload C:\ProgramData\down64.dll –TargetIp
This is remarkably similar to a Satan command:
cmd /c cd /D C:\Users\Alluse~1&blue.exe –TargetIp & star.exe –OutConfig a –TargetPort 445 –Protocol SMB –Architecture x64 –Function RunDLL –DllPayload down64.dll –TargetIp
Like Satan, 5ss5c has an exclusion list of files it does not encrypt. This is slightly expanded. For example, while Satan and DBGer both excluded some Qihoo 360-related files, this has been expanded with the addition of 360download and 360safe files. The list of files that will be encrypted is, however, different from that of the earlier ransomware families.
The ransomware generates a ransom note in Chinese. It demands 1 bitcoin for decryption and threatens that the demand will double after 48 hours. There is, however, no indication of where the payment should be sent. Instead, the actor’s email address (5ss5c(at)mail.ru) is prepended to the file name of each encrypted file.
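The command lines and the renamed-file marker quoted above are the kind of artefacts a defender can turn into host telemetry checks. The following is an added example, not code from the article or from Blaze's analysis: it flags process-creation events that share the star.exe spreader switch pattern (tolerant of the '-', '--' or typographic-dash renderings), the C:\ProgramData drop path, and files whose name begins with the actor's e-mail address. The log format, host names, IP address and the separator after the e-mail prefix are constructed assumptions.

```python
import re
# Indicators reproduced from the article; the log format, hostnames, IP and the
# separator after the e-mail prefix are constructed for this example.
SPREADER_SWITCHES = ("outconfig", "targetport 445", "protocol smb",
                     "function rundll", "dllpayload")
DROP_PATH_RE = re.compile(r"c:\\programdata\\(?:poc|star)\.exe", re.IGNORECASE)
MARKER_RE = re.compile(r"^5ss5c\(at\)mail\.ru", re.IGNORECASE)

def spreader_score(cmdline: str) -> int:
    """Count the spreader switches present, ignoring case and whether they are
    written with '-', '--' or a typographic dash (as in the article's rendering)."""
    norm = re.sub(r"[-\u2013\u2014]+", " ", cmdline.lower())
    return sum(1 for s in SPREADER_SWITCHES if s in re.sub(r"\s+", " ", norm))

def is_spreader_cmdline(cmdline: str) -> bool:
    """star.exe plus most of the characteristic switches: the shape shared by the
    Satan command and the 5ss5c poc.exe command quoted above."""
    return "star.exe" in cmdline.lower() and spreader_score(cmdline) >= 4

def is_5ss5c_renamed(path: str) -> bool:
    """Encrypted files carry the actor's e-mail address prepended to the name."""
    return MARKER_RE.match(re.split(r"[\\/]", path)[-1]) is not None

def triage(log_text: str) -> list:
    """Scan 'timestamp host event detail' lines; return (finding, detail) pairs."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) < 4:
            continue  # malformed line: skip rather than crash
        _, _, event, detail = parts
        if event == "ProcessCreate" and is_spreader_cmdline(detail):
            findings.append(("spreader-cmdline", detail))
        if DROP_PATH_RE.search(detail):
            findings.append(("programdata-dropper", detail))
        if event in ("FileCreate", "FileRename") and is_5ss5c_renamed(detail):
            findings.append(("5ss5c-renamed-file", detail))
    return findings

# Constructed sample telemetry, not real logs; the first command line mirrors the one quoted above.
SAMPLE_LOG = """\
2019-11-20T10:01:03Z host01 ProcessCreate cmd.exe /c cd /D C:\\ProgramData&star.exe --OutConfig a --TargetPort 445 --Protocol SMB --Architecture x64 --Function RunDLL --DllPayload C:\\ProgramData\\down64.dll --TargetIp 192.0.2.10
2019-11-20T10:01:05Z host01 FileCreate C:\\ProgramData\\poc.exe
2019-11-20T10:02:11Z host01 FileRename C:\\Users\\bob\\Documents\\5ss5c(at)mail.ru_report.docx
2019-11-20T10:03:00Z host02 ProcessCreate notepad.exe C:\\Users\\bob\\notes.txt
"""
if __name__ == "__main__":
    for finding, detail in triage(SAMPLE_LOG):
        print(f"{finding}: {detail}")
```

Running it against the constructed sample reports the spreader command line, the poc.exe drop and the renamed document, and nothing for the benign notepad.exe event.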
It may be that the lack of specificity in the payment instructions is by design (at least at this stage of the ransomware’s development). Satan was available as ransomware-as-a-service, and it is possible that the new 5ss5c is taking the same route.