Security Experts:

Satana Ransomware Encrypts MBR and User Files

Satana, a new ransomware family that emerged in the past week, has copied some of its functionality from Petya and Mischa, two connected crypto-lockers observed over the past several months.

What makes Satana stand out, beside its devilish name (Satana means devil in Italian and Romanian), is the fact that it comes with two modes, one to rewrite the infected computer’s Master Boot Record (MBR) to take over it, and the other to encrypt user files. Apparently, the new malware family uses both modes at the same time, which allows it to completely undermine its victim’s computer.

The Petya ransomware emerged in March, when it made a name for itself because it was able to encrypt entire drives. The malware was performing a two-step encryption, rewriting the computer’s MBR to take over the reboot process and to ensure persistence on the infected machine, and encrypting the entire hard drive during the second stage, after reboot.

Petya was being distributed mainly within enterprise environments, via emails sent to the organization’s human resources department. In May, Petya received an update and started dropping a second ransomware onto the infected machines in the event that it didn’t manage to successfully perform the second step of the encryption process. Dubbed Mischa, this ransomware would use AES-encryption to lock user files, and would also target .exe files, something that most ransomware out there doesn’t.

Unlike the Petya/Mischa bundle, the Satana ransomware both rewrites the MBR and encrypts user’s files one by one, Malwarebytes Labs researchers explain. After execution, the new malware disappears from the infected computer, though it installs a copy of itself in the %TEMP% folder, under a random name.

When first executed, the malware triggers a User Account Control (UAC) notification that appears in a loop until the user allows it to make changes to the computer, then it writes its malicious code to the beginning of the disk and saves contact data for a particular client in the Windows Registry. According to researchers, the ransomware announces everything that it does, including the progress in encrypting files, and includes debug code in it, suggesting that it might be in the early stages of development.

Unlike Petya, which triggers a BSOD prompt to determine users reboot their machines, Satana patiently waits for the reboot. However, as soon as the system boots up, it displays a screen with the ransom note. During the first step of the attack, in low-level mode, only the MBR is encrypted (and stored in Sector 6), but not beyond repair: a backup can be used to recover the original MBR, it seems.

The ransomware encrypts users’ files (on local disks and unmapped network shares) one by one, drops a ransom note in each folder, and deletes shadow backups to hinder data recovery attempts. All of the encrypted files are renamed with an email address taken out of a hardcoded pool and the original name. Malwarebytes Labs also explains that all files are encrypted with the same unique key using an encryption algorithm that is either a block cipher or custom XOR based.

According to researchers, the analyzed sample includes a hard-coded command and control (C&C) address and sends information about the client to it, along with the randomly generated key used in the encryption process. The issue with Satana is that it doesn’t store the key locally, although it can perform the encryption process while offline, meaning that the key is permanently lost if communication to the C&C server is lost during encryption.

Malwarebytes Labs researchers explain that the sample they analyzed might have not been intended for public use, both because of issues with the code and because the Bitcoin wallet in the ransom note doesn’t work. Moreover, they say that the malware’s low-level attack code looks unfinished, but that its authors appear to be focusing on it, and that future malware variants might bring improvements.

Related: CryptXXX Ransomware Gang Made $50,000 in Weeks

Related: Ransomware-as-a-Service Lets Anyone be a Cybercriminal

view counter