Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Satana Ransomware Encrypts MBR and User Files

Satana, a new ransomware family that emerged in the past week, has copied some of its functionality from Petya and Mischa, two connected crypto-lockers observed over the past several months.

Satana, a new ransomware family that emerged in the past week, has copied some of its functionality from Petya and Mischa, two connected crypto-lockers observed over the past several months.

What makes Satana stand out, beside its devilish name (Satana means devil in Italian and Romanian), is the fact that it comes with two modes, one to rewrite the infected computer’s Master Boot Record (MBR) to take over it, and the other to encrypt user files. Apparently, the new malware family uses both modes at the same time, which allows it to completely undermine its victim’s computer.

The Petya ransomware emerged in March, when it made a name for itself because it was able to encrypt entire drives. The malware was performing a two-step encryption, rewriting the computer’s MBR to take over the reboot process and to ensure persistence on the infected machine, and encrypting the entire hard drive during the second stage, after reboot.

Petya was being distributed mainly within enterprise environments, via emails sent to the organization’s human resources department. In May, Petya received an update and started dropping a second ransomware onto the infected machines in the event that it didn’t manage to successfully perform the second step of the encryption process. Dubbed Mischa, this ransomware would use AES-encryption to lock user files, and would also target .exe files, something that most ransomware out there doesn’t.

Unlike the Petya/Mischa bundle, the Satana ransomware both rewrites the MBR and encrypts user’s files one by one, Malwarebytes Labs researchers explain. After execution, the new malware disappears from the infected computer, though it installs a copy of itself in the %TEMP% folder, under a random name.

When first executed, the malware triggers a User Account Control (UAC) notification that appears in a loop until the user allows it to make changes to the computer, then it writes its malicious code to the beginning of the disk and saves contact data for a particular client in the Windows Registry. According to researchers, the ransomware announces everything that it does, including the progress in encrypting files, and includes debug code in it, suggesting that it might be in the early stages of development.

Unlike Petya, which triggers a BSOD prompt to determine users reboot their machines, Satana patiently waits for the reboot. However, as soon as the system boots up, it displays a screen with the ransom note. During the first step of the attack, in low-level mode, only the MBR is encrypted (and stored in Sector 6), but not beyond repair: a backup can be used to recover the original MBR, it seems.

The ransomware encrypts users’ files (on local disks and unmapped network shares) one by one, drops a ransom note in each folder, and deletes shadow backups to hinder data recovery attempts. All of the encrypted files are renamed with an email address taken out of a hardcoded pool and the original name. Malwarebytes Labs also explains that all files are encrypted with the same unique key using an encryption algorithm that is either a block cipher or custom XOR based.

According to researchers, the analyzed sample includes a hard-coded command and control (C&C) address and sends information about the client to it, along with the randomly generated key used in the encryption process. The issue with Satana is that it doesn’t store the key locally, although it can perform the encryption process while offline, meaning that the key is permanently lost if communication to the C&C server is lost during encryption.

Malwarebytes Labs researchers explain that the sample they analyzed might have not been intended for public use, both because of issues with the code and because the Bitcoin wallet in the ransom note doesn’t work. Moreover, they say that the malware’s low-level attack code looks unfinished, but that its authors appear to be focusing on it, and that future malware variants might bring improvements.

Related: CryptXXX Ransomware Gang Made $50,000 in Weeks

Related: Ransomware-as-a-Service Lets Anyone be a Cybercriminal< /span>

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.


More than 3,800 servers around the world have been compromised in recent ESXiArgs ransomware attacks, which also include an improved process.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.