
Detected new threat, the extortionist Satana

by sigismund » 2016-07-05 10:55:17

The Satana ransomware replaces the MBR and encrypts the files on the infected system.


Malwarebytes has published on its blog an analysis of a new ransomware sample that inherits the functionality of Petya and Mischa. Satana has roughly the same capabilities: it can encrypt data and replace the MBR (Master Boot Record), and it also operates in two modes.

In the first mode, the program tries to replace the MBR with its own bootloader. In the second mode, the malware behaves like an ordinary file encryptor. Unlike the previously known Petya and Mischa, the Satana ransomware uses both modes together, i.e. it replaces the MBR and also encrypts the files on the disk.

Once on the system, the Trojan encrypts files with the following extensions on local and network drives:

.bak .doc .jpg .jpe .txt .tex .dbf .db .xls
.cry .xml .vsd .pdf .csv .bmp .tif .1cd .tax
.gif .gbr .png .mdb .mdf .sdf .dwg .dxf .dgn
.stl .gho .v2i .3ds .ma .ppt .acc .vpd .odt
.ods .rar .zip .7z .cpp .pas .asm

Then the Trojan connects to the C&C server at the address 185.127.86.186 and sends data about the new client, together with the encryption key. The researchers were unable to find where the encryption key is stored on an infected system. Presumably the key is stored only on the C&C server, so if the C&C server is taken down or unavailable, the user will not be able to decrypt the files even after paying the ransom.

The sample analyzed by the experts contained an incorrect bitcoin wallet address. The researchers do not rule out that what they had was a pre-release version of the Trojan.
sigismund
moderators
Posts: 788
Deposit: 0 BTC

Rating: 5
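The post gives two concrete indicators a defender can act on: the C&C address 185.127.86.186 and the list of targeted file extensions. The script below is an added example, not code from the post or from the Malwarebytes analysis; it turns those two indicators into a small triage helper that flags hosts whose firewall logs show contact with the C&C address and estimates how much of a file set the encryptor would target. The log format (timestamp, source, destination:port, action) and the log lines themselves are constructed for the example and use documentation address ranges for the non-C&C hosts.

```python
"""
Added example (not part of the original forum post): a defender-side triage
helper built from the two indicators the post gives, the C&C address
185.127.86.186 and the list of targeted file extensions.
"""
import ipaddress
import re
from pathlib import PurePath

# C&C address quoted in the post.
SATANA_C2 = ipaddress.ip_address("185.127.86.186")

# Extensions listed in the post, lower-cased, with the leading dot kept.
SATANA_EXTENSIONS = frozenset("""
.bak .doc .jpg .jpe .txt .tex .dbf .db .xls
.cry .xml .vsd .pdf .csv .bmp .tif .1cd .tax
.gif .gbr .png .mdb .mdf .sdf .dwg .dxf .dgn
.stl .gho .v2i .3ds .ma .ppt .acc .vpd .odt
.ods .rar .zip .7z .cpp .pas .asm
""".split())

# Constructed sample log in an assumed "timestamp src dst:port action" shape
# (not the format of any real product). 203.0.113.0/24 is a documentation range.
SAMPLE_FIREWALL_LOG = """\
2016-07-05T10:40:01Z 10.0.0.15 203.0.113.5:443 ALLOW
2016-07-05T10:41:13Z 10.0.0.22 185.127.86.186:80 ALLOW
2016-07-05T10:41:20Z 10.0.0.22 185.127.86.186:443 DENY
2016-07-05T10:42:09Z 10.0.0.31 203.0.113.53:53 ALLOW
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>[^:\s]+):(?P<port>\d+)\s+(?P<action>\S+)$"
)


def find_c2_contacts(log_text, c2=SATANA_C2):
    """Return (timestamp, source host, action) for each line whose destination is the C&C address.

    Denied connections are reported too: a host that *tried* to reach the
    C&C is just as worth isolating as one that succeeded.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        try:
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # destination was a hostname or garbage, not an IP
        if dst == c2:
            hits.append((m["ts"], m["src"], m["action"]))
    return hits


def is_targeted_file(path):
    """True if the file's extension is in the post's list (case-insensitive)."""
    return PurePath(path).suffix.lower() in SATANA_EXTENSIONS


def targeted_fraction(paths):
    """Share of the given paths the encryptor would target.

    Useful for sizing the blast radius of a share or backup set before an
    incident: 0.0 for an empty input, otherwise targeted / total.
    """
    paths = list(paths)
    if not paths:
        return 0.0
    return sum(is_targeted_file(p) for p in paths) / len(paths)


if __name__ == "__main__":
    for ts, src, action in find_c2_contacts(SAMPLE_FIREWALL_LOG):
        print(f"{ts} host {src} contacted Satana C&C ({action})")
    sample_files = ["Q3.xlsx", "budget.XLS", "notes.txt", "archive.7z", "run.exe"]
    print(f"targeted fraction of sample file set: {targeted_fraction(sample_files):.2f}")
```

Note that the extension list is taken from the post as written, so `.xlsx` is not matched while `.xls` is; if a later analysis extends the list, only `SATANA_EXTENSIONS` needs updating.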