{"id":12558,"date":"2016-07-11T09:16:49","date_gmt":"2016-07-11T13:16:49","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=12558"},"modified":"2021-03-17T09:55:54","modified_gmt":"2021-03-17T13:55:54","slug":"satana-ransomware","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/satana-ransomware\/12558\/","title":{"rendered":"Satana: Ransomware from hell"},"content":{"rendered":"<p>This year, news of ransomware attacks have been coming in like dispatches from a battlefield \u2014 nonstop. Every day, researchers find new strains of ransomware and discover new and unconventional ways criminals use it to steal money directly from consumers and businesses. And as soon as security experts make some progress, the crooks come up with new ransomware approaches and techniques.<\/p>\n<p>Recently, another sophisticated sample of a ransomware was discovered. The malware is dubbed Satana (\u201cSatan\u201d), which might imply Russian-speaking origins. The Trojan does two things: It encrypts files and corrupts Windows\u2019 Master Boot Record (MBR), thus blocking the Windows boot process.<\/p>\n<p>We have already discussed Trojans that mess with the MBR \u2014 the notorious <a href=\"https:\/\/www.kaspersky.com\/blog\/petya-ransomware\/11715\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Petya ransomware<\/a> is one such malware. In some ways, Satana behaves similarly, for example injecting its own code into the MBR. However, whereas Petya encrypts the Master File Table (MFT), Satana encrypts the MBR. To encrypt PC files, Petya relied on the help of a tagalong Trojan called <a href=\"https:\/\/www.kaspersky.com\/blog\/mischa-ransomware\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Mischa<\/a>; Satana manages both tasks on its own.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\"><a href=\"https:\/\/twitter.com\/hashtag\/Petya?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#Petya<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/ransomware?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#ransomware<\/a> eats your hard drives \u2013 <a href=\"https:\/\/t.co\/BSqbmRBmGf\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/BSqbmRBmGf<\/a> <a href=\"https:\/\/t.co\/WpvijrPlSP\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/WpvijrPlSP<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/715232633316384772?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">March 30, 2016<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>For those who aren\u2019t familiar with the inner workings of computers, we\u2019ll try to shed some more light. The MBR is a part of the hard drive. It contains information on the file system used by different disk partitions, as well as which partition the operating system is stored on.<\/p>\n<p>If the MBR becomes corrupted \u2014 or gets encrypted \u2014 the computer loses access to a critical piece of information: which partition contains the operating system. If the computer can\u2019t find the operating system, it can\u2019t boot. The malefactors behind ransomware like Satana took advantage of this arrangement and enhanced their cryptolocker with bootlocker capabilities. The hackers swap out the MBR, replacing it with the code of the ransom note, and encrypt and move the MBR somewhere else.<\/p>\n<p>The ransomware demands about 0.5 bitcoins (approximately $340) to decrypt the MBR and provide the key to decrypt the affected files. Once the ransom is paid, Satana\u2019s creators say, they will restore access to the operating system and make things look just as they did before. At least, that\u2019s what they say.<\/p>\n<p>Once it\u2019s inside the system, Satana scans all drives and network instances, looking for .bak, .doc, .jpg, .jpe, .txt, .tex, .dbf, .db, .xls, .cry, .xml, .vsd, .pdf, .csv, .bmp, .tif, .1cd, .tax, .gif, .gbr, .png, .mdb, .mdf, .sdf, .dwg, .dxf, .dgn, .stl, .gho, .v2i, .3ds, .ma, .ppt, .acc, .vpd, .odt, .ods, .rar, .zip, .7z, .cpp, .pas, and .asm files, and starts encrypting them. It also adds an e-mail address and three underscore symbols to the beginning of the file name (for example, test.jpg would become Sarah_G@ausi.com___test.jpg).<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2016\/07\/06021857\/satan_mbr_en.png\"><img decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2016\/07\/06021857\/satan_mbr_en.png\" alt=\"Satana: Ransomware from hell\" width=\"720\" height=\"400\" class=\"aligncenter size-full wp-image-12560\"><\/a><\/p>\n<p>The e-mail addresses are meant to serve as contact information for the victims, who are supposed to write to the address to get payment instructions and then retrieve the decryption key. So far, researches have seen six e-mail addresses used in this campaign.<\/p>\n<p>The good news is that it is possible to partially bypass the lock: With certain skills, the MBR can be fixed. Experts at The Windows Club blog produced detailed <a href=\"http:\/\/www.thewindowsclub.com\/repair-master-boot-record-mbr-windows\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">instructions<\/a> on how to fix the MBR by using the OS restore feature in Windows. However, that feature is designed for experienced users who are comfortable working with the command prompt and the bootrec.exe utility; an ordinary user is not likely to nail this cumbersome method straight away and may not feel comfortable trying.<\/p>\n<p>The bad news is that even with Windows successfully unlocked, the other half of the problem, encrypted files, remains. No cure is available for that part yet.<\/p>\n<p>At this point, Satana seems to have just started its ransomware career: It\u2019s not widespread, and researchers have spotted some flaws in its code. However, there is a good chance that it will improve over time and evolve into a very serious threat.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">10 tips to protect your files from ransomware <a href=\"https:\/\/t.co\/o0IpUU9CHb\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/o0IpUU9CHb<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/iteducation?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#iteducation<\/a> <a href=\"https:\/\/t.co\/I47sPIiWFF\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/I47sPIiWFF<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/671348678607642624?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">November 30, 2015<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>Our primary advice to users for now is to practice constant vigilance. Our simple recommendations will help to lower your risk of infection and keep you away from trouble as much as possible: <\/p>\n<p><strong>1. Back up your data regularly<\/strong><br>\nThis is your insurance policy. In the case of a successful ransomware attack, you can just reinstall the operating system and retrieve files from the backup copies.<\/p>\n<p><strong>2. Don\u2019t visit suspicious websites and don\u2019t open suspicious e-mail attachments<\/strong>, even if you got the link or e-mail from a person you know. Be very cautious: Little is known about Satana\u2019s propagation techniques.<\/p>\n<p><strong>3. Make sure to use a reliable antivirus solution. <\/strong><a href=\"https:\/\/www.kaspersky.com\/internet-security?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2c_kasperskydaily_wpplaceholder____kismd___\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Internet Security<\/a> detects Satana as Trojan-Ransom.Win32.Satan and prevents it from encrypting files or locking the system.<\/p>\n<p><strong>4. And, of course, follow our news!<\/strong><br>\nWe\u2019ll always try to tell you about the newest threats as soon as possible, so malware doesn\u2019t catch you unawares.<\/p>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"kis-trial-ransomware\">\n","protected":false},"excerpt":{"rendered":"<p>New ransomware called Satana encrypts your files and blocks the operating system from booting.<\/p>\n","protected":false},"author":2194,"featured_media":12559,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5,2683],"tags":[1680,420,1701,422,723],"class_list":{"0":"post-12558","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"category-threats","9":"tag-cryptors","10":"tag-ransomware","11":"tag-satana","12":"tag-threats","13":"tag-trojans"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/satana-ransomware\/12558\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/satana-ransomware\/7389\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/satana-ransomware\/7413\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/satana-ransomware\/7362\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/satana-ransomware\/8652\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/satana-ransomware\/8602\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/satana-ransomware\/12442\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/satana-ransomware\/2260\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/satana-ransomware\/5808\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/satana-ransomware\/6406\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/satana-ransomware\/5097\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/satana-ransomware\/8155\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/satana-ransomware\/11998\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/satana-ransomware\/12442\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/satana-ransomware\/12558\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/satana-ransomware\/12558\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/ransomware\/","name":"Ransomware"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/12558","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2194"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=12558"}],"version-history":[{"count":4,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/12558\/revisions"}],"predecessor-version":[{"id":39050,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/12558\/revisions\/39050"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/12559"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=12558"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=12558"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=12558"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}