The security researcher Xylitol discovered that the Satan ransomware is now being offered as Ransomware-as-a-Service (RaaS).
The RaaS lets anyone register an account and build a customized version of Satan. Once the would-be criminals have generated their own build, they still have to decide how they are going to distribute it and infect victims.
The RaaS operator handles the ransom payments and adds new features. In return, the operator takes a 30% cut of every payment made by victims, while promising to lower that cut as the number of payments an affiliate brings in grows.
The first thing a visitor sees on the Satan RaaS site is a homepage explaining what the service is and how lucrative it can be. To go any further, the visitor has to register an account and log in, which opens an affiliate console with several pages: Malwares, Droppers, Translate, Account, Notice, and Messages. These pages are what the newly minted criminal relies on once they start spreading the ransomware.
The Malwares page lets the affiliate configure several settings of their own Satan build: for example, the exact ransom amount, the deadline for paying it, and by how much the ransom increases once the deadline has passed without payment.
The Droppers page helps the affiliate distribute the ransomware. It provides code the affiliate can use to build CHM installers or malicious Microsoft Word macros, so that the ransomware can be spread via spam e-mail, for instance.
On the Translate page, the affiliate can have the Satan ransom note rendered in different languages depending on the targets' location. The Account page shows how many victims have been infected and how much money has been paid. Finally, the Notice page displays announcements from the RaaS author, and the Messages page is used for "customer service" requests.
Once the Satan ransomware runs on a computer, it first checks whether it is running inside a virtual machine; if so, it terminates immediately, which also means an ordinary VM-based sandbox will see no encryption activity at all. If not, it injects itself into TaskHost.exe and starts encrypting. For the moment Satan's encryption algorithm remains unknown, but the malware targets a wide range of file extensions.
When Satan locks a file it discards the original file name entirely and appends the ".stn" extension, so a file named "summer.jpg" may end up as "fgeah.stn" after encryption. While encrypting the victim's files, Satan also drops its ransom note, HELP_DECRYPT_FILES.html, in every folder that contains locked data.
When encryption is finished, Satan runs the command "C:\Windows\System32\cipher.exe" /W:C, which overwrites all unused space on the C: drive. cipher.exe is a legitimate Windows tool, but the effect here is that deleted originals cannot be recovered by carving free space, so restoring from offline backups is the only realistic recovery route. The ransom note is then displayed on the victim's screen; it contains the victim's unique ID and a URL to a Tor payment site, where the victim is given further payment instructions. Unfortunately, at least for now, no free decryptor is available.
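As an added illustration (not code from the article, and not anything written by the Satan operators), the following Python triage script turns the three host-side behaviours described above into checks a responder can run over a file listing and a process-creation log: folders where files carry the ".stn" extension next to a HELP_DECRYPT_FILES.html note, and command lines that invoke cipher.exe with /W. The file paths and log lines are constructed for the example, and the Sysmon-style key=value log format is an assumption; a real export will need its own parsing.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Host-side indicators as described in the article (not the whole family):
#   - encrypted files get a random base name plus the ".stn" extension
#   - HELP_DECRYPT_FILES.html is dropped in every folder with encrypted files
#   - "cipher.exe /W:<drive>" is executed once encryption is done
ENCRYPTED_EXT = ".stn"
RANSOM_NOTE = "help_decrypt_files.html"
# Matches `cipher.exe" /W:C`, `cipher /w:d` and similar command lines.
CIPHER_WIPE_RE = re.compile(r'cipher(?:\.exe)?"?\s+/w:', re.IGNORECASE)


def triage_paths(paths):
    """Group a file listing by folder and return the folders that show the
    ".stn + ransom note" pattern: "strong" when both are present, "weak" when
    only one of them is. Folders with neither are not reported."""
    per_folder = defaultdict(lambda: {"stn": 0, "note": False, "other": 0})
    for raw in paths:
        path = PureWindowsPath(raw)
        folder = str(path.parent).lower()
        name = path.name.lower()
        entry = per_folder[folder]
        if name == RANSOM_NOTE:
            entry["note"] = True
        elif name.endswith(ENCRYPTED_EXT):
            entry["stn"] += 1
        else:
            entry["other"] += 1

    verdicts = {}
    for folder, entry in per_folder.items():
        if entry["stn"] and entry["note"]:
            verdicts[folder] = "strong"
        elif entry["stn"] or entry["note"]:
            verdicts[folder] = "weak"
    return verdicts


def triage_process_log(lines):
    """Return the process-creation log lines whose command line runs cipher.exe
    with /W (free-space wipe). cipher /W is a legitimate admin tool, so a hit
    is supporting context for the file indicators rather than proof on its own."""
    return [line for line in lines if CIPHER_WIPE_RE.search(line)]


# Constructed sample data for the example, not captured from a real infection.
SAMPLE_PATHS = [
    r"C:\Users\alice\Pictures\fgeah.stn",
    r"C:\Users\alice\Pictures\qpzml.stn",
    r"C:\Users\alice\Pictures\HELP_DECRYPT_FILES.html",
    r"C:\Users\alice\Documents\report.docx",
    r"C:\Users\alice\Documents\HELP_DECRYPT_FILES.html",
    r"C:\Windows\System32\notepad.exe",
]

# Assumed Sysmon-style key=value lines; a real export format will differ.
SAMPLE_LOG = [
    r'EventID=1 Image=C:\Windows\System32\cipher.exe CommandLine="C:\Windows\System32\cipher.exe" /W:C',
    r'EventID=1 Image=C:\Windows\explorer.exe CommandLine=C:\Windows\explorer.exe',
    r'EventID=1 Image=C:\Windows\System32\cipher.exe CommandLine=cipher /E C:\Users\alice\secret',
]


if __name__ == "__main__":
    for folder, verdict in sorted(triage_paths(SAMPLE_PATHS).items()):
        print(f"{verdict:6} {folder}")
    for line in triage_process_log(SAMPLE_LOG):
        print("wipe   ", line)
```

On the sample data the Pictures folder is a strong hit (two ".stn" files plus the note), Documents is only a weak hit (note present, nothing renamed), and only the first log line is flagged, because `cipher /E` is the tool's ordinary EFS encryption mode rather than a wipe. Treating the cipher.exe hit as corroboration rather than a standalone alert keeps routine administrative use of the tool from paging anyone.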