Satan Ransomware Came Back Looking for SMB Vulnerabilities
Recently, an evolved version of the Satan ransomware, which spreads through a Server Message Block (SMB) vulnerability, was discovered.
[Figure 1] Satan Ransomware Process Flowchart
As the process flow chart in Figure 1 shows, the first downloader, sts.exe, downloads ms.exe and client.exe from the server at 198.55.107.149. Both downloaded files are password-protected self-extracting archives (SFX archives) that run their payload when opened with the password.
Of the downloaded files, ms.exe scans the local class C range (/24). If it finds a host with the SMB vulnerability, Satan ransomware uses that vulnerability to propagate the malicious code. On the target system where the SMB vulnerability is found, sts.exe is downloaded and executed, as shown in Figure 2.
[Figure 2] Download and execution of sts.exe on PCs with the SMB vulnerability
The executed sts.exe downloads Client.exe, and Client.exe creates Cryptor.exe in the root of drive C (C:\) and executes it. Cryptor.exe, running from the root of drive C (C:\), encrypts the files on the infected system, as shown in Figure 3, and appends the .satan extension to each encrypted file.
[Figure 3] List of encrypted files after infection
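The infection chain above gives a defender four host-level indicators: a process contacting the download server 198.55.107.149, a single process sweeping a /24 on TCP 445, a process start of Cryptor.exe from the root of drive C, and files receiving the .satan extension. The following is an added example, not AhnLab's code, that runs those checks over constructed, Sysmon-style event records; the event dictionary layout, the field names and the sample events are assumptions chosen for illustration, not a real log schema or real telemetry.

```python
"""Detection checks for the Satan ransomware behaviour described above.

Added example (not AhnLab's code). Events are constructed Sysmon-like
records simplified to dicts; field names are illustrative assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

DOWNLOAD_SERVER = "198.55.107.149"  # download server named in the analysis
CRYPTOR_PATH = r"c:\cryptor.exe"    # Cryptor.exe dropped in the root of drive C
RANSOM_EXT = ".satan"               # extension appended to encrypted files

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "net", "ts": "2018-05-01T10:00:00", "image": r"C:\Users\u\sts.exe",
     "dst_ip": "198.55.107.149", "dst_port": 80},
    # ms.exe sweeping the local /24 on TCP/445, one host per second
    *[{"type": "net", "ts": f"2018-05-01T10:01:{i:02d}", "image": r"C:\Users\u\ms.exe",
       "dst_ip": f"192.168.1.{i}", "dst_port": 445} for i in range(1, 40)],
    {"type": "proc", "ts": "2018-05-01T10:05:00", "image": r"C:\Cryptor.exe",
     "parent": r"C:\Users\u\Client.exe"},
    {"type": "file", "ts": "2018-05-01T10:05:10", "image": r"C:\Cryptor.exe",
     "path": r"C:\Users\u\Documents\report.docx.satan"},
    # benign: a single share access should not trigger the sweep rule
    {"type": "net", "ts": "2018-05-01T11:00:00", "image": r"C:\Windows\explorer.exe",
     "dst_ip": "192.168.1.10", "dst_port": 445},
]


def downloader_contacts(events):
    """Images (process paths) that connected to the download server."""
    return sorted({e["image"] for e in events
                   if e["type"] == "net" and e["dst_ip"] == DOWNLOAD_SERVER})


def smb_sweeps(events, min_hosts=20, window=timedelta(minutes=5)):
    """Processes that reached >= min_hosts distinct addresses inside one /24
    on TCP/445 within `window`. Returns {image: (network, host_count)}."""
    by_proc = defaultdict(list)
    for e in events:
        if e["type"] == "net" and e["dst_port"] == 445:
            by_proc[e["image"]].append(
                (datetime.fromisoformat(e["ts"]), ip_address(e["dst_ip"])))
    hits = {}
    for image, conns in by_proc.items():
        conns.sort()
        for i, (t0, _) in enumerate(conns):
            # distinct hosts reached within the window starting at this connection
            seen = defaultdict(set)
            for t, ip in conns[i:]:
                if t - t0 > window:
                    break
                seen[ip_network(f"{ip}/24", strict=False)].add(ip)
            for net, hosts in seen.items():
                if len(hosts) >= min_hosts and len(hosts) > hits.get(image, ("", 0))[1]:
                    hits[image] = (str(net), len(hosts))
    return hits


def cryptor_drops(events):
    """Process starts of Cryptor.exe from the root of drive C."""
    return [e for e in events
            if e["type"] == "proc" and e["image"].lower() == CRYPTOR_PATH]


def satan_files(events):
    """Paths of files that received the .satan extension."""
    return [e["path"] for e in events
            if e["type"] == "file" and e["path"].lower().endswith(RANSOM_EXT)]


def triage(events):
    """Combine the four indicators into one summary for the host."""
    return {
        "downloader": downloader_contacts(events),
        "smb_sweep": smb_sweeps(events),
        "cryptor": [e["image"] for e in cryptor_drops(events)],
        "encrypted": satan_files(events),
    }


if __name__ == "__main__":
    for name, result in triage(SAMPLE_EVENTS).items():
        print(f"{name}: {result}")
```

The sweep rule is the one worth tuning: it keys on a single process touching many distinct hosts of one /24 on port 445 inside a short window, which separates ms.exe's scan from ordinary share access by explorer.exe, and the threshold and window are parameters so they can be adjusted to the size of the network being monitored.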
The ransom note of the recently discovered Satan ransomware is shown in Figure 4. It is written in three languages, English, Chinese and Korean, just like the previous version of Satan ransomware.
[Figure 4] Ransom notes of Satan Ransomware
The Satan ransomware discovered this time uses an SMB vulnerability to spread, so it can have a wide impact within a network, as WannaCryptor (a.k.a. WannaCry) did.
The aliases identified by AhnLab's anti-malware solution, AhnLab V3, are as below:
- Trojan/Win32.Tiggre