An Inside Look at a Ransom Note


Satana Demands Payout and Warns Against Recovery Attempts

With ransomware attacks making headlines nearly every day in 2016, it seems that IT security professionals and the cybercriminals that try to outsmart them are in a constant battle for lead position, and lately it seems that the cybercriminals are winning.

Recently, yet another strain of ransomware was discovered in its early sample form. Satana (“Satan” in Italian) is a Trojan that encrypts files and corrupts the Windows Master Boot Record (MBR), halting the Windows boot process and injecting its own code into the MBR. Unlike sister malware Petya, which relies on help from tagalong Trojan Mischa, Satana doesn’t mess around with the Master File Table (MFT); it goes straight for the jugular and manages to conduct both processes, injecting code and encrypting PC files, all by itself. So Satana seems to be an evolved version of Petya in that it doesn’t need anyone’s help, except for the human on the other end of the reboot function, in order to infect and encrypt a user’s computer.
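Because this kind of malware rewrites the MBR, comparing the first disk sector against a known-good copy shows the tampering. The Python below is an added example, not part of the original article or taken from Satana: it checks the standard MBR layout in general, and the function names and sample sectors are constructed for illustration.

```python
import hashlib
import struct

BOOT_CODE_LEN = 446                  # bytes 0-445: bootstrap code
ENTRY = struct.Struct("<B3xB3xII")   # status, CHS, type, CHS, LBA start, sector count
BOOT_SIG = b"\x55\xaa"               # bytes 510-511

def parse_mbr(sector: bytes) -> dict:
    """Hash the boot code and decode the four partition entries of one MBR sector."""
    if len(sector) != 512:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, ptype, lba, count = ENTRY.unpack_from(sector, BOOT_CODE_LEN + 16 * i)
        if ptype:  # type 0x00 marks an unused slot
            partitions.append((i, status == 0x80, ptype, lba, count))
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIG,
    }

def compare_to_baseline(baseline: bytes, current: bytes) -> list:
    """Return findings describing how `current` differs from the known-good sector."""
    base, cur = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not cur["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if cur["boot_code_sha256"] != base["boot_code_sha256"]:
        findings.append("boot code changed")
    if cur["partitions"] != base["partitions"]:
        findings.append("partition table changed")
    return findings

def make_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed test sector: one bootable type-0x07 partition at LBA 2048."""
    table = ENTRY.pack(0x80, 0x07, 2048, 204800) + bytes(48)
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table + BOOT_SIG

if __name__ == "__main__":
    clean = make_sample_mbr(b"\x01\x02\x03")      # placeholder bytes, not real boot code
    modified = make_sample_mbr(b"\xaa\xbb\xcc")   # same layout, different code area
    print(compare_to_baseline(clean, clean))
    print(compare_to_baseline(clean, modified))
```

In practice the baseline is the first 512 bytes of the disk saved while the machine is known to be clean; reading the raw disk requires administrator rights.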

Once Satana has successfully installed itself on its victim’s computer, it will launch its ransom note, which reads, in part:

“You had bad luck. There was crypting of all your files in a FS bootkit virus<!SATANA!> To decrypt you need to send on this E-mail: orjo[email protected] your private code: C98F4DEC6A….”

…and so on. Eventually, the ransom note gets to the point where it instructs victims to pay a bitcoin equivalent to $340. The note, which blasts itself in bright red text against a sinister black background, ends with a call to action that tells users where to enter their decryption code to regain access to their files. The malware signs off with, “Good luck! May God help you! <!SATANA!>”

Kaspersky Lab has dubbed the Russian-linked Satana the “ransomware from hell.” According to Kaspersky Lab, researchers have identified six email addresses that serve as contact information for Satana’s victims, who must request payment and other instructions in order to receive the decryption key to unlock their files.

In order to fulfill the ransom and unlock encrypted files, the cybercriminals behind Satana demand that victims pay around 0.5 bitcoins, or approximately $340.

For the advanced and technically apt victims of Satana, there may be a light at the end of the tunnel. Experts have revealed that there is a way to at least partly bypass the MBR to gain access to the infected operating system and restore it—but be forewarned, this solution is only meant for experienced victims with very advanced technical skills.

Problematically, while you may be able to restore your OS, researchers have yet to figure out a solution that will give Satana victims access to their encrypted files. It seems that, at least for now, victims have only one option in order to decrypt their stolen files—and that is to pay up.

The good news, for the time being, is that Satana is still in its infancy; it is not widespread, and researchers have uncovered errors and weaknesses in its code. On the flip side, it appears that Satana is positioned to evolve over time, and with its comprehensive method of attack, it has the potential to become the next major threat in the ransomware world.

To stay vigilant against ransomware threats, remember to always:

  1. Back up your data on a regular basis.
  2. Don’t open suspicious email attachments.
  3. Use trustworthy anti-virus software and keep it updated.
  4. Consult a professional if you need to bolster your security or you suspect you’ve been compromised.
