An Inside Look at a Ransom Note


Jul 22, 2016

Satana Demands Payout and Warns Against Recovery Attempts

WarningWith ransomware attacks making headlines nearly every day in 2016, it seems that IT security professionals and the cybercriminals that try to outsmart them are in a constant battle for lead position—and lately, it seems that the cybercriminals are winning.

Recently, yet another strain of ransomware was discovered in its early sample form. Satana, (“Satan” in Italian) is a Trojan that encrypts files and corrupts the Windows’ Master Boot Record (MBR), which halts the Windows boot process and injects its own code into the MBR. Unlike sister-malware Petya which relies on help from tagalong Trojan Mischa, Satana doesn’t mess around with the Master File Table (MFT), it goes straight for the jugular—and manages to conduct both processes of injecting code and encrypting PC files all by itself. So, Satana seems to be an evolved version of Petya in that it doesn’t need anyone’s help—except for the human on the other end of the reboot function—in order to infect and encrypt a user’s computer.

Once Satana has successfully installed itself on its victim’s computer, it will launch its ransom note, which reads, in part:

“You had bad luck. There was crypting of all your files in a FS bootkit virus<!SATANA!> To decrypt you need to send on this E-mail: your private code: C98F4DEC6A….”

…and so on. Eventually, the ransom note gets to the point where it instructs victims to pay a bitcoin equivalent to $340. The note, which blasts itself in bright red text against a sinister black background, ends with a call to action that tells users where to enter their decryption code to regain access to their files. The malware signs off with, “Good luck! May God help you! <!SATANA!>”

Kaspersky Lab has dubbed the Russian-linked Satana the “ransomware from hell.” According to Kaspersky Lab, researchers have identified six email addresses that serve as contact information for Satana’s victims, who must request payment and other instructions in order to receive the decryption key to unlock their files.

In order to fulfill the ransom and unlock encrypted files, the cybercriminals behind Satana demand that victims pay around 0.5 bitcoins, or approximately $340.

For the advanced and technically apt victims of Satana, there may be a light at the end of the tunnel. Experts have revealed that there is a way to at least partly bypass the MBR to gain access to the infected operating system and restore it—but be forewarned, this solution is only meant for experienced victims with very advanced technical skills.

Problematically, while you may be able to restore your OS, researchers have yet to figure out a solution that will give Satana victims access to their encrypted files. It seems that, at least for now, victims have only one option in order to decrypt their stolen files—and that is to pay up.

The good news, for the time being, is that Satana is currently in its infancy stages; it is not widespread, and researchers have uncovered errors and weaknesses in its code. On the flip side, it appears that Satana is positioned to evolve over time, and with its comprehensive method of attack, it has the potential to become the next major threat in the ransomware world.

To stay vigilant against ransomware threats, remember to always:

  1. Backup your data on a regular basis.
  2. Don’t open suspicious email attachments.
  3. Use trustworthy anti-virus software and keep it updated.
  4. Consult a professional if you need to bolster your security or you suspect you’ve been compromised.

{company} your local IT security solutions provider, keeping your business’ IT assets safe from ransomware, hackers, and other cybersecurity threats. For the most advanced IT security solutions in business, contact us at {phone} or send us an email at {email} for more information.

Related Blogs

  • A woman working as a contact center agent and using a desktop computer with access to Amazon Connect and Amazon Connect Tasks" alt="">
    Automate, Track, and Manage Tasks for Amazon Connect Contact Center Agents

    Here’s everything you need to know about Amazon Connect Tasks and how it improves agent productivity while enhancing the customer experience Key Takeaways: Contact center agents often track and...

    Learn More
  • The insights offered by Amazon Connect Contact Lens provide unparalleled customer service training opportunities." alt="">
    Run Real-Time Contact Center Analytics on Amazon Connect

    Amazon Connect Contact Lens lets your call center apply machine learning and natural language processing for speech-to-text analysis and real-time insights Key Takeaways: Amazon Connect Contact Lens...

    Learn More
  • A contact center agent using a laptop computer and a notebook to evaluate customer information and provide customer support" alt="">
    Amazon Connect Customer Profiles: What You Need to Know

    Here’s how to use Amazon Connect Customer Profiles to help your contact center agents provide exceptional customer support Key Takeaways: Contact center agents are often required to switch...

    Learn More