Ransomware Recap: Satan Offered as Ransomware as a Service

Ransomware continues to make headway in the threat landscape despite the use of techniques and routines that have become commonplace. Take for instance the fittingly named ransomware that emerged last week: Satan (detected by Trend Micro as RANSOM_NATAS.A). Peddled as a service to fellow cybercriminals, distributors of the ransomware get 70% of the ransom paid by the victim. Satan's service lets affiliates generate a custom executable file to be used in their campaign, which also includes the ransom price. Subscribers of the service can also set the price and time limit.

This ransomware targets 131 file types, and appends them with a .stn extension name. Affected files are encrypted with AES-256 and RSA-2048 encryption algorithms. In one of its ransom notes, Satan demanded a payment of 5 Bitcoin ($1,254 as of March 14, 2017), which doubles if payment is not made before a deadline. Its C&C server and multilingual payment page are located in the Dark Web, where it's also advertised by its operator.

On its advertisement in the Dark Web, Satan is touted as a free ransomware kit. Crooks need only register on the operator’s site. The developer charges 30% in commissions, but this fee will supposedly lower as the distributor gets to infect more victims, and in turn more payments. The operator also has tips and provides resources for the affiliates in order for them to further distribute the malware, including rough codes of malicious Microsoft Word macro and Compiled HTML file (.CHM). The developer also has specific guides on how to deploy and update the ransomware.

Payment page of Satan

Advertisement of Satan in the Dark Web

Ransomware Get Local Flavors

We’ve also noted how ransomware are getting different, regional varieties despite using pedestrian techniques. However, this can be an indication of how ransomware operators are diversifying to victimize more users, and consequently turn in more profit. The previous week had a miscellany of ransomware families targeting specific victims (or regions). Among them is CryptoJacky (detected by Trend Micro as RANSOM_CRYPJACKY.A), which sported a ransom note in Spanish. CryptoJacky is a compilation of modifiable Visual Basic scripts, and encrypts the files of affected systems through an open-source tool, AES Crypt (aesencrypt.exe). Encrypted files are appended with the extension, .aes. Analysis also indicates it possibly came from a ransomware builder. After execution, CryptoJacky unpacks its components in %appdata%\r_tools\. A list of files it targets to encrypt are also in the same directory.

CryptoJacky’s ransom notes

Another is Kaenlupuf, also named KAsi ENkrip LU PUnya File (RANSOM_KAENLUPUF.A), which is Malaysian slang for “Encrypt your file”. Kaenlupuf is capable of deleting the system’s shadow copies (backups of the machine) via the command, vssadmin.exe delete shadows /All /Quiet. Interestingly, it terminates itself if the system is running Windows 10, and has an “expiration date” of March 7, 2017 for its DLL file, and March 10 for the main executable file. It also has certain conditions in order for the ransomware to be executed.

Czech Ransomware’s ransom note

Slovak and Czech-speaking users were also targeted by Czech Ransomware (RANSOM_CZCRYPT.A). Czech Ransomware’s ransom note appears as a pop-up window in the affected machine. In its ransom note, it touts to have encrypted files using AES-256 encryption algorithm, appends an .ENCR extension in the infected file, and demands a ransom paid in Bitcoin. Czech Ransomware targets files located in: Contacts, Desktop, Documents, Downloads, Favorites, Links, Music, Pictures, SavedGames, SavedSearches, and Videos.

The AvastVirusinfo ransomware (Ransom_XORIST.MGW), also known as XORIST, is a malware whose components were compiled using open-source Minimalist GNU for Windows (MinGW). Analysis indicates that this version seems to be employing a multi-component technique. The executable (EXE) file, for instance, will not execute on its own, and would need other components. It also seems to be targeting Russian-speaking users, given the language of the ransom note. It's also one of the most prolific, capable of encrypting 1,796 file types, which are appended with the extension name, .A9v9AhU4.

AvastVirusinfo’s EXE file cannot execute on its own without the other components

Ransomware based on open-source projects like EDA2 and Hidden Tear also emerged last week. This includes Enjey Crypter (RANSOM_HiddenTearEnjey.A) which is based on EDA2’s source code. It is capable of deleting the infected machine’s backup (shadow copies), via the command, - vssadmin delete shadows /all /Quiet. Enjey Crypter encrypts files in all directories except Program Files (x86), $Recycle.Bin, Windows, Boot, and System Volume Information.

Enjey Crypter’s ransom note

Ransomware Solutions:

Enterprises can benefit from a multi-layered, step-by-step approach in order to best mitigate the risks brought by these threats. Email and web gateway solutions such as Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security prevents ransomware from ever reaching end users. At the endpoint level, Trend Micro Smart Protection Suites deliver several capabilities like high-fidelity machine learning, behavior monitoring and application control, and vulnerability shielding that minimizes the impact of this threat. Trend Micro Deep Discovery Inspector detects and blocks ransomware on networks, while Trend Micro Deep Security™ stops ransomware from reaching enterprise servers–whether physical, virtual or in the cloud.

For small businesses, Trend Micro Worry-Free Services Advanced offers cloud-based email gateway security through Hosted Email Security. Its endpoint protection also delivers several capabilities such as behavior monitoring and real-time web reputation in order detect and block ransomware.

For home users, Trend Micro Security 10 provides strong protection against ransomware by blocking malicious websites, emails, and files associated with this threat.

Users can likewise take advantage of our free tools such as the Trend Micro Lock Screen Ransomware Tool, which is designed to detect and remove screen-locker ransomware; as well as Trend Micro Crypto-Ransomware File Decryptor Tool, which can decrypt certain variants of crypto-ransomware without paying the ransom or the use of the decryption key.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.