I've been holding this for a couple of days for a couple of reasons. First, I want to be sure this really is going somewhere (it is), and, second, I wanted a bit more than the easy-to-get screen shots that have been appearing in other blogs (got it). So, we'll start with some background.
Some of this you can get at other blogs but I think this will provide some insight for you. Finally, before we hit the bricks running, this ransomware is on the street. I have found at least four samples plus the two I created and at least one actor is talking in the underground about how he is just waiting for his victim to pay (on the 0day forum from 23 January to 1 February):
Actor-1: Did you use it already is there any feed back about it?
Actor-2: yes there is. feedback is good. i saw few feedbacks on exploit
Actor-3: looks promising, am gonna try it. thanks for information Actor-10
Actor-4: anyone got infections -> payment with Satan yet?
Actor-5: Any successful payments from Satan ransomware?
Actor-6: I'm waiting for victim to pay :/
Actor-10 in the exchange above is the marketer for the ransomware and he claims that he is not the author. He has been selling in at least three forums on the Dark Web. The program hit the streets around the 17 January with the following announcement from Actor 10:
"Satan is a free to use ransomware kit, you only need to register on the site to start making your viruses. Satan only requires a user name and password to create an account, although, if you wish, you can set a public key for two-factor authentication. Satan has a initial fee of 30 percent over the victim's payment, however, this fee will get lower as you get more infections and payments. All of the user transactions are covered by the server, you'll always get what the victim paid, minus the fee of course.
When creating your malware you can specify the ransom value (in bitcoins), a multiplier for the ransom after X days have passed, the number of days after the multiplier takes place, a private note so you can keep track of your victims.
- Satan is free. You just have to register on the site.
- Satan is very easy to deploy, you can create your ransomware in less than a minute.
- Satan uses TOR and Bitcoin for anonymity.
- Satan's executable is only 170kb.
If english is not your first language or you speak a second language you can translate the ransom notes to help your victims understand better what is happening.
In case you're looking for a way to spread the ransomware, there is a droppers page, where you can generate a crude code for a Microsoft Word macro and CHM file.
If you have any problem with the ransomware, you can report it using the leftmost button on the malwares table. The middle blue button is used to update the malware to a newer version, if available, and the green one is used to edit your malware configuration."
The ransomware is written mostly in C++ and the author has asked that you not upload to virus scanners such as VirusTotal. Of course we - and several other researchers, apparently - have and here are our results. There is a caveat, though. If an actor creates a copy of the ransomware - more on that shortly - that ransomware will have very limited anti-malware recognition until a sample gets into the wild and the A-M vendors get it into their systems. I ran a sample that I created through VirusTotal and OPSWAT Metadefender.
V-T did not pick it up at all. Metadefender showed nine products that appeared to recognise it but of those four were false positives based upon the compile dates, four thought that it was Zbot and only two recognised it as Satan ransomware. The point is that this can be quite difficult to spot by your anti-malware software. However, most AV vendors are writing generic detection for it. The only one I found that hit on my sample instantly, even though it was less than an hour old, was Cylance.
I am not going through all of the screens - other bloggers have done that - but here, in Figure 1, is the landing (after you log in) - and malware creation - screen. All you need to do is set up an account, give it your bitcoin wallet and build ransomware.
Figure 1 - Satan RaaS Landing Page
Now, on to some details. First, I took a sample that I obtained from one of the on-line malware scanners that shared samples. I put it in Maltego and looked for associations. I found some as you can see in Figure 2. Then I added my new sample and ran the tool again. Again, as you can see in Figure 2 it was not detected by anything reported anywhere on the Web ( my sample is at the top of the figure marked Satan-RaaS -- 2-1-17).
Figure 2 - Maltego Scan of the Web Showing Samples Discovered by AV Scan Engines and Entries in Underground Forums
The OPSWAT Metadefender scans show clearly the impact of a copy of the malware being in the wild for a while. Figure 3 shows a version that is a few - very few - days old and Figure 4 shows my sample less than an hour old.
Figure 3 - Metadefender scan of a Sample of Satan a Few Days Old
Figure 4 - Metadefender Scan of My Sample of Satan Less than an Hour Old
When I ran my sample in VirusTotal I got nothing - see Figure 5.
Figure 5 - VirusTotal Scan of My Sample
However, when I ran an early sample hash - first seen on 18 January, just a day after it hit the street - I got a good hit from our instance of Recorded Future - see Figure 6.
Figure 6 - Recorded Future Intel Card for the First Sample to Appear on the Web
Besides using a cryptor, Satan has some obfuscation capabilities such as an anti-reversing engine that checks for known debuggers - such as OLLYDBG, Immunity Debugger, Zeta Debugger and others. It uses the Microsoft Enhanced Cryptographic Provider and that means AES and RSA strong encryption.
I am not going into a deep code analysis here because in my roaming around the Web looking for work already done in this area I came across a very interesting tool from Switzerland called JoeSandbox Cloud. You can learn more at https://www.joesecurity.org but there is a very nice and complete analysis from Joe's automated sandbox at https://www.joesecurity.org/reports/report-406a8a6a3bafee2fa00af938cfb27353.html. Joe has both a commercial version and a community (free) version of its cloud product.
While Joe has a lot of down-and-dirty detail about the reversing - the most complete I've seen so far - there also is a radar display of the malware classification showing the ransomware's broad functionality for the sample of Satan they analysed. The hash of the sample was 406a8a6a3bafee2fa00af938cfb27353 and it also was analysed in VirusTotal on 23 January. Here is Joe's classification display:
Figure 7 - Classification display of Satan Sample 406a8a6a3bafee2fa00af938cfb27353 From Joe Security
The bottom line is that this is a very nasty piece of malware. If you look carefully at the Joe analysis you'll see that it shares some code/characteristics with Locky (which does not make it, as one maven opined, just another Locky), one of the more prolific and unpleasant ransomwares around.
The AV companies will get Satan under control eventually - except for Cylance, which already has - but in the meantime the old ransomware advice stands. You just need to do three things to protect yourself: backup, backup and backup some more. Remember Stephenson's First Axiom: There are only two kinds of computer users (or administrators) - those who backup and those who wish they had.
The tools I used this week were:
- Intel 471
- Payload Security
- IDA Pro
- Recorded Future
- Niksun NetDetector
- AlienVault and OTX
Our friends at Cylance have done a really nice deep analysis of the ransomware and you can catch it here.Now, here are your numbers for this week.
Figure 8 - Top 10 Command and Control IPs Hitting the Packetsled Sensor on our Honeynet
Figure 9 - Top 10 IPs Hitting the Packetsled Sensor on our Honeynet
Figure 10 - This Week's New Malicious Domains from MDL
Figure11 - Top Attack Types as Seen by our Niksun NetDetector against our Honeynet
Figure 12 - STIX Analysis of the 5 Most Malicious IP Addresses from our RecordedFuture Live Cyber Feed
Figure 13 - Top Event Categories Against our Honeynet from our AlienVault USM