Ransom ware: #Satana, greetings from hell …

[German]A new day, a new ransom ware for computer users. Kaspersky has found a ransom ware called Satana, which is a Russian name for "Satan". The nice gift from hell encrypts your document files and also swaps the Master Boot Record (MBR) to block Windows from booting.


Security researcher from Kaspersky mentions Satana as "another sophisticated sample of a ransom ware" in her blog post Satana: Ransomware from hell. The Trojan does two things:

  • It encrypts files
  • and corrupts the Master Boot Record (MBR)

The latter blocks the Windows boot process. This is also know from Petya, coming along with Mischa. But Satana has both tasks incorporated. After infecting a system, Satana scans all drives and network drives. Accessible files with extensions .bak, .doc, .jpg, .jpe, .txt, .tex, .dbf, .db, .xls, .cry, .xml, .vsd, .pdf, .csv, .bmp, .tif, .1cd, .tax, .gif, .gbr, .png, .mdb, .mdf, .sdf, .dwg, .dxf, .dgn, .stl, .gho, .v2i, .3ds, .ma, .ppt, .acc, .vpd, .odt, .ods, .rar, .zip, .7z, .cpp, .pas, and .asm will be encrypted. Satana adds an e-mail address and three underscores to the file name (the file Sarah_G@ausi.com___test.jpg is the encrypted version of original file test.jpg).

(Source: Kaspersky)

The e-mail address serves as contact information for the victims, who are supposed to write to the address to get payment instructions and then retrieve the decryption key. Six distinct e-mail addresses has been identified to be used in this campaign. The ransom ware demands 0.5 bitcoins (approximately $340) to decrypt the MBR and provide the key to decrypt the affected files. But it's unclear, if that works.

To fix the MBR, it's possible to boot with a Windows PE environment and use the command sequence:


bootrec /fixMbr
bootrec /fixboot
bootrec /RebuildBcd

as documented in a Windows Club blog post (or in my German blog post Windows 10-Upgrade liefert Fehler 0xD0000225). Unfortunately, after the machine is able to boot Windows again, there is no known solution yet to unencrypt the document files. The only solution is to restore a backup (that hopefully exists). The Satana ransom ware is currently rare, bit it could be changing in future. Distribution is supposed via e-mail attachments and exploit kits.

Similar articles
Security flaw in Symantec's AV products sets you at risk
Android Security Bulletin July 2016
New Lenovo Solution Center V 3.3.003 fixes 2 security holes
Sophos Home: A free commercial-grade security for the home

Cookies helps to fund this blog: Cookie settings

This entry was posted in Windows and tagged , , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *