{"id":990,"date":"2016-07-12T13:27:56","date_gmt":"2016-07-12T11:27:56","guid":{"rendered":"http:\/\/borncity.com\/win\/?p=990"},"modified":"2022-06-27T09:17:06","modified_gmt":"2022-06-27T07:17:06","slug":"ransom-ware-satana-greetings-from-hell","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2016\/07\/12\/ransom-ware-satana-greetings-from-hell\/","title":{"rendered":"Ransom ware: #Satana, greetings from hell &#8230;"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline\" src=\"http:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2015\/01\/Schutz.jpg\" width=\"40\" align=\"left\" height=\"47\">[<a href=\"http:\/\/www.borncity.com\/blog\/2016\/07\/12\/satana-die-ransomware-aus-der-hlle\/\" target=\"_blank\" rel=\"noopener\">German<\/a>]A new day, a new ransomware for computer users. Kaspersky has found a ransomware called Satana, which is the Russian name for \"Satan\". This nice gift from hell encrypts your document files and also replaces the Master Boot Record (MBR) to block Windows from booting. <\/p>\n<p><!--more--><\/p>\n<p>A security researcher from Kaspersky describes Satana as \"another sophisticated sample of a ransom ware\" in her blog post <a href=\"https:\/\/blog.kaspersky.com\/satana-ransomware\/12558\/\" target=\"_blank\" rel=\"noopener\">Satana: Ransomware from hell<\/a>. The Trojan does two things: <\/p>\n<ul>\n<li>It encrypts files<\/li>\n<li>and corrupts the Master Boot Record (MBR)<\/li>\n<\/ul>\n<p>The latter blocks the Windows boot process. This technique is also known from Petya, which comes bundled with Mischa; Satana, however, combines both tasks in a single piece of malware. After infecting a system, Satana scans all local drives and network drives. 
Accessible files with the extensions .bak, .doc, .jpg, .jpe, .txt, .tex, .dbf, .db, .xls, .cry, .xml, .vsd, .pdf, .csv, .bmp, .tif, .1cd, .tax, .gif, .gbr, .png, .mdb, .mdf, .sdf, .dwg, .dxf, .dgn, .stl, .gho, .v2i, .3ds, .ma, .ppt, .acc, .vpd, .odt, .ods, .rar, .zip, .7z, .cpp, .pas, and .asm are encrypted. Satana prepends an e-mail address and three underscores to the file name (the file <em>Sarah_G@ausi.com___test.jpg<\/em> is the encrypted version of the original file <em>test.jpg<\/em>).<\/p>\n<p>(Source: Kaspersky)<\/p>\n<p>The e-mail address serves as contact information for the victims, who are supposed to write to it to receive payment instructions and then the decryption key. Six distinct e-mail addresses have been identified in this campaign. The ransomware demands 0.5 bitcoins (approximately $340) to restore the MBR and hand over the key for the affected files. Whether paying actually works is unclear. <\/p>\n<p>To repair the MBR, it's possible to boot into a Windows PE environment and run the following command sequence:<\/p>\n<p>bootrec \/fixMbr<br \/>bootrec \/fixboot<br \/>bootrec \/RebuildBcd<br \/>Exit<\/p>\n<p>as documented in a Windows Club <a href=\"https:\/\/web.archive.org\/web\/20210323151302\/https:\/\/www.thewindowsclub.com\/repair-master-boot-record-mbr-windows\" target=\"_blank\" rel=\"noopener\">blog post<\/a> (or in my German blog post <a href=\"http:\/\/www.borncity.com\/blog\/2016\/06\/17\/windows-10-upgrade-liefert-fehler-0xd0000225\/\">Windows 10-Upgrade liefert Fehler 0xD0000225<\/a>). Unfortunately, once the machine is able to boot Windows again, there is still no known way to decrypt the document files. The only remedy is to restore a backup (which hopefully exists). Satana is currently rare, but that could change in the future. Distribution is presumably via e-mail attachments and exploit kits. 
<\/p>\n<p><strong>Similar articles<br \/><\/strong><a href=\"https:\/\/borncity.com\/win\/2016\/06\/29\/security-flaw-in-symantecs-av-products-sets-you-at-risk\/\">Security flaw in Symantec's AV products sets you at risk<\/a><strong><br \/><\/strong><a href=\"https:\/\/borncity.com\/win\/2016\/07\/07\/android-security-bulletin-july-2016\/\">Android Security Bulletin July 2016<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2016\/06\/26\/new-lenovo-solution-center-v-3-3-003-fixes-2-security-holes\/\">New Lenovo Solution Center V 3.3.003 fixes 2 security holes<\/a><br \/><a href=\"https:\/\/web.archive.org\/web\/20200919020513\/https:\/\/borncity.com\/win\/2016\/06\/26\/sophos-home-a-free-commercial-grade-security-for-the-home\/\">Sophos Home: A free commercial-grade security for the home<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]A new day, a new ransom ware for computer users. Kaspersky has found a ransom ware called Satana, which is a Russian name for \"Satan\". 
The nice gift from hell encrypts your document files and also swaps the Master Boot &hellip; <a href=\"https:\/\/borncity.com\/win\/2016\/07\/12\/ransom-ware-satana-greetings-from-hell\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[284,282,283,69,194],"class_list":["post-990","post","type-post","status-publish","format-standard","hentry","category-windows","tag-kaspersky","tag-ransom-ware","tag-satana","tag-security","tag-windows"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/990","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=990"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/990\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=990"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=990"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=990"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}