Rewterz

Rewterz Threat Alert – Satan Ransomware Evolves with New Propagation Techniques

Severity

High

Analysis Summary


Satan ransomware first appeared in early 2017, and since then its operators have kept improving the malware to infect victims more effectively and to maximize profits.

Satan ransomware uses several methods to propagate across both public and private networks, and its spreader is multi-threaded to make the attacks more efficient. On private networks, the spreader sweeps the victim's subnet to enumerate live hosts; for public networks, the C2 server supplies the IP ranges the spreader should scan.

Once targets are identified, the spreader attempts SSH brute-force logins and a number of web application exploits against them. The Windows spreader additionally uses the EternalBlue exploit (SMBv1) and Mimikatz (credential harvesting) to move laterally. When the attempts are complete, the spreader reports back to the C2 server which exploits it executed. The most recent variants of both the Windows and Linux spreaders added exploit payloads for Spring Data, ElasticSearch, and ThinkPHP vulnerabilities.

Impact

File encryption

Indicators of Compromise

IP(s) / Hostname(s)

  • 111[.]90[.]159[.]103
  • 111[.]90[.]159[.]104
  • 111[.]90[.]159[.]105
  • 111[.]90[.]159[.]106

URLs

  • http[:]//111[.]90[.]159[.]106/d/conn32
  • http[:]//111[.]90[.]159[.]106/d/cry32

Malware Hash (SHA256)

  • 54a1d78c1734fa791c4ca2f8c62a4f0677cb764ed8b21e198e0934888a735ef8
  • 02e1a05fdfdf4f8685d92ba09d698b8be66ae6d020dc402ff2119501dda9597c
  • 51f2e919a7ecfb3b096ddcb71373e86e81883b4b59848d2f6f677f9e317a8468
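
The following is an added example, not Rewterz's tooling or code from the Satan spreader. It turns the indicators above into a sweep that a responder can run over proxy and SSH authentication logs: it refangs the defanged IPs and URLs, matches them against log lines and file hashes, and flags the SSH brute-force bursts described in the analysis summary, then cross-references the attacking sources with the alert's IP list. The log formats (common log format for the proxy, OpenSSH sshd messages for auth.log), the failure threshold and every sample log line are assumptions constructed for the example.

```python
"""IOC sweep for the Satan spreader indicators in this alert.

Added example, not Rewterz's tooling: it refangs the alert's indicators,
matches them against log lines and file hashes, and flags SSH brute-force
bursts (the entry technique the summary describes). The log formats, the
failure threshold and the sample log lines below are assumptions.
"""
import hashlib
import re
from collections import defaultdict

# Indicators copied from the alert, kept in their defanged form.
DEFANGED_IPS = [
    "111[.]90[.]159[.]103",
    "111[.]90[.]159[.]104",
    "111[.]90[.]159[.]105",
    "111[.]90[.]159[.]106",
]
DEFANGED_URLS = [
    "http[:]//111[.]90[.]159[.]106/d/conn32",
    "http[:]//111[.]90[.]159[.]106/d/cry32",
]
SHA256_HASHES = {
    "54a1d78c1734fa791c4ca2f8c62a4f0677cb764ed8b21e198e0934888a735ef8",
    "02e1a05fdfdf4f8685d92ba09d698b8be66ae6d020dc402ff2119501dda9597c",
    "51f2e919a7ecfb3b096ddcb71373e86e81883b4b59848d2f6f677f9e317a8468",
}


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into the string that appears in logs."""
    return ioc.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


IPS = {refang(i) for i in DEFANGED_IPS}
URLS = {refang(u) for u in DEFANGED_URLS}

# IPv4 literal with guards so 111.90.159.10 is not matched as a prefix of 111.90.159.103.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def scan_log_line(line: str) -> list:
    """Return (kind, value) hits for every alert indicator present in one log line."""
    hits = [("url", u) for u in sorted(URLS) if u in line]
    hits += [("ip", ip) for ip in IPV4_RE.findall(line) if ip in IPS]
    return hits


def hash_matches(data: bytes) -> bool:
    """True if the SHA256 of a file's content is one of the alert's sample hashes."""
    return hashlib.sha256(data).hexdigest() in SHA256_HASHES


# OpenSSH failure line: "Failed password for [invalid user] <user> from <ip> port <n> ssh2"
SSH_FAIL_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port")


def ssh_bruteforce_sources(auth_lines, threshold: int = 5) -> dict:
    """Map source IP -> failed-login count for sources at or above the threshold."""
    failures = defaultdict(int)
    for line in auth_lines:
        m = SSH_FAIL_RE.search(line)
        if m:
            failures[m.group(1)] += 1
    return {ip: n for ip, n in failures.items() if n >= threshold}


# Constructed sample logs (not real captures); they embed the alert's indicators.
PROXY_LOG = [
    '10.0.0.12 - - [23/May/2019:10:01:02 +0000] "GET http://111.90.159.106/d/conn32 HTTP/1.1" 200 48000',
    '10.0.0.12 - - [23/May/2019:10:01:05 +0000] "GET http://111.90.159.106/d/cry32 HTTP/1.1" 200 91000',
    '10.0.0.20 - - [23/May/2019:10:02:00 +0000] "GET http://111.90.159.10/index.html HTTP/1.1" 200 512',
    '10.0.0.31 - - [23/May/2019:10:03:00 +0000] "CONNECT 111.90.159.104:443 HTTP/1.1" 200 0',
]
AUTH_LOG = [
    "May 23 10:10:01 web1 sshd[2210]: Failed password for root from 111.90.159.105 port 51022 ssh2",
    "May 23 10:10:02 web1 sshd[2211]: Failed password for invalid user admin from 111.90.159.105 port 51023 ssh2",
    "May 23 10:10:02 web1 sshd[2212]: Failed password for root from 111.90.159.105 port 51024 ssh2",
    "May 23 10:10:03 web1 sshd[2213]: Failed password for invalid user test from 111.90.159.105 port 51025 ssh2",
    "May 23 10:10:03 web1 sshd[2214]: Failed password for root from 111.90.159.105 port 51026 ssh2",
    "May 23 10:15:40 web1 sshd[2300]: Failed password for alice from 10.0.0.7 port 40010 ssh2",
    "May 23 10:15:48 web1 sshd[2301]: Accepted password for alice from 10.0.0.7 port 40010 ssh2",
]


def triage(proxy_lines, auth_lines) -> dict:
    """Hosts that fetched the payload URLs, brute-force sources, and which of those are alert IPs."""
    downloaders = {ln.split()[0] for ln in proxy_lines
                   if any(kind == "url" for kind, _ in scan_log_line(ln))}
    brute = ssh_bruteforce_sources(auth_lines)
    return {
        "payload_downloaders": sorted(downloaders),
        "bruteforce_sources": brute,
        "bruteforce_from_alert_ips": sorted(ip for ip in brute if ip in IPS),
    }


if __name__ == "__main__":
    for line in PROXY_LOG:
        for kind, value in scan_log_line(line):
            print(f"{kind:3} {value}  <- {line[:60]}")
    print(triage(PROXY_LOG, AUTH_LOG))
    print("benign.bin matches alert hash:", hash_matches(b"constructed benign content"))
```

A host that fetched conn32 or cry32 has already run the spreader, so it belongs in the containment list rather than the watch list; the brute-force check is the more useful early signal, because the SSH attempts precede any download and will also show up from spreader IPs the alert does not list.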

Remediation

  • Block the threat indicators at their respective controls (perimeter firewall and proxy for the IPs and URLs, endpoint protection for the file hashes) and alert on any outbound connection to them; a host that fetched conn32 or cry32 from 111[.]90[.]159[.]106 is already compromised and should be isolated.
  • Patch the services the spreader exploits: apply MS17-010 on all Windows hosts to close EternalBlue, and update any Spring Data, ElasticSearch and ThinkPHP deployments, especially those reachable from the internet.
  • Harden SSH against brute force: prefer key-based authentication over passwords, disallow direct root login, and rate-limit or lock out sources with repeated failed logins.
  • Limit lateral movement by restricting SMB (445/TCP) and SSH between workstations, and monitor for the credential-dumping behaviour associated with Mimikatz.
  • Maintain offline, tested backups so that file encryption does not force a ransom decision.
  • Never click on links or attachments sent by unknown senders, and verify unexpected emails with the sender before acting on them.