{"id":12626,"date":"2018-06-20T03:20:12","date_gmt":"2018-06-20T11:20:12","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/06\/20\/news-6394\/"},"modified":"2018-06-20T03:20:12","modified_gmt":"2018-06-20T11:20:12","slug":"news-6394","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/06\/20\/news-6394\/","title":{"rendered":"Satan ransomware raises its head again!"},"content":{"rendered":"<p><strong>Credit to Author: Shriram Munde| Date: Wed, 20 Jun 2018 11:08:35 +0000<\/strong><\/p>\n<p>Satan ransomware first appeared in early 2017 and has resurfaced with a new variant in 2018. We have seen it use new techniques to spread, such as the EternalBlue exploit, to move across compromised networks.<\/p>\n<p>This variant of Satan propagates using the following techniques:<\/p>\n<ul>\n<li>Mimikatz<\/li>\n<li>EternalBlue &#8211; exploit for CVE-2017-0143<\/li>\n<\/ul>\n<p><strong>Technical Analysis<\/strong><\/p>\n<p>1. The mother file is packed with the MPRESS packer (as shown in the snippet in fig 1). After execution it drops many files from the public version of EternalBlue on the victim\u2019s machine.<\/p>\n<p>Fig 1. The file is packed with the MPRESS packer<\/p>\n<p>2. These files are dropped at the \u2018C:\\Users\\All Users\u2019 location. These files are also packed with the MPRESS packer.<\/p>\n<p>3. The mother file scans for all systems on the same network, using EternalBlue to find outdated SMB services, and encrypts files on those hosts to maximize profit from the attack.<\/p>\n<p>Fig 2. Dropped EternalBlue files<\/p>\n<p>This version of Satan also drops mmkt.exe (Mimikatz), an open-source tool that lets the attacker extract credential information from the Windows LSASS (Local Security Authority Subsystem Service) process. Using Mimikatz, it harvests the credentials of computers on the network and then uses them to access and infect machines on the same network.<\/p>\n<p>It drops satan.exe, which is responsible for the encryption, on the C drive of the victim\u2019s machine and executes it.<\/p>\n<p>Fig 3. Drop location for satan.exe from the mother file<\/p>\n<p>To store a unique host identifier, it drops a file named \u201cKSession\u201d at \u201cC:\\Windows\\Temp\u201d.<\/p>\n<p>Satan renames an encrypted file in the following way, e.g. Example.jpg becomes [dbger@protonmail.com] Example.jpg.dbger. The infection marker files and the pattern of encrypted files are shown below.<\/p>\n<p>Fig 4. Encrypted files pattern<\/p>\n<p>The ransom note of this ransomware looks like this (fig 5):<\/p>\n<p>Fig 5. Ransom note<\/p>\n<p>After encrypting all the data on the victim\u2019s machine, it kills satan.exe in memory, but the mother file keeps running to send data to a command-and-control server, as seen in the following snippet.<\/p>\n<p>Fig 6. Connection to CNC server<\/p>\n<p><strong>How Quick Heal protects its users from the Satan ransomware<\/strong><\/p>\n<p>Quick Heal works on multiple levels to protect its users from this threat. These levels include:<\/p>\n<ul>\n<li>Virus Protection<\/li>\n<li>Behavior-based Detection<\/li>\n<li>Anti-Ransomware<\/li>\n<\/ul>\n<p>Fig 7. Behavior Detection<\/p>\n<p>Fig 8. Anti-Ransomware Detection<\/p>\n<p><strong>How to stay safe from ransomware attacks<\/strong><\/p>\n<ul>\n<li>Always take a backup of your important data on external drives such as HDDs and pen drives. Consider using a reliable cloud service to store the data.<\/li>\n<li>Never install freeware or cracked versions of any software.<\/li>\n<li>Do not open advertisement pages shown on websites unless you know they are genuine.<\/li>\n<li>Disable macros while using MS Office.<\/li>\n<li>Always install and update your anti-virus to protect your system from unknown threats.<\/li>\n<\/ul>\n<p><strong>Indicators of compromise:<\/strong><\/p>\n<p>MD5: 6E44ABB2B449DD0BCADF8B0316590D0E<\/p>\n<p>Subject matter experts: Priyanka Dhasade, Shalaka Patil | Quick Heal Security Labs<\/p>\n<p>The post Satan ransomware raises its head again! 
appeared first on Quick Heal Blog | Latest computer security news, tips, and advice.<br \/><a href=\"https:\/\/blogs.quickheal.com\/satan-ransomware-raises-head\/\" target=\"bwo\" >http:\/\/blogs.quickheal.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Shriram Munde| Date: Wed, 20 Jun 2018 11:08:35 +0000<\/strong><\/p>\n<p>Satan ransomware first occurred in early 2017. And it has resurfaced with a new variant in 2018. We have seen it using new, innovative techniques to spread such as EternalBlue exploit to distribute over compromised networks. &nbsp; This variant of Satan propagates using the below techniques: Mimikatz EternalBlue &#8211; exploit&#8230;<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10459,10378],"tags":[666],"class_list":["post-12626","post","type-post","status-publish","format-standard","hentry","category-quickheal","category-security","tag-uncategorized"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/12626","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=12626"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/12626\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=12626"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/ind
ex.php\/wp-json\/wp\/v2\/categories?post=12626"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=12626"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}