{"id":11527,"date":"2018-02-19T09:20:02","date_gmt":"2018-02-19T17:20:02","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/02\/19\/news-5298\/"},"modified":"2018-02-19T09:20:02","modified_gmt":"2018-02-19T17:20:02","slug":"news-5298","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2018\/02\/19\/news-5298\/","title":{"rendered":"New Saturn Ransomware offers ransomware-as-a-service"},"content":{"rendered":"<p><strong>Credit to Author: Shriram Munde| Date: Mon, 19 Feb 2018 17:05:19 +0000<\/strong><\/p>\n<p>Quick Heal Security Labs has come across a new ransomware called \u2018Saturn\u2019, currently doing the rounds, which appends the \u201c.Saturn\u201d extension to the files it encrypts.<\/p>\n<p><strong>Behaviour of Saturn Ransomware<\/strong><\/p>\n<p>Upon arrival on the host machine, Saturn ransomware checks whether it is running in a virtual environment or under a debugger. If it detects either, it does not execute. It also checks whether the current system user is an administrator.<\/p>\n<p>Fig 1. Snippet showing anti-debugger check.<\/p>\n<p>After successful execution, Saturn runs the command below to disable the Windows repair and backup options using Vssadmin.exe. Vssadmin.exe is used to create and manage shadow volume copies on the drive.<\/p>\n<p>&#8220;C:\\Windows\\System32\\cmd.exe&#8221; \/C vssadmin.exe delete shadows \/all \/quiet &amp; wmic.exe shadowcopy delete &amp; bcdedit \/set {default} bootstatuspolicy ignoreallfailures &amp; bcdedit \/set {default} recoveryenabled no &amp; wbadmin delete catalog<br \/>\u201cC:\\Windows\\system32\\vssadmin.exe, vssadmin.exe delete shadows \/all \/quiet\u201d<\/p>\n<p>After executing the above commands, Saturn starts its encryption activity. Our analysis shows that the ransomware essentially encrypts non-PE files; the extensions below are the ones it successfully encrypted while generating the scenario. 
\u2018txt, pptx, ppt, csv, docm, wpd, wps, text, dif, xls, doc, xlsx, xlsm, docx, rtf, xml, pdf, cdr, 1cd, sqlite, wav, mp3, mid, mpa, obj, max, 3dm, 3ds, dbf, accdb, sql, pdb, mdb, wsf, apk, com, gadget, torrent, jpg, jpeg, tiff, tif, png, bmp, mp4, mov, gif, avi, wmv, ico, zip, rar, tar, backup, bak, json, php, cpp, asm, bat, vbs, class, java, jar, asp, lib, crt, pl, pem, vmx, vmdk, vdi, vbox, dat, cfg, config\u2019.<\/p>\n<p>Saturn drops infection marker files, and the encrypted files have the following pattern.<\/p>\n<p>Fig 2<\/p>\n<p>Of the dropped infection marker files, the \u2018.html\u2019, \u2018.txt\u2019 and \u2018.BMP\u2019 files contain the ransom note, whereas the \u2018.vbs\u2019 file has the voice notification alert. Saturn drops the following ransom notes.<\/p>\n<p>Fig 3, Fig 4, Fig 5<\/p>\n<p>In order to pay the ransom, the user needs to visit the website \u201chttp:\/\/su34pwhpcafeiztt.onion\u201d over the Tor network, where it asks for a decryption key and a captcha.<\/p>\n<p>Fig 6<\/p>\n<p>When you log in, it displays the page below, which shows the ransom to be paid and the time remaining to pay it. If the ransom is not paid, after a week, the user must pay twice the previous ransom amount.<\/p>\n<p>Fig 7<\/p>\n<p><strong>Ransomware-as-a-Service<\/strong><\/p>\n<p>Saturn usually spreads through spam emails and malicious advertisements. Recently, it has started its own propagation technique named \u201cRaaS: Ransomware-as-a-service\u201d. In this technique, it lets users create a new Saturn ransomware stub. This stub can be embedded into PE or non-PE files. The propagator of this new ransomware will get 70% of the ransom money and the remaining 30% will be rewarded to the creator.<\/p>\n<p><strong>How Quick Heal protects its users from the Saturn ransomware<\/strong><\/p>\n<p>Apart from the static detection, Quick Heal\u2019s Behaviour Detection and Anti-Ransomware successfully eliminate this threat. 
<\/p>\n<p>Fig 8. Anti Ransomware<\/p>\n<p>Fig 9. Behaviour Detection<\/p>\n<p><strong>How to stay away from ransomware<\/strong><\/p>\n<p>Use a multi-layered antivirus in your system which will protect you from real-time threats. Keep your antivirus up-to-date. Update your Operating System regularly as critical patches are released almost every day. Keep your software up-to-date. Older and outdated versions of software have vulnerabilities which are almost always exploited by attackers to infect a system with ransomware and other malware. Never directly connect remote systems to the Internet. Always use a VPN (Virtual Private Network) to access a network remotely. Do not click on links or download attachments in emails received from unexpected or unknown sources. Take regular data backups and keep them in a secure location.<\/p>\n<p>Subject Matter Experts: Shalaka Patil, Priyanka Dhasade, Shashikala Halagond, Shriram Munde | Quick Heal Security Labs<\/p>\n<p>The post New Saturn Ransomware offers ransomware-as-a-service appeared first on Quick Heal Technologies Security Blog | Latest computer security news, tips, and advice.<br \/><a href=\"http:\/\/blogs.quickheal.com\/new-saturn-ransomware-offers-ransomware-service\/\" target=\"bwo\" >http:\/\/blogs.quickheal.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Shriram Munde| Date: Mon, 19 Feb 2018 17:05:19 +0000<\/strong><\/p>\n<p>Quick Heal Security Labs has come across a new ransomware called \u2018Saturn\u2019 currently doing the rounds which upon encryption appends \u201c.Saturn\u201d extension to the encrypted files. 
\u00a0Behaviour of Saturn Ransomware Upon arrival on the host machine, Saturn ransomware checks whether it is a virtual environment or has any debuggers&#8230;.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10459,10378],"tags":[666],"class_list":["post-11527","post","type-post","status-publish","format-standard","hentry","category-quickheal","category-security","tag-uncategorized"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11527","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=11527"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11527\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=11527"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=11527"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=11527"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}