Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

07:00 PM

Satan Ransomware Adds More Evil Tricks

The latest changes to the Satan ransomware framework demonstrate attackers are changing their operations while targeting victims more carefully.

The operators and developers behind a 2-year-old ransomware framework, dubbed Satan, continue to expand the codebase, adding exploits for the Spring Web application framework, the ElasticSearch search engine, and ThinkPHP Web application framework popular in China, according to research from Fortinet. 

The refinements demonstrate a trend in ransomware: The malware is becoming more sophisticated and operations against victims more targeted, according to the company. In its quarterly threat report, Fortinet points to multiple debilitating attacks on manufacturers, chemical companies, and engineering firms, stating that attackers are moving from "indiscriminate ransomware attacks to more targeted and potentially more lucrative campaigns."

"We are seeing more methodical techniques," says Anthony Giandomenico, a senior security researcher at Fortinet. "Some of the adversaries that are using ransomware — they are getting better at quickly incorporating new vulnerabilities that have recently been successfully exploited."

The incorporation of three new exploits into the Satan ransomware framework highlights the continuing improvement in capabilities incorporated into the malicious software by operators and developers. Satan, which is the malware component of a ransomware-as-a-service offering on the Dark Web of the same name, had already included exploits for a variety of Web technologies, such as JBoss, Apache Struts, Web Logic, Tomcat, and the infamous EternalBlue exploit for Windows SMB services.

While the addition of three new exploits does not appreciably increase the threat level of the malware, it does show that the developers are actively improving the code and the service, Fortinet's Giandomenico says.

"The ransomware-as-a-service is successful in that it is taking advantage of those vulnerabilities that have been exploited much faster," he says.

Ransomware attacks garner a great deal of attention. The malware payload, which typically encrypts valuable data until a victims pays the ransom, impacts both the operations of victims and causes obvious symptoms of an attack, such as displaying ransom notes on monitors. In the past five years, significant attacks have shown the danger of malware that makes data essentially unusable.

The 2014 attack on Sony Pictures had a wiper component that erased systems and forced the company to take weeks to clean its information-technology environment and recover business data. In 2017, two worms — WannaCry and NotPetya — spread through companies' IT systems, disrupting operations for manufacturing giants such as pharmaceutical maker Merck, auto maker Nissan, and shipping conglomerate AB Maersk. Most recently, ransomware disrupted government systems and services in the city of Baltimore.

In January 2017, Satan made headlines as the first known ransomware-as-a-service offering — but not the first crimeware-as-a-service product — on the Dark Web. Subscribers can create tailored ransomware attacks, and the operators of the Satan service take a portion of any ransom paid. 

The malware created by Satan also can spread on its own. Once Satan compromises a system, the malware attempts to execute its list of exploits against each IP addresses on the local network. 

The attack can also be used against publicly accesible servers. The malware will reach out to one of the command-and-control (C2) servers, retrieve a Class C subnet to attacks, and then enumerate every IP address on that network and attempt to spread.

While WannaCry and NotPetya raised fears that mass ransomware infections could hobble businesses and governments, attackers have seemingly gone in the opposite direction. By targeting specific companies, or at least manually taking over attacks against those companies, the ransomware operators can do the most damage and levy higher fees for recovery, Giandomenico says.

Ransomware is also becoming more of a capability of malware and a potential tool to use during attacks, he says.

"I would put money on the fact that we will see more targeted attacks that are using ransomware," Giandomenico says. "It will be multistaged. They may do other things on the network first, and when they are finished, they will slap some ransomware in there to cover their tracks" or convert the compromise to cash.

With Satan, the attackers look ready to continue to target more applications with vulnerabilities. The current version of the malware platform scans for applications such as Drupal, Adobe, and XML-RPC, but does not yet have the exploits to compromise the applications. Instead, it reports their existence to the C2 servers.

"Most likely, its purpose is to gather statistics of application usage that can be targeted in future attacks," Fortinet's analysis stated. "The malware authors can easily update their spreader to implement an exploit against one of these applications if they observe that enough of clients that are using it."

Related Content




Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
5/22/2019 | 2:38:42 AM
Hail Satan! (or DBGer?)
In 2018 some started calling Satan "DBGer", and we learned it was using EternalBlue and Mimikatz to propogate to machines on the same network; exploiting Remote Code Execution (RCE) vulnerabilities, using network credentials acquired by Mimikatz. It had newly incorporated a version of the EternalBlue SMB exploit, which WannaCry, NotPetya and UIWIX also used.  It was being called DBGer because after the satan.exe dropped into the infected computer, started the encryption process on the disk, and completed the encryption process, it renamed the encrypted files with a new extension ".dbger" - I bring this up only because in the latest Satan news, I don't see this variant mentioned "top-level" - you're lucky to find it at the first three levels of reporting.  It's surely out there still and that detail is one that could help the casual observer with less experience spot details in their server filesystem that could flag a potential intrusion.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/23/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Russian Military Officers Unmasked, Indicted for High-Profile Cyberattack Campaigns
Kelly Jackson Higgins, Executive Editor at Dark Reading,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-23
A Cross-Site Request Forgery (CSRF) vulnerability is identified in FruityWifi through 2.4. Due to a lack of CSRF protection in page_config_adv.php, an unauthenticated attacker can lure the victim to visit his website by social engineering or another attack vector. Due to this issue, an unauthenticat...
PUBLISHED: 2020-10-23
FruityWifi through 2.4 has an unsafe Sudo configuration [(ALL : ALL) NOPASSWD: ALL]. This allows an attacker to perform a system-level (root) local privilege escalation, allowing an attacker to gain complete persistent access to the local system.
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to, contains a vulnerability in the ShadowPlay component which may lead to local privilege escalation, code execution, denial of service or information disclosure.
PUBLISHED: 2020-10-23
An arbitrary command execution vulnerability exists in the fopen() function of file writes of UCMS v1.4.8, where an attacker can gain access to the server.
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to, contains a vulnerability in NVIDIA Web Helper NodeJS Web Server in which an uncontrolled search path is used to load a node module, which may lead to code execution, denial of service, escalation of privileges, and information disclosure.