Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

5/21/2019
07:00 PM
50%
50%

Satan Ransomware Adds More Evil Tricks

The latest changes to the Satan ransomware framework demonstrate attackers are changing their operations while targeting victims more carefully.

The operators and developers behind a 2-year-old ransomware framework, dubbed Satan, continue to expand the codebase, adding exploits for the Spring Web application framework, the ElasticSearch search engine, and ThinkPHP Web application framework popular in China, according to research from Fortinet. 

The refinements demonstrate a trend in ransomware: The malware is becoming more sophisticated and operations against victims more targeted, according to the company. In its quarterly threat report, Fortinet points to multiple debilitating attacks on manufacturers, chemical companies, and engineering firms, stating that attackers are moving from "indiscriminate ransomware attacks to more targeted and potentially more lucrative campaigns."

"We are seeing more methodical techniques," says Anthony Giandomenico, a senior security researcher at Fortinet. "Some of the adversaries that are using ransomware — they are getting better at quickly incorporating new vulnerabilities that have recently been successfully exploited."

The incorporation of three new exploits into the Satan ransomware framework highlights the continuing improvement in capabilities incorporated into the malicious software by operators and developers. Satan, which is the malware component of a ransomware-as-a-service offering on the Dark Web of the same name, had already included exploits for a variety of Web technologies, such as JBoss, Apache Struts, Web Logic, Tomcat, and the infamous EternalBlue exploit for Windows SMB services.

While the addition of three new exploits does not appreciably increase the threat level of the malware, it does show that the developers are actively improving the code and the service, Fortinet's Giandomenico says.

"The ransomware-as-a-service is successful in that it is taking advantage of those vulnerabilities that have been exploited much faster," he says.

Ransomware attacks garner a great deal of attention. The malware payload, which typically encrypts valuable data until a victims pays the ransom, impacts both the operations of victims and causes obvious symptoms of an attack, such as displaying ransom notes on monitors. In the past five years, significant attacks have shown the danger of malware that makes data essentially unusable.

The 2014 attack on Sony Pictures had a wiper component that erased systems and forced the company to take weeks to clean its information-technology environment and recover business data. In 2017, two worms — WannaCry and NotPetya — spread through companies' IT systems, disrupting operations for manufacturing giants such as pharmaceutical maker Merck, auto maker Nissan, and shipping conglomerate AB Maersk. Most recently, ransomware disrupted government systems and services in the city of Baltimore.

In January 2017, Satan made headlines as the first known ransomware-as-a-service offering — but not the first crimeware-as-a-service product — on the Dark Web. Subscribers can create tailored ransomware attacks, and the operators of the Satan service take a portion of any ransom paid. 

The malware created by Satan also can spread on its own. Once Satan compromises a system, the malware attempts to execute its list of exploits against each IP addresses on the local network. 

The attack can also be used against publicly accesible servers. The malware will reach out to one of the command-and-control (C2) servers, retrieve a Class C subnet to attacks, and then enumerate every IP address on that network and attempt to spread.

While WannaCry and NotPetya raised fears that mass ransomware infections could hobble businesses and governments, attackers have seemingly gone in the opposite direction. By targeting specific companies, or at least manually taking over attacks against those companies, the ransomware operators can do the most damage and levy higher fees for recovery, Giandomenico says.

Ransomware is also becoming more of a capability of malware and a potential tool to use during attacks, he says.

"I would put money on the fact that we will see more targeted attacks that are using ransomware," Giandomenico says. "It will be multistaged. They may do other things on the network first, and when they are finished, they will slap some ransomware in there to cover their tracks" or convert the compromise to cash.

With Satan, the attackers look ready to continue to target more applications with vulnerabilities. The current version of the malware platform scans for applications such as Drupal, Adobe, and XML-RPC, but does not yet have the exploits to compromise the applications. Instead, it reports their existence to the C2 servers.

"Most likely, its purpose is to gather statistics of application usage that can be targeted in future attacks," Fortinet's analysis stated. "The malware authors can easily update their spreader to implement an exploit against one of these applications if they observe that enough of clients that are using it."

Related Content

 

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RetiredUser
100%
0%
RetiredUser,
User Rank: Ninja
5/22/2019 | 2:38:42 AM
Hail Satan! (or DBGer?)
In 2018 some started calling Satan "DBGer", and we learned it was using EternalBlue and Mimikatz to propogate to machines on the same network; exploiting Remote Code Execution (RCE) vulnerabilities, using network credentials acquired by Mimikatz. It had newly incorporated a version of the EternalBlue SMB exploit, which WannaCry, NotPetya and UIWIX also used.  It was being called DBGer because after the satan.exe dropped into the infected computer, started the encryption process on the disk, and completed the encryption process, it renamed the encrypted files with a new extension ".dbger" - I bring this up only because in the latest Satan news, I don't see this variant mentioned "top-level" - you're lucky to find it at the first three levels of reporting.  It's surely out there still and that detail is one that could help the casual observer with less experience spot details in their server filesystem that could flag a potential intrusion.
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
Unreasonable Security Best Practices vs. Good Risk Management
Jack Freund, Director, Risk Science at RiskLens,  11/13/2019
Breaches Are Inevitable, So Embrace the Chaos
Ariel Zeitlin, Chief Technology Officer & Co-Founder, Guardicore,  11/13/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2016-5285
PUBLISHED: 2019-11-15
Null pointer dereference vulnerability exists in K11_SignWithSymKey / ssl3_ComputeRecordMACConstantTime in NSS before 3.26, which causes the TLS/SSL server using NSS to crash.
CVE-2009-5047
PUBLISHED: 2019-11-15
Jetty 6.x before 6.1.22 suffers from an escape sequence injection vulnerability from two different vectors: 1) "Cookie Dump Servlet" and 2) Http Content-Length header. 1) A POST request to the form at "/test/cookie/" with the "Age" parameter set to a string throws a &qu...
CVE-2013-4584
PUBLISHED: 2019-11-15
Perdition before 2.2 may have weak security when handling outbound connections, caused by an error in the STARTTLS IMAP and POP server. ssl_outgoing_ciphers not being applied to STARTTLS connections
CVE-2013-7087
PUBLISHED: 2019-11-15
ClamAV before 0.97.7 has WWPack corrupt heap memory
CVE-2013-7088
PUBLISHED: 2019-11-15
ClamAV before 0.97.7 has buffer overflow in the libclamav component