Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

5/21/2019
07:00 PM
50%
50%

Satan Ransomware Adds More Evil Tricks

The latest changes to the Satan ransomware framework demonstrate attackers are changing their operations while targeting victims more carefully.

The operators and developers behind a 2-year-old ransomware framework, dubbed Satan, continue to expand the codebase, adding exploits for the Spring Web application framework, the ElasticSearch search engine, and ThinkPHP Web application framework popular in China, according to research from Fortinet. 

The refinements demonstrate a trend in ransomware: The malware is becoming more sophisticated and operations against victims more targeted, according to the company. In its quarterly threat report, Fortinet points to multiple debilitating attacks on manufacturers, chemical companies, and engineering firms, stating that attackers are moving from "indiscriminate ransomware attacks to more targeted and potentially more lucrative campaigns."

"We are seeing more methodical techniques," says Anthony Giandomenico, a senior security researcher at Fortinet. "Some of the adversaries that are using ransomware — they are getting better at quickly incorporating new vulnerabilities that have recently been successfully exploited."

The incorporation of three new exploits into the Satan ransomware framework highlights the continuing improvement in capabilities incorporated into the malicious software by operators and developers. Satan, which is the malware component of a ransomware-as-a-service offering on the Dark Web of the same name, had already included exploits for a variety of Web technologies, such as JBoss, Apache Struts, Web Logic, Tomcat, and the infamous EternalBlue exploit for Windows SMB services.

While the addition of three new exploits does not appreciably increase the threat level of the malware, it does show that the developers are actively improving the code and the service, Fortinet's Giandomenico says.

"The ransomware-as-a-service is successful in that it is taking advantage of those vulnerabilities that have been exploited much faster," he says.

Ransomware attacks garner a great deal of attention. The malware payload, which typically encrypts valuable data until a victims pays the ransom, impacts both the operations of victims and causes obvious symptoms of an attack, such as displaying ransom notes on monitors. In the past five years, significant attacks have shown the danger of malware that makes data essentially unusable.

The 2014 attack on Sony Pictures had a wiper component that erased systems and forced the company to take weeks to clean its information-technology environment and recover business data. In 2017, two worms — WannaCry and NotPetya — spread through companies' IT systems, disrupting operations for manufacturing giants such as pharmaceutical maker Merck, auto maker Nissan, and shipping conglomerate AB Maersk. Most recently, ransomware disrupted government systems and services in the city of Baltimore.

In January 2017, Satan made headlines as the first known ransomware-as-a-service offering — but not the first crimeware-as-a-service product — on the Dark Web. Subscribers can create tailored ransomware attacks, and the operators of the Satan service take a portion of any ransom paid. 

The malware created by Satan also can spread on its own. Once Satan compromises a system, the malware attempts to execute its list of exploits against each IP addresses on the local network. 

The attack can also be used against publicly accesible servers. The malware will reach out to one of the command-and-control (C2) servers, retrieve a Class C subnet to attacks, and then enumerate every IP address on that network and attempt to spread.

While WannaCry and NotPetya raised fears that mass ransomware infections could hobble businesses and governments, attackers have seemingly gone in the opposite direction. By targeting specific companies, or at least manually taking over attacks against those companies, the ransomware operators can do the most damage and levy higher fees for recovery, Giandomenico says.

Ransomware is also becoming more of a capability of malware and a potential tool to use during attacks, he says.

"I would put money on the fact that we will see more targeted attacks that are using ransomware," Giandomenico says. "It will be multistaged. They may do other things on the network first, and when they are finished, they will slap some ransomware in there to cover their tracks" or convert the compromise to cash.

With Satan, the attackers look ready to continue to target more applications with vulnerabilities. The current version of the malware platform scans for applications such as Drupal, Adobe, and XML-RPC, but does not yet have the exploits to compromise the applications. Instead, it reports their existence to the C2 servers.

"Most likely, its purpose is to gather statistics of application usage that can be targeted in future attacks," Fortinet's analysis stated. "The malware authors can easily update their spreader to implement an exploit against one of these applications if they observe that enough of clients that are using it."

Related Content

 

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Christian Bryant
100%
0%
Christian Bryant,
User Rank: Ninja
5/22/2019 | 2:38:42 AM
Hail Satan! (or DBGer?)
In 2018 some started calling Satan "DBGer", and we learned it was using EternalBlue and Mimikatz to propogate to machines on the same network; exploiting Remote Code Execution (RCE) vulnerabilities, using network credentials acquired by Mimikatz. It had newly incorporated a version of the EternalBlue SMB exploit, which WannaCry, NotPetya and UIWIX also used.  It was being called DBGer because after the satan.exe dropped into the infected computer, started the encryption process on the disk, and completed the encryption process, it renamed the encrypted files with a new extension ".dbger" - I bring this up only because in the latest Satan news, I don't see this variant mentioned "top-level" - you're lucky to find it at the first three levels of reporting.  It's surely out there still and that detail is one that could help the casual observer with less experience spot details in their server filesystem that could flag a potential intrusion.
Florida Town Pays $600K to Ransomware Operators
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/20/2019
Pledges to Not Pay Ransomware Hit Reality
Robert Lemos, Contributing Writer,  6/21/2019
AWS CISO Talks Risk Reduction, Development, Recruitment
Kelly Sheridan, Staff Editor, Dark Reading,  6/25/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-10133
PUBLISHED: 2019-06-26
A flaw was found in Moodle before 3.7, 3.6.4, 3.5.6, 3.4.9 and 3.1.18. The form to upload cohorts contained a redirect field, which was not restricted to internal URLs.
CVE-2019-10134
PUBLISHED: 2019-06-26
A flaw was found in Moodle before 3.7, 3.6.4, 3.5.6, 3.4.9 and 3.1.18. The size of users' private file uploads via email were not correctly checked, so their quota allowance could be exceeded.
CVE-2019-10154
PUBLISHED: 2019-06-26
A flaw was found in Moodle before versions 3.7, 3.6.4. A web service fetching messages was not restricted to the current user's conversations.
CVE-2019-9039
PUBLISHED: 2019-06-26
The Couchbase Sync Gateway 2.1.2 in combination with a Couchbase Server is affected by a previously undisclosed N1QL-injection vulnerability in the REST API. An attacker with access to the public REST API can insert additional N1QL statements through the parameters ?startkey? and ?endkey? of the ?_a...
CVE-2018-20846
PUBLISHED: 2019-06-26
Out-of-bounds accesses in the functions pi_next_lrcp, pi_next_rlcp, pi_next_rpcl, pi_next_pcrl, pi_next_rpcl, and pi_next_cprl in openmj2/pi.c in OpenJPEG through 2.3.0 allow remote attackers to cause a denial of service (application crash).