Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

5/21/2019
07:00 PM
50%
50%

Satan Ransomware Adds More Evil Tricks

The latest changes to the Satan ransomware framework demonstrate attackers are changing their operations while targeting victims more carefully.

The operators and developers behind a 2-year-old ransomware framework, dubbed Satan, continue to expand the codebase, adding exploits for the Spring Web application framework, the ElasticSearch search engine, and ThinkPHP Web application framework popular in China, according to research from Fortinet. 

The refinements demonstrate a trend in ransomware: The malware is becoming more sophisticated and operations against victims more targeted, according to the company. In its quarterly threat report, Fortinet points to multiple debilitating attacks on manufacturers, chemical companies, and engineering firms, stating that attackers are moving from "indiscriminate ransomware attacks to more targeted and potentially more lucrative campaigns."

"We are seeing more methodical techniques," says Anthony Giandomenico, a senior security researcher at Fortinet. "Some of the adversaries that are using ransomware — they are getting better at quickly incorporating new vulnerabilities that have recently been successfully exploited."

The incorporation of three new exploits into the Satan ransomware framework highlights the continuing improvement in capabilities incorporated into the malicious software by operators and developers. Satan, which is the malware component of a ransomware-as-a-service offering on the Dark Web of the same name, had already included exploits for a variety of Web technologies, such as JBoss, Apache Struts, Web Logic, Tomcat, and the infamous EternalBlue exploit for Windows SMB services.

While the addition of three new exploits does not appreciably increase the threat level of the malware, it does show that the developers are actively improving the code and the service, Fortinet's Giandomenico says.

"The ransomware-as-a-service is successful in that it is taking advantage of those vulnerabilities that have been exploited much faster," he says.

Ransomware attacks garner a great deal of attention. The malware payload, which typically encrypts valuable data until a victims pays the ransom, impacts both the operations of victims and causes obvious symptoms of an attack, such as displaying ransom notes on monitors. In the past five years, significant attacks have shown the danger of malware that makes data essentially unusable.

The 2014 attack on Sony Pictures had a wiper component that erased systems and forced the company to take weeks to clean its information-technology environment and recover business data. In 2017, two worms — WannaCry and NotPetya — spread through companies' IT systems, disrupting operations for manufacturing giants such as pharmaceutical maker Merck, auto maker Nissan, and shipping conglomerate AB Maersk. Most recently, ransomware disrupted government systems and services in the city of Baltimore.

In January 2017, Satan made headlines as the first known ransomware-as-a-service offering — but not the first crimeware-as-a-service product — on the Dark Web. Subscribers can create tailored ransomware attacks, and the operators of the Satan service take a portion of any ransom paid. 

The malware created by Satan also can spread on its own. Once Satan compromises a system, the malware attempts to execute its list of exploits against each IP addresses on the local network. 

The attack can also be used against publicly accesible servers. The malware will reach out to one of the command-and-control (C2) servers, retrieve a Class C subnet to attacks, and then enumerate every IP address on that network and attempt to spread.

While WannaCry and NotPetya raised fears that mass ransomware infections could hobble businesses and governments, attackers have seemingly gone in the opposite direction. By targeting specific companies, or at least manually taking over attacks against those companies, the ransomware operators can do the most damage and levy higher fees for recovery, Giandomenico says.

Ransomware is also becoming more of a capability of malware and a potential tool to use during attacks, he says.

"I would put money on the fact that we will see more targeted attacks that are using ransomware," Giandomenico says. "It will be multistaged. They may do other things on the network first, and when they are finished, they will slap some ransomware in there to cover their tracks" or convert the compromise to cash.

With Satan, the attackers look ready to continue to target more applications with vulnerabilities. The current version of the malware platform scans for applications such as Drupal, Adobe, and XML-RPC, but does not yet have the exploits to compromise the applications. Instead, it reports their existence to the C2 servers.

"Most likely, its purpose is to gather statistics of application usage that can be targeted in future attacks," Fortinet's analysis stated. "The malware authors can easily update their spreader to implement an exploit against one of these applications if they observe that enough of clients that are using it."

Related Content

 

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
RetiredUser
100%
0%
RetiredUser,
User Rank: Ninja
5/22/2019 | 2:38:42 AM
Hail Satan! (or DBGer?)
In 2018 some started calling Satan "DBGer", and we learned it was using EternalBlue and Mimikatz to propogate to machines on the same network; exploiting Remote Code Execution (RCE) vulnerabilities, using network credentials acquired by Mimikatz. It had newly incorporated a version of the EternalBlue SMB exploit, which WannaCry, NotPetya and UIWIX also used.  It was being called DBGer because after the satan.exe dropped into the infected computer, started the encryption process on the disk, and completed the encryption process, it renamed the encrypted files with a new extension ".dbger" - I bring this up only because in the latest Satan news, I don't see this variant mentioned "top-level" - you're lucky to find it at the first three levels of reporting.  It's surely out there still and that detail is one that could help the casual observer with less experience spot details in their server filesystem that could flag a potential intrusion.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 11/19/2020
New Proposed DNS Security Features Released
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/19/2020
The Yellow Brick Road to Risk Management
Andrew Lowe, Senior Information Security Consultant, TalaTek,  11/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: He hits the gong anytime he sees someone click on an email link.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-29070
PUBLISHED: 2020-11-25
osCommerce 2.3.4.1 has XSS vulnerability via the authenticated user entering the XSS payload into the title section of newsletters.
CVE-2020-26212
PUBLISHED: 2020-11-25
GLPI stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.3, any authenticated user has read-only permissions to the planning of ever...
CVE-2020-26243
PUBLISHED: 2020-11-25
Nanopb is a small code-size Protocol Buffers implementation. In Nanopb before versions 0.4.4 and 0.3.9.7, decoding specifically formed message can leak memory if dynamic allocation is enabled and an oneof field contains a static submessage that contains a dynamic field, and the message being decoded...
CVE-2020-25650
PUBLISHED: 2020-11-25
A flaw was found in the way the spice-vdagentd daemon handled file transfers from the host system to the virtual machine. Any unprivileged local guest user with access to the UNIX domain socket path `/run/spice-vdagentd/spice-vdagent-sock` could use this flaw to perform a memory denial of service fo...
CVE-2020-29071
PUBLISHED: 2020-11-25
An XSS issue was found in the Shares feature of LiquidFiles before 3.3.19. The issue arises from the insecure rendering of HTML files uploaded to the platform as attachments, when the -htmlview URL is directly accessed. The impact ranges from executing commands as root on the server to retrieving se...