Petya clone Satana is the new Russian-linked 'ransomware from hell', says Kaspersky Lab
The ransomware not only encrypts files but also blocks Windows booting processes.
A new strain of ransomware, dubbed Satana (the word for Satan in Italian and, as "сатана", in Russian), has been described by researchers as the "ransomware from hell". Security experts say that the malware's name and, more tellingly, its ransom notes suggest it has "Russian-speaking origins".
Kaspersky Lab senior malware analyst Fedor Sinitsyn told IBTimes UK: "Satana carries ransom notes in two languages: Russian and English. What's more, the Russian text is clearly written by a fluent speaker, while the English one is broken and looks like a word-for-word translation. I believe it's safe to assume the authors are from ex-USSR."
According to Kaspersky Lab, Satana not only encrypts files but also blocks the Windows boot process. Researchers have identified six email addresses used in the campaign that "serve as contact information for the victims, who are supposed to write to the address to get payment instructions and then retrieve the decryption key".
The operators behind the ransomware are demanding around 0.5 bitcoin (£258, $340 at the time of writing) for a decryption key covering both the MBR and the encrypted files. "The Trojan does two things: It encrypts files and corrupts Windows' Master Boot Record (MBR), thus blocking the Windows boot process," Kaspersky Lab said.
Highlighting the similarities between Satana and Petya, Kaspersky Lab researchers pointed out that both "mess with MBR", Satana inserting its own code to corrupt it. However, while Petya depended on a "tagalong Trojan" called Mischa to encrypt user files, Satana encrypts files and corrupts the MBR on its own. This suggests Satana may have been designed to go one step further than Petya and inflict the maximum damage on affected victims.
Sinitsyn also confirmed that Satana has a "completely different code" from Petya and "different ideas behind it". He added: "Satana is not improved in any way in comparison to Petya."
What is MBR?
The MBR is the first sector of a hard drive. It holds a small bootstrap program and the partition table, which records where each partition starts, how large it is, what type of file system it carries, and which one is flagged active, that is, which partition holds the operating system's boot loader. "If the MBR becomes corrupted — or gets encrypted — the computer loses access to a critical piece of information: which partition contains the operating system. If the computer can't find the operating system, it can't boot," Kaspersky Lab explains.
On infection, the malware overwrites the MBR with its own code, which displays the ransom note when the machine starts; the original MBR is moved elsewhere on the disk and stored in encrypted form.
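To make the two points above concrete (what the MBR records, and why replacing the first sector stops the operating system from being found), here is an added example in Python. It is not code from the article, from Kaspersky Lab or from Satana: it parses the standard legacy MBR layout (446 bytes of boot code, four 16-byte partition entries, the 55 AA signature), models an MBR locker that replaces the sector and stashes the original XOR-encrypted, and reports which regions changed. The sample disk sector, the ransom-note blob and the XOR key 0x5A are constructed for illustration and are not Satana's actual code or scheme.

```python
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 446           # bytes 0..445: bootstrap code
PARTITION_TABLE_OFFSET = 446   # four 16-byte partition entries follow
PARTITION_ENTRY_SIZE = 16
SIGNATURE_OFFSET = 510         # bytes 510..511 hold the marker 55 AA
BOOT_SIGNATURE = 0xAA55        # little-endian value of the 55 AA marker
BOOTABLE_FLAG = 0x80           # status byte of the active partition


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte entry: status, CHS start (skipped), type,
    CHS end (skipped), starting LBA, sector count."""
    status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
    return {"bootable": status == BOOTABLE_FLAG, "type": ptype,
            "lba_start": lba_start, "sectors": sectors}


def parse_mbr(sector: bytes) -> dict:
    if len(sector) != MBR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    (signature,) = struct.unpack_from("<H", sector, SIGNATURE_OFFSET)
    entries = []
    for i in range(4):
        start = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        entries.append(parse_partition_entry(sector[start:start + PARTITION_ENTRY_SIZE]))
    return {"signature_ok": signature == BOOT_SIGNATURE,
            "boot_code": sector[:BOOT_CODE_SIZE], "partitions": entries}


def find_os_partition(sector: bytes):
    """Return the starting LBA of the single active partition, or None when the
    MBR can no longer say where the operating system lives (the failure
    Kaspersky describes)."""
    mbr = parse_mbr(sector)
    if not mbr["signature_ok"]:
        return None
    active = [p for p in mbr["partitions"] if p["bootable"] and p["type"] != 0]
    return active[0]["lba_start"] if len(active) == 1 else None


def diff_mbr(original: bytes, current: bytes) -> list:
    """Report which MBR regions differ. A responder uses this to decide whether
    rewriting the boot code is enough or the partition table must be rebuilt."""
    changed = []
    if original[:BOOT_CODE_SIZE] != current[:BOOT_CODE_SIZE]:
        changed.append("boot_code")
    if original[PARTITION_TABLE_OFFSET:SIGNATURE_OFFSET] != current[PARTITION_TABLE_OFFSET:SIGNATURE_OFFSET]:
        changed.append("partition_table")
    if original[SIGNATURE_OFFSET:] != current[SIGNATURE_OFFSET:]:
        changed.append("signature")
    return changed


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, used only to model 'the original MBR is kept elsewhere,
    encrypted'. The key is an illustrative assumption, not Satana's scheme."""
    return bytes(b ^ key for b in data)


def build_sample_mbr() -> bytes:
    """Constructed clean MBR: NOP-filled boot code and one active NTFS
    (type 0x07) partition starting at LBA 2048."""
    boot_code = b"\x90" * BOOT_CODE_SIZE
    ntfs = struct.pack("<B3sB3sII", BOOTABLE_FLAG, b"\0\0\0", 0x07, b"\0\0\0", 2048, 204800)
    empty = b"\0" * PARTITION_ENTRY_SIZE
    return boot_code + ntfs + empty * 3 + struct.pack("<H", BOOT_SIGNATURE)


def simulate_mbr_locker(clean_mbr: bytes, key: int = 0x5A):
    """Model the locker behaviour the article describes: the whole first sector
    is replaced (here by a constructed text blob standing in for ransom-note
    code, still ending in 55 AA) and the original sector is stashed XOR-encrypted.
    Returns (locked_sector, stashed_copy)."""
    note = b"YOUR DISK IS LOCKED. WRITE TO THE ADDRESS IN THE NOTE FOR THE KEY"
    locked = note.ljust(SIGNATURE_OFFSET, b"\0") + struct.pack("<H", BOOT_SIGNATURE)
    return locked, xor_bytes(clean_mbr, key)


def recover_original_mbr(stashed_copy: bytes, key: int) -> bytes:
    """Undo the stash encryption; writing the result back to sector 0 restores boot."""
    return xor_bytes(stashed_copy, key)


if __name__ == "__main__":
    clean = build_sample_mbr()
    locked, stash = simulate_mbr_locker(clean)
    print("clean MBR boots from LBA", find_os_partition(clean))
    print("locked MBR boots from", find_os_partition(locked))
    print("regions changed:", diff_mbr(clean, locked))
    print("recovered == clean:", recover_original_mbr(stash, 0x5A) == clean)
```

The `diff_mbr` output is the practical check: if only `boot_code` differs, the partition table survived and rewriting the boot sector from a recovery environment is enough; if `partition_table` differs as well, as in the locker model above, the table must be rebuilt or the stashed original recovered before the system can find its OS partition again.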
All is not lost
For those affected, there is some hope. Researchers say there is a way to "partially bypass" the MBR lock and regain access to the system: security experts at the Windows Club blog have published detailed instructions for repairing the MBR with the Windows recovery tools (the usual route is to boot into the Windows Recovery Environment and rewrite the boot sector, for example with bootrec /fixmbr). The instructions are, however, aimed at experienced users with advanced technical skills. "An ordinary user is not likely to nail this cumbersome method straight away and may not feel comfortable trying," Kaspersky Lab said.
Repairing the MBR only restores the ability to boot. Experts have yet to find a way to regain access to the files the ransomware has encrypted, so affected victims still have little choice but to pay the ransom demanded if they want their data back.
Researchers claim that Satana is still at the starting point of its ransomware career. "It's not widespread, and researchers have spotted some flaws in its code. However, there is a good chance that it will improve over time and evolve into a very serious threat," Kaspersky Lab predicted.
First documented by independent researcher Hasherezad in a Malwarebytes blog post as "malware-in-development", Satana has since caught the eye of other security researchers, who are using it as a cautionary tale about how attackers keep evolving their techniques.
It is still uncertain as to how many have already been affected by the Satana ransomware. "Judging by the samples we have, this malware is still under development, so I doubt it will be widely distributed before all the necessary code gets implemented," said Sinitsyn.
IBTimes UK has also reached out to Hasherezad for further clarification on the reach and effects of the Satana ransomware and is awaiting a response.
© Copyright IBTimes 2024. All rights reserved.