Satan RaaS, a new kind of Ransomware-as-a-Service (RaaS), allows any cyber criminal to create their own customized version of the Satan ransomware and its ransom demands.
Independent security researcher Xylit0l discovered this week that the Satan malware has been launched to the public as part of a RaaS platform on the Dark Web.
Satan RaaS Platform
Satan RaaS offers crooks not only a platform to create their customized Satan ransomware but also a platform to handle the ransom payments. For this service, the RaaS developer takes a 30% share of the payments made by any victim.
In order to use the Satan RaaS platform, users must register with the malware’s domain, “hxxp://satan6dll23napb5*onion”, hosted on the Dark Web.
Once registered with the domain, the user is given a ‘member console’ containing various pages that can be used to create and distribute ransomware. These pages are the Malware, Droppers, Translate, Account, Notices, and Messages pages (shown in the figure below).
To use Satan RaaS, users must connect a Bitcoin wallet to their account and specify a cost for decryption. In terms of customization, however, there are not many options on offer. A user can specify the ransom amount and the number of days after which the ransom payment should be increased.
The Satan platform also provides its users with features such as transaction tracking, version releases, and dropper creation. Users can also create their customized “ransom notes” in multiple languages.
Once done with all these steps, cyber criminals are then able to download malicious executable files, ready to infect victim PCs.
Anything About Satan Ransomware Delivery?
The Satan RaaS platform also assists cyber crooks in creating malicious Microsoft Word macros or CHM installers. These can then be used to distribute the ransomware via spam or other means.
Once a cyber criminal has his or her own version of the Satan ransomware, it is up to him or her to choose a convenient means of delivering the payload to victims.
How does Satan Ransomware work?
When the Satan ransomware infects a victim's computer, it first checks whether it is running on a virtual machine and terminates if it is. Once executed, the ransomware injects itself into TaskHost.exe and begins to encrypt the data on the computer. It appends the “.stn” extension to the files it encrypts.
It is currently unknown what encryption algorithm Satan uses and hence there is no free decryption service available. This factor contributes to the high threat level of Satan ransomware.
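For defenders, the two observable behaviours described above (encryption running inside TaskHost.exe and files gaining the “.stn” extension) can be turned into a simple burst detector over file-creation telemetry. The following is an added example, not code from the original article; the pipe-separated event format, the sample events, and the threshold and window values are constructed assumptions, and events are assumed to arrive in time order.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: "ISO time|process image|file written".
# Hypothetical format; map your EDR or Sysmon file-create fields onto it.
EVENTS = r"""
2017-01-20T10:00:00|C:\Windows\System32\taskhost.exe|C:\Users\a\Documents\budget.xlsx.stn
2017-01-20T10:00:01|C:\Windows\System32\taskhost.exe|C:\Users\a\Documents\notes.txt.stn
2017-01-20T10:00:01|C:\Program Files\Office\WINWORD.EXE|C:\Users\a\Documents\draft.docx
2017-01-20T10:00:02|C:\Windows\System32\taskhost.exe|C:\Users\a\Pictures\cat.jpg.stn
2017-01-20T10:00:03|C:\Windows\System32\taskhost.exe|C:\Users\a\Pictures\dog.jpg.stn
2017-01-20T10:00:04|C:\Windows\System32\taskhost.exe|C:\Users\a\Desktop\plan.pdf.stn
2017-01-20T10:05:00|C:\Tools\export.exe|C:\Temp\model.stn
""".strip().splitlines()


def find_stn_bursts(lines, threshold=5, window=timedelta(seconds=10)):
    """Return {process image: peak count} for every process that wrote at
    least `threshold` files ending in .stn inside one sliding `window`."""
    recent = defaultdict(deque)  # process image -> timestamps of recent .stn writes
    peaks = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts_text, image, target = line.split("|", 2)
        if not target.lower().endswith(".stn"):
            continue  # only the extension the article names is of interest
        ts = datetime.fromisoformat(ts_text)
        key = image.lower()
        writes = recent[key]
        writes.append(ts)
        while ts - writes[0] > window:  # drop writes that left the window
            writes.popleft()
        if len(writes) >= threshold:
            peaks[key] = max(peaks.get(key, 0), len(writes))
    return peaks


def is_taskhost(image):
    """True when the writing process is taskhost.exe, the injection target."""
    return image.lower().rsplit("\\", 1)[-1] == "taskhost.exe"


if __name__ == "__main__":
    for image, count in find_stn_bursts(EVENTS).items():
        tag = " (taskhost.exe, matches described injection)" if is_taskhost(image) else ""
        print(f"ALERT: {image} wrote {count} .stn files in 10s{tag}")
```

A single “.stn” write, as in the last sample event, stays below the threshold, so the alert keys on the burst pattern rather than on the extension alone.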