Satan is the name of a variant produced by a ransomware-as-a-service (RaaS) platform that was discovered by security researcher Xylitol. This RaaS platform, accessible only via the dark web, allows users to register an account and create ransomware campaigns. The hidden service homepage explains “how to make money with Satan” and states:

First of all, you’ll need to sign up. Once you’ve sign [sic] up, you’ll have to log into your account, create a new virus and download it. Once you’ve downloaded your newly created virus, you’re ready to start infecting people.

Once an account is created, the account holder can use Satan’s online console to configure settings such as the ransom amount, the payment timeframe, and the amount by which the ransom should increase if not paid within that timeframe. The account holder can also use the site to make a dropper for distribution, translate ransom notes into different languages, and track the number of successful infections as well as the amount of ransom paid into the account. The owner of the service gives very clear and detailed instructions, completely eliminating the requirement of any technical skill for those looking to launch a ransomware attack. In return for using the service, the owner claims to charge 30% of the ransomware payments paid by the victims of the account holder.

Once the Satan ransomware variant infects a target system running Windows OS, it checks for the presence of a virtual machine (VM) and, if one is found, terminates itself. If there is no VM, it injects itself into TaskHost.exe and then begins the encryption process, appending .stn to the end of encrypted file names and dropping a note named HELP_DECRYPT_FILES.html in each folder. When that process is complete, Satan uses Microsoft’s command-line security tool, cipher.exe, to completely wipe the unused space on the system’s hard drive to prevent file restoration. It then displays a ransom note and payment instructions for the victim.
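The on-host behaviors described above can be correlated per endpoint for detection. The following is an added example, not part of the original profile: the event tuple format, host names and sample telemetry are constructed, and the /w switch (cipher.exe's free-space overwrite option) is an assumption, since the profile names only the tool.

```python
import ntpath
import re
from collections import defaultdict

NOTE_NAME = "help_decrypt_files.html"  # ransom note name given in the profile
ENC_EXT = ".stn"                       # extension appended to encrypted files
# cipher.exe invoked with /w (overwrite free space); the switch is an assumption.
CIPHER_WIPE = re.compile(r'(?:^|[\\/"\s])cipher(?:\.exe)?"?\s+[^|&]*?/w(?::|\s|$)', re.I)

# Constructed sample telemetry: (host, event type, path or command line)
SAMPLE_EVENTS = [
    ("WS-014", "file_create", r"C:\Users\ann\Documents\budget.xlsx.stn"),
    ("WS-014", "file_create", r"C:\Users\ann\Documents\HELP_DECRYPT_FILES.html"),
    ("WS-014", "process_create", r"cipher.exe /w:C:"),
    ("WS-020", "file_create", r"D:\cad\bracket.stn"),            # lone .stn file
    ("SRV-03", "process_create", r"cipher.exe /e /s:C:\Secret"),  # EFS use, no wipe
]

def classify(kind, value):
    """Map one event to a Satan-related signal name, or None if unrelated."""
    if kind == "file_create":
        name = ntpath.basename(value).lower()  # ntpath parses Windows paths on any OS
        if name == NOTE_NAME:
            return "ransom_note"
        if name.endswith(ENC_EXT):
            return "stn_rename"
    elif kind == "process_create" and CIPHER_WIPE.search(value):
        return "free_space_wipe"
    return None

def score_hosts(events, min_signals=2):
    """Return hosts showing at least min_signals distinct signals.

    Requiring two or more avoids alerting on a single benign .stn file
    or an administrator's legitimate use of cipher.exe.
    """
    seen = defaultdict(set)
    for host, kind, value in events:
        signal = classify(kind, value)
        if signal:
            seen[host].add(signal)
    return {h: sorted(s) for h, s in seen.items() if len(s) >= min_signals}

if __name__ == "__main__":
    for host, signals in score_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(signals)}")
```
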

UPDATE 6/14/2018: Satan has been rebranded as DBGer. This variant incorporates the Mimikatz tool for lateral movement inside the compromised network.

  • Bleeping Computer provides more information about Satan here.

  • The NJCCIC is not currently aware of any free decryption tool available for Satan.

UPDATE 6/15/2019: Researchers spotted two Satan ransomware variants that are targeting the financial sector, some dropping Monero miners. Also, a variant named Lucky is actively exploiting 10 vulnerabilities that affect both Windows and Linux-based servers. Satan has been observed propagating through the JBoss vulnerability (CVE-2017-10271), EternalBlue SMB exploit (CVE-2017-0143), and Apache Tomcat web application brute forcing.

  • FortiGuard Labs provides technical research and information here.