Satana targets the Windows OS; its method of distribution is currently unknown. After a system is infected with Satana, it displays a User Account Control (UAC) pop-up notification asking the victim to allow a program from an unknown publisher to make changes to the computer. This notification is displayed repeatedly until the victim clicks “Yes.” After the victim agrees to allow the changes, Satana delivers a portable executable (PE) file, or dropper, that injects code into the Master Boot Record (MBR) designed to prevent Windows from booting after the system is restarted.

Once that process is complete, Satana proceeds to encrypt targeted files and drop ransom notes named !satana!.txt in each associated folder. Files encrypted by Satana are renamed in the following fashion: <email_address>_<original_name>, with the email address randomly chosen from a preselected pool coded into the ransomware. It also prevents file restoration by running vssadmin.exe to delete Shadow Volume Copies.

The randomly generated key used for encryption is transmitted from Satana’s C2 server but, if that connection is prevented or interrupted, the key could be lost, preventing victims who pay the ransom from being able to decrypt their files. The MBR can be repaired or restored from backup without paying the ransom, but this will not decrypt encrypted files. Satana demands a ransom payment of 0.5 Bitcoin.

  • Malwarebytes provides more information about Satana here.
  • Kaspersky also provides more information about Satana here.
  • The Windows Club provides detailed instructions on how to repair the MBR here.
  • The NJCCIC is not currently aware of any free decryption tools available for Satana.
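
For triage, the two file-system indicators described above (the !satana!.txt note and the <email_address>_<original_name> rename pattern) can be swept for across a share or mounted image. The following is an added example, not code from the NJCCIC or any vendor; the function names, the email-shaped regular expression and the sample directory tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

RANSOM_NOTE = "!satana!.txt"  # ransom note name from the profile above
# <email_address>_<original_name>. Assumption: pool addresses are ordinary
# local@domain.tld strings, so the first "_" after the domain is the separator.
RENAMED = re.compile(
    r"^(?P<email>[\w.+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)_(?P<orig>.+)$")

def scan_tree(root):
    """Return {relative_folder: finding} for folders showing an indicator."""
    findings = {}
    for folder, _dirs, files in os.walk(root):
        note = any(f.lower() == RANSOM_NOTE for f in files)
        renamed = [(f, m.group("email").lower(), m.group("orig"))
                   for f in sorted(files) if (m := RENAMED.match(f))]
        if note or renamed:
            # An email-prefixed name alone can be benign; the ransom note
            # is the stronger signal.
            findings[os.path.relpath(folder, root)] = {
                "note": note, "renamed": renamed,
                "confidence": "high" if note else "low"}
    return findings

def summarize(findings):
    """Triage totals plus the distinct email prefixes observed."""
    hits = [r for f in findings.values() for r in f["renamed"]]
    return {"folders": len(findings),
            "high_confidence": sum(f["confidence"] == "high"
                                   for f in findings.values()),
            "renamed_files": len(hits),
            "emails": sorted({email for _name, email, _orig in hits})}

def build_sample(root):
    """Create a constructed (not real) directory tree for the demo."""
    layout = {
        "docs": ["!satana!.txt", "alice@example.com_report.docx",
                 "bob@example.org_my_notes.txt"],
        "mail_export": ["carol@example.net_invoice.pdf"],  # no note present
        "clean": ["readme.txt"]}
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in names:
            open(os.path.join(root, folder, name), "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(summarize(scan_tree(tmp)))
```

The third element of each renamed entry is the recovered original file name, which helps match encrypted files against backups when scoping what needs to be restored.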