Thanks to its availability as a ransomware-as-a-service (RaaS) platform, Satan ransomware is bringing digital extortion capabilities to the criminal masses.
Satan Ransomware Overview
Satan was first discovered by security researcher Xylitol in January 2017, and it has since quickly gained notoriety as a relatively polished ransomware-as-a-service operation. Rather than distributing the ransomware solely themselves, the developers behind Satan have made it available to any would-be criminal eager to get in on the ransomware racket. All they have to do is sign up and Satan provides them with everything they need to start launching custom ransomware campaigns.
Because the launch of Satan and other ransomware-as-a-service platforms is actively lowering the barrier of entry for criminals, companies need to be prepared for larger volumes and varieties of attacks.
Quick Facts on Satan's RaaS Platform
Satan's ransomware-as-a-service dashboard. Source: Bleeping Computer
- Satan allows would-be criminals to create working ransomware samples for free.
- Criminals who use the service receive 70% of ransom profits, with 30% going to Satan's developers.
- Customization options include the ability to set the ransom demand price and payment conditions, such as raising the price after a certain amount of days go by without payment.
- Satan's RaaS portal provides code for creating PowerShell and Python scripts that encrypt ransomware samples and help them avoid detection.
- The portal also walks criminals through steps to create "droppers" like malicious Microsoft Word docs and other installers for use in distributing the ransomware.
- As part of its service, Satan handles the collection of the ransom and distribution of payments (via Bitcoin), as well as the decryption process for victims who pay up. It also provides an account dashboard that tracks number of victims infected, amount of ransoms paid, etc.
Quick Facts on Satan Ransomware, Itself
- Satan will not fully launch if it determines it is running on a virtual machine.
- Encrypted files will have their file names scrambled and extensions changed to .stn.
- Spora encrypts victims' files using RSA and AES encryption.
- Unfortunately, there are no free decryption tools or services for recovering files encrypted by Satan at this time.
Stopping Satan with Barkly's Runtime Malware Defense
Barkly utilizes runtime malware defense (RMD) to stop Satan ransomware infections before files are encrypted or any other damage is done (see it in action in the video above). By monitoring activity across mulitple layers of the system in real-time, Barkly can see when malware like Satan is attempting to gain execution by suspicious means and stop it before it does.
Why blocking malware during runtime matters
By detecting and blocking malicious behaviors in real-time, Barkly is able to stop malware regardless of how well it was disguised. It may be a brand new variant that no AVs have signatures for, or it may utilize fileless techniques to bypass file scanning altogether. It doesn't matter. Once it tries to do something malicious, Barkly sees it and stops it.
That gives organizations crucial protection they're currently missing — another opportunity to block an attack even after a user has mistakenly opened an infected document, visited an malicious website, etc., and even after it's bypassed their AV.