Mar 2017

Blocking Satan Ransomware

Thanks to its availability as a ransomware-as-a-service (RaaS) platform, Satan ransomware is bringing digital extortion capabilities to the criminal masses.


Satan Ransomware Overview

Satan was first discovered by security researcher Xylitol in January 2017, and it has since quickly gained notoriety as a relatively polished ransomware-as-a-service operation. Rather than distributing the ransomware solely themselves, the developers behind Satan have made it available to any would-be criminal eager to get in on the ransomware racket. All they have to do is sign up and Satan provides them with everything they need to start launching custom ransomware campaigns.

Because the launch of Satan and other ransomware-as-a-service platforms is actively lowering the barrier to entry for criminals, companies need to be prepared for larger volumes and varieties of attacks.

Quick Facts on Satan's RaaS Platform


Satan's ransomware-as-a-service dashboard. Source: Bleeping Computer

  • Satan allows would-be criminals to create working ransomware samples for free.
  • Criminals who use the service receive 70% of ransom profits, with 30% going to Satan's developers.  
  • Customization options include the ability to set the ransom demand price and payment conditions, such as raising the price after a certain number of days pass without payment.
  • Satan's RaaS portal provides code for creating PowerShell and Python scripts that encrypt ransomware samples and help them avoid detection.
  • The portal also walks criminals through steps to create "droppers" like malicious Microsoft Word docs and other installers for use in distributing the ransomware.
  • As part of its service, Satan handles the collection of the ransom and distribution of payments (via Bitcoin), as well as the decryption process for victims who pay up. It also provides an account dashboard that tracks the number of victims infected, the amount of ransoms paid, etc.

Quick Facts on Satan Ransomware Itself

  • Satan will not fully launch if it determines it is running on a virtual machine.
  • Encrypted files will have their file names scrambled and extensions changed to .stn.
  • Satan encrypts victims' files using RSA and AES encryption.
  • Unfortunately, there are no free decryption tools or services for recovering files encrypted by Satan at this time.
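The rename behavior listed above (scrambled file names, extension changed to .stn) can be turned into a simple burst detector over file-rename telemetry. The Python below is an added example, not part of the original article or of any vendor's product; the pipe-separated log format, the 10-second window and the threshold of 3 are assumptions, and the sample events are constructed.

```python
import ntpath
from collections import defaultdict, deque
from datetime import datetime, timedelta

STN_EXT = ".stn"                 # extension this page says Satan appends
WINDOW = timedelta(seconds=10)   # assumed tuning value
THRESHOLD = 3                    # assumed tuning value

# Constructed sample events, format (assumed): timestamp|pid|old path|new path
SAMPLE_LOG = r"""
2017-03-01T10:00:00|2210|C:\Users\amy\Desktop\notes.txt|C:\Users\amy\Desktop\notes-old.txt
2017-03-01T10:00:01|4312|C:\Users\amy\Documents\budget.xlsx|C:\Users\amy\Documents\qzk1v8ta.stn
2017-03-01T10:00:02|4312|C:\Users\amy\Documents\plan.docx|C:\Users\amy\Documents\m0xw4rje.stn
2017-03-01T10:00:03|2210|C:\Users\amy\Desktop\draft.tmp|C:\Users\amy\Desktop\draft.stn
2017-03-01T10:00:04|4312|C:\Users\amy\Pictures\trip.jpg|C:\Users\amy\Pictures\h7pd2cny.STN
2017-03-01T10:05:00|2210|C:\Users\amy\Desktop\a.txt|C:\Users\amy\Desktop\b.stn
""".strip().splitlines()

def is_suspicious(old_path, new_path):
    """True when a rename both scrambles the file name and switches to .stn."""
    old_stem, old_ext = ntpath.splitext(ntpath.basename(old_path))
    new_stem, new_ext = ntpath.splitext(ntpath.basename(new_path))
    return (new_ext.lower() == STN_EXT
            and old_ext.lower() != STN_EXT
            and new_stem.lower() != old_stem.lower())

def detect(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {pid: time of first alert} for processes that perform at least
    `threshold` suspicious renames inside a sliding `window`."""
    recent = defaultdict(deque)   # pid -> timestamps of recent suspicious renames
    alerts = {}
    for line in lines:
        ts, pid, old_path, new_path = line.split("|")
        if not is_suspicious(old_path, new_path):
            continue
        when = datetime.fromisoformat(ts)
        hits = recent[pid]
        hits.append(when)
        while when - hits[0] > window:   # drop events that aged out of the window
            hits.popleft()
        if len(hits) >= threshold and pid not in alerts:
            alerts[pid] = when
    return alerts

if __name__ == "__main__":
    for pid, when in detect(SAMPLE_LOG).items():
        print(f"ALERT pid={pid} burst of .stn renames at {when.isoformat()}")
```

A single rename to .stn, or one that keeps the original file name, does not trigger an alert; only a burst from one process does, which keeps an unrelated application that happens to use the extension from being flagged.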


Stopping Satan with Barkly

Barkly blocks Satan ransomware infections before files are encrypted or any other damage is done (see it in action in the video above). By monitoring activity across multiple layers of the system in real time, Barkly can see when malware like Satan is attempting to gain execution by suspicious means and stop it before it does.

Why blocking malware using defense-in-depth matters

By detecting and blocking not only malicious executables, but also malicious behaviors in real time, Barkly is able to stop malware regardless of how well it was disguised. It may be a brand new variant that no AVs have signatures for, or it may utilize fileless techniques to bypass file scanning altogether. It doesn't matter. Once it tries to do something malicious, Barkly sees it and stops it.

That gives organizations crucial protection they're currently missing — another opportunity to block an attack even after a user has mistakenly opened an infected document, visited a malicious website, etc., and even after it's bypassed their AV.

