Barkly vs Malware
Barkly Research
Jun 2018

Satan Relaunched as DBGer: The Evolution of Ransomware-as-a-Service


What one ransomware-as-a-service (RaaS) can tell us about the increasingly commoditized state of malware.

Today marks the one-year anniversary of the NotPetya outbreak. Even more so than WannaCry (which hit just one month prior), it was a seminal event that signaled a major shift in attacks. Rather than relying on a heavy volume of spam email campaigns to indiscriminately infect otherwise unconnected individuals, NotPetya instead introduced a blueprint for infiltrating larger networks with malware designed to land and expand.

That shift in focus to lateral movement was possible thanks to the adoption of two self-spreading mechanisms in particular: 

  1. Use of the EternalBlue exploit (also used by WannaCry) to gain access to machines over unpatched SMB.  
  2. Use of a customized version of Mimikatz to dump credentials, which can then be used to authenticate to remote machines and deploy the malware there with admin tools like PsExec, WMI, etc. 
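Both mechanisms leave traces in ordinary Windows event logs, and the following added example (not code from the original post or from Barkly) shows what a defender can look for. It runs two detections over a constructed set of log records: a service being installed on a host seconds after a network logon to that host (the PsExec pattern of authenticating over SMB, dropping a service binary and starting it), and one account opening network logons to several hosts in a short window (dumped credentials being replayed across a network). The host names, account names, IPs and timestamps are invented for the example; the event IDs 4624 (logon) and 7045 (service installed) are the real Windows ones.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real telemetry): Windows Security/System log
# records flattened into dicts. Event 4624 = successful logon (logon_type 3 is
# a network logon, e.g. SMB); event 7045 = a service was installed.
SAMPLE_EVENTS = [
    {"time": "2018-06-27T10:00:05", "host": "WS01", "event_id": 4624, "logon_type": 3,
     "user": "CORP\\svc_backup", "src_ip": "10.0.0.5"},
    {"time": "2018-06-27T10:00:09", "host": "WS01", "event_id": 7045,
     "service": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"},
    {"time": "2018-06-27T10:00:40", "host": "WS02", "event_id": 4624, "logon_type": 3,
     "user": "CORP\\svc_backup", "src_ip": "10.0.0.5"},
    {"time": "2018-06-27T10:01:12", "host": "WS03", "event_id": 4624, "logon_type": 3,
     "user": "CORP\\svc_backup", "src_ip": "10.0.0.5"},
    {"time": "2018-06-27T10:01:50", "host": "FS01", "event_id": 4624, "logon_type": 3,
     "user": "CORP\\svc_backup", "src_ip": "10.0.0.5"},
    # Benign noise: a user opening a file share, and a scheduled agent install.
    {"time": "2018-06-27T10:05:00", "host": "FS01", "event_id": 4624, "logon_type": 3,
     "user": "CORP\\alice", "src_ip": "10.0.1.20"},
    {"time": "2018-06-27T11:30:00", "host": "WS09", "event_id": 7045,
     "service": "PatchAgent", "image": "C:\\Program Files\\Patch\\agent.exe"},
]


def _ts(ev):
    return datetime.fromisoformat(ev["time"])


def _is_network_logon(ev):
    return ev["event_id"] == 4624 and ev.get("logon_type") == 3


def remote_service_installs(events, window_s=120):
    """Rule A: a 7045 service install on a host within window_s seconds of a
    network logon to that host. Returns one hit per suspicious install."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=_ts):
        by_host[ev["host"]].append(ev)
    hits = []
    for host, evs in by_host.items():
        recent_logons = []
        for ev in evs:
            if _is_network_logon(ev):
                recent_logons.append(ev)
            elif ev["event_id"] == 7045:
                for lg in recent_logons:
                    if 0 <= (_ts(ev) - _ts(lg)).total_seconds() <= window_s:
                        hits.append({"host": host, "user": lg["user"], "src_ip": lg["src_ip"],
                                     "service": ev["service"], "image": ev["image"]})
                        break
    return hits


def credential_fan_out(events, min_hosts=3, window_s=300):
    """Rule B: one account with network logons to >= min_hosts distinct hosts
    inside a window_s-second window. Returns the first such window per user."""
    logons = defaultdict(list)  # user -> [(time, host)]
    for ev in events:
        if _is_network_logon(ev):
            logons[ev["user"]].append((_ts(ev), ev["host"]))
    hits = []
    for user, seq in logons.items():
        seq.sort()
        for i, (t0, _) in enumerate(seq):
            hosts = {h for t, h in seq[i:] if (t - t0).total_seconds() <= window_s}
            if len(hosts) >= min_hosts:
                hits.append({"user": user, "hosts": sorted(hosts), "start": t0.isoformat()})
                break
    return hits


def analyze(events):
    """Run both rules and return the findings keyed by rule name."""
    return {"remote_service_install": remote_service_installs(events),
            "credential_fan_out": credential_fan_out(events)}


if __name__ == "__main__":
    for rule, findings in analyze(SAMPLE_EVENTS).items():
        for f in findings:
            print(f"[{rule}] {f}")
```

Rule A fires once, for the PSEXESVC install on WS01 four seconds after svc_backup's network logon; the PatchAgent install on WS09 has no preceding logon and is ignored. Rule B fires once, for svc_backup reaching four hosts inside two minutes; alice's single file-share logon stays below the threshold. In production both thresholds need tuning against legitimate administration traffic (backup agents, software deployment), which is why the account and source IP are carried in each hit rather than just the host.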

At the time, seeing these two mechanisms included in an attack was unprecedented, and the combination was devastatingly effective in catching organizations unprepared. One year later, the damaging ripple effects of the attack are still being felt, particularly for companies like shipping giants FedEx and Maersk as they continue to pull themselves out of $400 million and $300 million holes, respectively. 

But the real legacy of NotPetya extends far beyond the direct damage it caused. Both it and WannaCry are now considered sophisticated but isolated attacks, likely the work of shadowy nation-state-sponsored threat actors. Just one year later, however, attacks with similar capabilities are launched every day. 

The key to the proliferation? Tools for creating and distributing malware like NotPetya and WannaCry have circulated downstream into the hands of common criminals, allowing them to launch their own attack campaigns regardless of technical skill or expertise.

Case in point: The Satan ransomware-as-a-service (RaaS) toolkit, which recently rebranded as "DBGer" and added a version of Mimikatz as one of its new "features." As a result, any would-be criminal can launch an attack that threatens to spread itself throughout compromised organizations just as NotPetya did. 

In this post, we'll take a closer look at Satan (now DBGer) and explain how several key changes made to it in the past year are indicative of just how influential NotPetya's focus on lateral movement has been on the world of cyber crime and malware.  

But before we dive in, a quick primer...

What is ransomware-as-a-service (RaaS) and how does it work?

For those who haven't come across the term before or need a refresher, here's a quick primer on how ransomware-as-a-service works:

  • Malware authors develop a new or updated strain of ransomware, but instead of keeping it to themselves, they invite other criminals to use it in exchange for a cut of each successful ransom payment.
  • In order to attract more customers or "affiliates," the malware creators will also typically create online management portals that make deploying and tracking the ransomware as easy as possible.
  • Many RaaS platforms also offer customization options that allow affiliates to choose ransom price, etc. Some even provide helpful tips and online support.
  • In addition to Satan/DBGer, other recent examples of active RaaS platforms include GandCrab, Saturn, and Data Keeper.

From Satan to DBGer

(Figure: timeline of Satan's evolution into DBGer)

Launch and initial traction (January - October 2017)

Satan ransomware was launched in January 2017. Visitors to the RaaS portal (accessible on the dark web) were invited to use the service to create their own custom ransomware "in less than a minute." Unlike other RaaS platforms that charged an initial access or registration fee, Satan was free to try, with the authors behind the ransomware collecting a 30% fee on any profits generated. 

Customization options included the ability to set the ransom demand price and payment conditions, such as raising the price after a certain amount of days pass without payment. The RaaS portal also provided code for creating PowerShell and Python scripts that encrypt ransomware samples and help them avoid detection.

Customers were walked through steps to help them create "droppers" like malicious Microsoft Word docs and other installers for use in distributing the ransomware. As part of its service, Satan handled the collection of the ransom and distribution of payments (via Bitcoin), as well as the decryption process for victims who paid up. It even provided an account dashboard that tracked the number of victims infected, the amount of ransoms paid, etc.

With its intuitive user interface, Satan stood out and quickly gained traction. But with more and more RaaS portals appearing, competition increased. At the same time, during the latter half of the year, the ransomware boom finally started to go bust. Awareness of the threat reached a tipping point, with many organizations officially declaring it their top IT security priority. That focus resulted in new investments in endpoint security and backup solutions, which have helped to reduce the profitability of ransomware campaigns. As a result, many criminal groups have switched to deploying cryptomining malware over ransomware, thanks to its promise as a stealthier, more effective revenue generator. 

For the group behind Satan, this was a big problem. To stay relevant and keep customers interested they needed to offer more features. For inspiration, they turned to the attacks that were responsible for generating all this awareness and creating their problem to begin with — WannaCry and NotPetya.  

Adding EternalBlue and other exploits (November 2017 - May 2018)

In order to maximize the return on Satan campaigns, the authors behind the ransomware began to evolve their product to keep up with broader attack trends. Rather than designing the ransomware to infect individual victims, the group added capabilities to help it land and expand in corporate networks, maximizing its impact and raising the likelihood victims would pay. 

First on the list was a version of the EternalBlue exploit that had powered the WannaCry and NotPetya outbreaks, which security researcher @bartblaze spotted being incorporated into Satan ransomware samples as early as November 2017. 

Six months later, in May 2018, researchers at AlienVault discovered new versions of Satan that had added to their lateral movement repertoire with exploits targeting the following:

In each case, the authors appear to have used publicly-available implementations of the exploits, simply plugging the work of others into the RaaS offering. 

Rebranding to DBGer, adding Mimikatz and curl.exe (June 2018)

On June 14, 2018, MalwareHunterTeam discovered Satan had been rebranded as "DBGer," and relaunched with new features that were once again focused on increasing the ransomware's lateral movement capabilities. 

As @bartblaze pointed out, in addition to Mimikatz, the authors had also added:

Because there are no patches to prevent the abuse of these components, their addition is arguably even more concerning than the previous addition of EternalBlue (although, even a year later, many systems remain unpatched). 

The Satan/DBGer group hasn't been the only operation adding lateral movement capabilities. This is a growing trend, and, as a result, the types of attacks that we considered to be black swan events one year ago can now be launched every day. As Bleeping Computer's Catalin Cimpanu argues, "The development path we see taken by the Satan/DBGer crew is what we can expect in the coming months from most ransomware strains." 

What to do 

Thankfully, many organizations have already heeded the warning and applied Microsoft's patch for addressing EternalBlue. In addition, Microsoft researcher Jessica Payne offers some extremely helpful and pragmatic tips for how you can reduce the effectiveness of many of the most commonly abused lateral movement techniques with free and built-in tools:

And of course, whenever talking about ransomware, a reliable backup strategy is always an important part of the conversation, too.  

In addition, the emergence of RaaS platforms has put considerable stress on traditional antivirus solutions, which have difficulty keeping up with new and modified ransomware samples. For that reason, more and more organizations are moving away from traditional AVs in favor of security products like Barkly. 

Barkly blocks DBGer

Thanks to its machine-learning powered file analysis, Barkly's Endpoint Protection Platform has blocked Satan ransomware variants from the very beginning, and it blocks DBGer samples now. 

And thanks to its real-time behavior analysis, Barkly also blocks malicious attempts to steal credentials and conduct lateral movement. As a result, Barkly provides organizations with defense-in-depth against threats like Satan/DBGer, and gives IT departments confidence knowing they're protected against the underlying techniques today's attacks rely on.

Barkly Research

Barkly's malware research team is hard at work stopping new malware that sneaks past antivirus.
