Satan, Prince of Darkness, Spora and Other New Ransomware Variants of 2017

Posted by Geraldine Hunt on Tue, Feb 21st, 2017

Cybersecurity experts knew that fresh ransomware variants would be rapidly unveiled in 2017, continuing the successful legacy of the year prior which  saw ransomware revenues topping the $1 billion mark.  Unfortunately, the year thus far is probably exceeding expectations after new strains of the malicious malware entitled Popcorn Time and Spora were identified in January.  Now a new strain has unveiled its dark presence and is aptly named, Satan, Prince of Darkness.

Satan is the latest unveiled malware threat in the form of Ransomware as a Service or RaaS.  The premise behind RaaS is similar to most any Software as a Service offering in that a new variant of Ransomware is created and then marketed through distribution channels for customers to purchase. Hacker wannabees with little knowledge or skill set as well as regular folks with little or no scruples can subscribe to RaaS and essentially start a turnkey extortion business. Subscribers then distribute and deliver the nefarious malware to potential victims hoping for a hit.  Each time a victim pays a ransom in culmination of their efforts, the subscriber and the ransomware creator split the take. 

How Satan ransomware works

The Satan virus can be accessed via its dedicated website on the Tor network.  Unlike earlier forms of RaaS that charge an upfront fee that ranges anywhere from $39 to $400, Satan is free.  The site prominently posts the following explanation of its services:

• Satan is free.  You just have to register on the site
• Satan is very easy to deploy.  You can create your ransomware in less than a minute
• Satan uses TOR and Bitcoin anonymity
• Satan’s executable is only 170kb.

Besides the ransomware itself, the creators offer a number of additional features as well including fee payment records and transaction tracking so that subscribers can see how many instances were successful and the amount of their payouts.  In order to assist true amateurs, Satan provides easy to follow tutorials to assist subscribers in the creation of droppers that serve as the delivery mechanism of the malware through spam or drive by downloads. The Satan interface even includes an area in which subscribers can translate their ransomware into different languages in order to communicate with their victims to better guide them through the payment process.  Like most recent ransomware releases, there is a customer service portal that allows subscribers to issue service requests.  Once registered, subscribers are offered a public key for two-factor authentication and are required to connect a bitcoin wallet to their account in order to receive their share of the ransom payments.

For all of this, the creators of Satan only take a 30% cut although this commission rate can be negotiated once a subscriber achieves a high volume of successful transactions.  The recommended ransom is currently one bitcoin.

The Proliferation of Ransomware

Satan and other RaaS offerings are increasing the proliferation of ransomware as a greater volume of hackers, knowledgeable or not, partake in this profitable criminal activity.  Due to the sheer simplicity of subscribing and implementing the Satan business plan, this new release is sure to darken the year ahead.

Other New Variants of Ransomware

Ransomware creators continue to integrate innovations into their nefarious products.  Some of the latest features include:

• Fileless ransomware – This variant does not require the downloading of a dedicated file to implement the infection process.  Instead, malicious code is either embedded in a native scripting language or written straight into memory using legitimate administrative tools such as PowerShell according to cybersecurity experts.  The result is that nothing has to be written to disk which means that signature based AV applications cannot detect their presence.
• New variants are now targeting volume shadow snapshots and deleting them, subverting any attempts to restore from backup files.
• In late January, a nursing school in California experienced a ransomware attack that was implemented via a USB drive.  Not only were local files on the designated machine encrypted, the malware was able to attack the victim’s Google Drive as well since the Google synchronization service was running on the infected device.  As this was the victim’s only backup solution, all files were lost since the school decided against paying the ransom.  The good news was that the infection was limited to only one device as it was quickly disconnected from the network upon discovery.
• For the most part, ransomware has limited its target scope to the Windows operating system, however, new capabilities have been discovered in which cyber criminals are beginning to target both UNIX and Linux systems as well in order to expand their coverage and revenue possibilities.

Thankfully so far recorded infection and exposure rates to the Satan malware are low. Saying that, 2017 looks to be another dark year for network security thanks to the escalating rate at which new ransomware variants are coming to market. Ransomware is the fastest growing malware threat today. The pace of evolution is also increasing, with each new variant more sophisiticated and dangerous than its predecessor. Security technologies should be simple and easy to deploy, complexities only introduce risk. Security must be inherent and pervasive across the organisation, that includes the  entire network, the data center, on end points and in the cloud. Lean on your security vendors and leverage their in depth experience in order to increase your organisations security posture.