
SATANA Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Threat Level: 100 % (High)
Infected Computers: 2
First Seen: June 28, 2016
Last Seen: March 5, 2019
OS(es) Affected: Windows

The SATANA Ransomware is an encryption ransomware Trojan that takes its victims' files hostage to force them to pay large amounts of money. The SATANA Ransomware seems to combine the attack methods of two known ransomware Trojans, Petya and MISCHA. The SATANA Ransomware enters a computer without alerting the victim and encrypts the victim's files. The SATANA Ransomware changes each file's name by adding the email address 'Gricakova@techemail.com', separated from the original name with an underscore. After the files have been encrypted, the SATANA Ransomware delivers a ransom note in the form of a pop-up message. The message contained in this pop-up is also delivered in text files named '!the SATANA!.txt', which are dropped in each directory where a file was encrypted.
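As an added triage example (not part of the original write-up), the following Python script walks a directory tree looking for the two file-system artifacts described above: file names carrying the 'Gricakova@techemail.com' marker and the '!the SATANA!.txt' note, from which it pulls the contact address and the per-victim code. The sample tree it builds is constructed for the demonstration, and the field layout the regular expressions expect is an assumption based on the note text quoted on this page.

```python
import os
import re
import tempfile

# Indicators from the write-up above: the address added (underscore-delimited)
# to each encrypted file name and the note dropped in every affected directory.
MARKER_EMAIL = "Gricakova@techemail.com"
NOTE_NAME = "!the SATANA!.txt"
RENAMED_RE = re.compile(r"(^|_)" + re.escape(MARKER_EMAIL) + r"(_|$)")
NOTE_FIELDS = {"email": re.compile(r"E-mail:\s*(\S+@\S+)"),      # contact address
               "code": re.compile(r"CODE:\s*([0-9A-Fa-f]{32})")}  # per-victim code

def parse_note(text):
    """Return the contact address and per-victim code found in a note."""
    found = {}
    for key, pattern in NOTE_FIELDS.items():
        if match := pattern.search(text):
            found[key] = match.group(1)
    return found

def scan_tree(root):
    """Walk root; collect renamed files, note paths and parsed note fields."""
    report = {"renamed_files": [], "notes": [], "fields": {}}
    for dirpath, _dirs, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            if name == NOTE_NAME:
                report["notes"].append(path)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    report["fields"].update(parse_note(fh.read()))
            elif RENAMED_RE.search(name):
                report["renamed_files"].append(path)
    return report

def build_sample_tree():
    """Constructed sample (not a real infection): a clean file, two renamed files, one note."""
    root = tempfile.mkdtemp(prefix="satana_demo_")
    os.makedirs(os.path.join(root, "docs"))
    sample = {
        "readme.txt": "untouched file",
        "thesis.docx_" + MARKER_EMAIL: "ciphertext",
        os.path.join("docs", MARKER_EMAIL + "_budget.xlsx"): "ciphertext",
        os.path.join("docs", NOTE_NAME):
            "E-mail: banetnatia@mail.com - this is our mail\n"
            "CODE: 14B4030A8A7F8B8D7B1101720567C27E this is code; you must send\n",
    }
    for rel, body in sample.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root
```

Run `scan_tree(build_sample_tree())` to see the report; on a real system, point `scan_tree` at a mounted copy of the affected volume rather than at the live machine.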

The Ransom Amount Demanded by the SATANA Ransomware is as Scary as Its Name

Victims of the SATANA Ransomware are forced to pay a ransom of 0.5 BitCoin (at the exchange rate current at the time of writing, one BitCoin is equivalent to approximately $645.65 USD). To make the payment, victims are urged to email the address 'banetnatia@mail.com' with a private identifying number that is included in the pop-up message. Supposedly, after sending the email, the victims will receive further instructions. According to the SATANA Ransomware message, the victims have one week to make the payment or they will lose access to their files permanently. The SATANA Ransomware uses asymmetric encryption and stores the decryption key on a remote server, away from the victim. The SATANA Ransomware has a feature that is not seen in many other ransomware threats: it changes the affected computer's boot settings. Using rootkit methods, the SATANA Ransomware replaces the affected computer's Master Boot Record with its own loader. Apart from this, the SATANA Ransomware reboots the infected computer repeatedly, preventing computer users from accessing their Desktop and files. Unfortunately, without access to the decryption key it may not be possible to recover the files encrypted by the SATANA Ransomware or to restore the computer.

A Further Analysis of the SATANA Ransomware

The SATANA Ransomware is similar to CryptoLocker, Locky, CryptoWall, Cerber, and various other ransomware Trojans. These threats tend to be very similar: they demand different ransom amounts and use different ransom notes, but in the end carry out very similar attacks. The SATANA Ransomware's rootkit capabilities make this attack especially effective and threatening, and computer users should take steps to protect their computers from this threat. Like other similar attacks, the SATANA Ransomware is distributed through corrupted email messages and peer-to-peer file sharing networks.

The following is an example of the SATANA Ransomware's ransom note, displayed after the victim's computer has been rebooted:

You had bad luck. There was crypting of all your files in a FS bootkit virus
To decrypt you need send on this E-mail: banetnatia@mail.com your private code: 14B4030A8A7F8B8D7B1101720567C27E and pay on a Bitcoin Wallet: XjU81vkJn4kExpBE2r92tcA3zXVdbfux6T total 0,5 btc After that during 1 - 2 days the software will be sent to you - decryptor - and the necessary instructions. All changes in hardware configurations of your computer can make the decryption of your files absolutely impossible! Decryption of your files is possible only on your PC! Recovery is possible during 7 days, after which the program - decryptor - can not ask for the necessary signature from a public certificate server. Please contact via e-mail, which you can find as yet in the form of a text document in a folder with encrypted files, as well as in the name of all encrypted files.If you do not appreciate your files we recommend you format all your disks and reinstall the system. Read carefully this warning as it is no longer able to see at startup of the computer. We remind once again- it is all serious! Do not touch the configuration of your computer!
E-mail: banetnatia@mail.com - this is our mail
CODE: 14B4030A8A7F8B8D7B1101720567C27E this is code; you must send
BTC: XjU81vkJn4kExpBE2r92tcA3zXVdbfux6T here need to pay 0,5 bitcoins
How to pay on the Bitcoin wallet you can easily find on the Internet. Enter your unlock code, obtained by E-mail here and press "ENTER" to
continue the normal download on your computer. Good luck! May God help you!

The threatening tone of the ransom note is not in vain; this is certainly a threat to be afraid of. Keeping a backup copy of all files and using a reliable security program are the best methods to prevent these attacks from being devastating.
