SATANA Ransomware
Threat Scorecard
Threat Level: 100 % (High)
Infected Computers: 2
First Seen: June 28, 2016
Last Seen: March 5, 2019
OS(es) Affected: Windows
The SATANA Ransomware is an encryption ransomware Trojan that takes the victim's files hostage in order to force computer users to pay large amounts of money. The SATANA Ransomware seems to combine the attack methods of two known ransomware Trojans, Petya and MISCHA. The SATANA Ransomware enters a computer without alerting the victim and encrypts the victim's files. The SATANA Ransomware changes each file's name by adding the email address 'Gricakova@techemail.com', separated from the rest of the name by an underscore. After the files have been encrypted, the SATANA Ransomware delivers a ransom note in the form of a pop-up message. The message contained in this pop-up note is also delivered in text files named '!the SATANA!.txt', which are dropped in each directory where a file was encrypted.
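The two file-system indicators described above (the ransom note file name and the email address joined to file names with an underscore) are enough to triage a mounted volume or a backup. The following Python script is an added example, not code from EnigmaSoft; the function names and the sample tree are constructed, and because the page does not say on which side of the original name the address sits, the match accepts an underscore on either side.

```python
import os
import tempfile
from collections import defaultdict

# Indicators taken from the description above.
NOTE_NAME = "!the SATANA!.txt"
EMAIL_MARKER = "Gricakova@techemail.com"

def classify(filename):
    """Return 'note', 'renamed' or None for a single file name."""
    lower = filename.lower()
    if lower == NOTE_NAME.lower():
        return "note"
    marker = EMAIL_MARKER.lower()
    # Assumption: the side on which the address is attached is not stated,
    # so an underscore directly before or after the address both count.
    if (marker + "_") in lower or ("_" + marker) in lower:
        return "renamed"
    return None

def triage(root):
    """Walk root and group indicator hits by directory."""
    hits = defaultdict(lambda: {"note": False, "renamed": []})
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            kind = classify(name)
            if kind == "note":
                hits[dirpath]["note"] = True
            elif kind == "renamed":
                hits[dirpath]["renamed"].append(name)
    return dict(hits)

def build_sample_tree(root):
    """Constructed sample data: empty files named like the indicators."""
    layout = {
        "docs": ["Gricakova@techemail.com_report.docx", NOTE_NAME, "clean.txt"],
        "pics": ["holiday.jpg"],
        "work": ["Gricakova@techemail.com_budget.xlsx"],
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub))
        for name in names:
            open(os.path.join(root, sub, name), "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for directory, info in sorted(triage(tmp).items()):
            print(os.path.relpath(directory, tmp), info)
```

A directory that holds renamed files but no note, such as `work` in the sample tree, deserves a closer look, since the page describes a note in every directory where a file was encrypted.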
The Ransom Amount Demanded by the SATANA Ransomware is as Scary as Its Name
Victims of the SATANA Ransomware are forced to pay a ransom of 0.5 BitCoin (at the current exchange rate, one BitCoin is equivalent to approximately $645.65 USD). To make the payment, victims are urged to email the address 'banetnatia@mail.com' with a private identifying number that is included in the pop-up message. Supposedly, after sending the email, the victims will receive more instructions. According to the SATANA Ransomware message, the victims have one week to make the payment or they will lose access to their files permanently. The SATANA Ransomware uses asymmetric encryption, with the decryption key stored on a remote server, away from the victim. The SATANA Ransomware also has a feature that is not seen in many other ransomware threats: it changes the affected computer's boot settings. The SATANA Ransomware uses rootkit methods, replacing the affected computer's Master Boot Record with a threat loader. Apart from this, the SATANA Ransomware reboots the infected computer repeatedly, preventing computer users from accessing their Desktop and files. Unfortunately, it may not be possible to recover the files encrypted by the SATANA Ransomware or to restore a computer without access to the decryption key.
A Further Analysis of the SATANA Ransomware
The SATANA Ransomware is similar to CryptoLocker, Locky, CryptoWall, Cerber, and various other ransomware Trojans. These threats demand different ransom amounts and use different ransom notes, but in the end carry out very similar attacks. The SATANA Ransomware's rootkit capabilities make this attack especially effective and threatening, and computer users should take steps to protect their computers from this threat. Like other similar attacks, the SATANA Ransomware is distributed through corrupted email messages and peer-to-peer file sharing networks.
The following is an example of the SATANA Ransomware's ransom note, displayed after the victim's computer was rebooted:
You had bad luck. There was crypting of all your files in a FS bootkit virus
To decrypt you need send on this E-mail: banetnatia@mail.com your private code: 14B4030A8A7F8B8D7B1101720567C27E and pay on a Bitcoin Wallet: XjU81vkJn4kExpBE2r92tcA3zXVdbfux6T total 0,5 btc After that during 1 - 2 days the software will be sent to you - decryptor - and the necessary instructions. All changes in hardware configurations of your computer can make the decryption of your files absolutely impossible! Decryption of your files is possible only on your PC! Recovery is possible during 7 days, after which the program - decryptor - can not ask for the necessary signature from a public certificate server. Please contact via e-mail, which you can find as yet in the form of a text document in a folder with encrypted files, as well as in the name of all encrypted files.If you do not appreciate your files we recommend you format all your disks and reinstall the system. Read carefully this warning as it is no longer able to see at startup of the computer. We remind once again- it is all serious! Do not touch the configuration of your computer!
E-mail: banetnatia@mail.com - this is our mail
CODE: 14B4030A8A7F8B8D7B1101720567C27E this is code; you must send
BTC: XjU81vkJn4kExpBE2r92tcA3zXVdbfux6T here need to pay 0,5 bitcoins
How to pay on the Bitcoin wallet you can easily find on the Internet. Enter your unlock code, obtained by E-mail here and press "ENTER" to
continue the normal download on your computer. Good luck! May God help you!
The threatening tone of the ransom note is not an empty one; this is certainly a threat to be afraid of. Keeping a backup copy of all files and using a reliable security program are the best methods to prevent these attacks from being devastating.