Bart Blaze: Cybercrime relaunches Satan ransomware, turning it into 5ss5c
Cybercrime relaunches Satan ransomware, turning it into 5ss5c, according to findings by cyber security researcher Bart Blaze. According to the expert, the malware has been in development since November 2019 and shares characteristics with its predecessor: like Satan, it is delivered by a downloader and uses the EternalBlue exploit to spread. It also uses Enigma Virtual Box to package an additional component called “poc.exe”, which executes a command line very similar to Satan's. The two malicious codes furthermore share the use of hard-coded credentials to connect to an SQL database, and both skip certain specific files and folders and encrypt only files with the following extensions: 7z, bak, cer, csv, db, dbf, dmp, docx, eps, ldf, mdb, mdf, myd, myi, now, pdf, pem, pfx, ppt, pptx, psd, rar, rtf, sql, tar, txt, vdi, vmdk, vmx, xls, xlsx, zip.
Cyber Security Researchers: The malware, despite having already hit several victims, is still under development and could expand its list of targets and spread further
According to cyber security experts, the cybercrime group behind 5ss5c is therefore the same one that spread the Satan, DBGer and Lucky ransomware (and maybe even Iron). In addition, although the malware has already affected several victims in various countries, it appears to be still under development. Interestingly, the ransom note does not contain a Bitcoin address. Additionally, the note contains instructions only in Chinese, not in Korean or English as in previous iterations. Is 5ss5c ransomware more targeted, or is it just being actively tested by the group/developers behind it? The cybercriminals are probably attempting to expand the target list and spread the malicious code. As a result, there is a risk that, in addition to the countries targeted in the recent period, other nations will be targeted in the future.