In early January 2020, a new ransomware named ‘SatanCryptor’ was discovered. After encrypting files, it drops a ransom note named “# SATAN CRYPTOR #.hta” and appends ‘.satan’ as a file extension to the encrypted files. In addition, SatanCryptor deletes its own executable after execution to cover its tracks.
Figure 1: Screenshot of the ransom note
Figure 2: Screenshot of the list of encrypted files by SatanCryptor and dropped ransom note.
This post serves to inform our customers about detection and protection capabilities within the Carbon Black suite of products against SatanCryptor Ransomware.
Behavioral Summary
The following are the process chart and event log for SatanCryptor, as displayed in CB Threat Hunter.
Figure 3: Process chart of SatanCryptor (the cmd command was executed to delete the SatanCryptor executable).
Figure 4: Part of the event logs from SatanCryptor.
In addition, CB Defense displays the overall set of TTPs triggered by the malware.
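The behaviours shown in the process chart and event log above (ransom note drop, '.satan' extension, IP lookup, cmd-based self-deletion) can be turned into a simple detection rule. The following is an added example, not Carbon Black's or the original post's code: it runs over constructed EDR-style events, and the file paths, PIDs and the exact "del" command line are assumptions; only the indicators come from the write-up.

```python
import re
from collections import Counter

# Indicators taken from the write-up above.
RANSOM_NOTE = "# SATAN CRYPTOR #.hta"
ENCRYPTED_EXT = ".satan"
IP_CHECK_DOMAIN = "extreme-ip-lookup.com"

# Constructed sample events (not real telemetry); paths, PIDs and the "del" command line are assumed.
SAMPLE_EVENTS = [
    {"type": "proc", "pid": 4100, "ppid": 900, "image": r"C:\Users\bob\Downloads\invoice.exe",
     "cmdline": "invoice.exe"},
    {"type": "net", "pid": 4100, "domain": "extreme-ip-lookup.com"},
    {"type": "file", "pid": 4100, "path": r"C:\Users\bob\Documents\report.docx.satan"},
    {"type": "file", "pid": 4100, "path": r"C:\Users\bob\Documents\budget.xlsx.satan"},
    {"type": "file", "pid": 4100, "path": r"C:\Users\bob\Pictures\photo.jpg.satan"},
    {"type": "file", "pid": 4100, "path": r"C:\Users\bob\Documents\# SATAN CRYPTOR #.hta"},
    {"type": "proc", "pid": 4200, "ppid": 4100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c del "C:\Users\bob\Downloads\invoice.exe"'},
    # Benign noise: explorer spawning cmd to delete an unrelated log file (must not fire).
    {"type": "proc", "pid": 5000, "ppid": 900, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "proc", "pid": 5001, "ppid": 5000, "image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd.exe /c del C:\Temp\old.log"},
]

def analyse(events, rename_threshold=3):
    """Return {pid: [indicators]} for processes showing SatanCryptor-like behaviour."""
    image_by_pid, satan_writes, hits = {}, Counter(), {}

    def flag(pid, name):
        if name not in hits.setdefault(pid, []):
            hits[pid].append(name)

    for ev in events:
        if ev["type"] == "proc":
            image_by_pid[ev["pid"]] = ev["image"]
            parent = image_by_pid.get(ev["ppid"], "")
            # cmd.exe child whose "del" command names the parent's own executable
            if (ev["image"].lower().endswith("cmd.exe")
                    and re.search(r"\bdel\b", ev["cmdline"], re.I)
                    and parent and parent.lower() in ev["cmdline"].lower()):
                flag(ev["ppid"], "self_delete_via_cmd")
        elif ev["type"] == "file":
            if ev["path"].rsplit("\\", 1)[-1] == RANSOM_NOTE:
                flag(ev["pid"], "ransom_note_dropped")
            elif ev["path"].lower().endswith(ENCRYPTED_EXT):
                satan_writes[ev["pid"]] += 1
                if satan_writes[ev["pid"]] >= rename_threshold:  # burst of .satan files
                    flag(ev["pid"], "mass_write_of_.satan_files")
        elif ev["type"] == "net" and ev["domain"].lower() == IP_CHECK_DOMAIN:
            flag(ev["pid"], "ip_lookup_domain")
    return hits
```

Only the ransomware process (PID 4100) is reported; the explorer-spawned cmd.exe is ignored because its "del" target is not its parent's image.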
To learn more about how to defend against this attack, click here.
Remediation:
MITRE ATT&CK TIDs
| TID | Tactic | Technique |
|---|---|---|
| T1045 | Defense Evasion | Software Packing |
| T1027 | Defense Evasion | Obfuscated Files or Information |
| T1143 | Defense Evasion | Hidden Window |
| T1083 | Discovery | File and Directory Discovery |
| T1071 | Command and Control | Standard Application Layer Protocol |
| T1036 | Defense Evasion | Masquerading |
| T1082 | Discovery | System Information Discovery |
| T1497 | Defense Evasion, Discovery | Virtualization/Sandbox Evasion |
| T1119 | Collection | Automated Collection |
| T1081 | Credential Access | Credentials in Files |
| T1005 | Collection | Data from Local System |
| T1486 | Impact | Data Encrypted for Impact |
Indicators of Compromise (IOCs)
| Indicator | Type | Context |
|---|---|---|
| dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876 | SHA256 | SatanCryptor Ransomware |
| 057aad993a3ef50f6b3ca2db37cb928a | MD5 | SatanCryptor Ransomware |
| extreme-ip-lookup.com | Domain | Domain used by the ransomware to check its public IP |