Satan's IT Ransom Note

If you are keeping up–to-date with the latest on ransomware attacks making the news these days, you may be aware of a newly discovered insidious piece of malware called Satana. Satana appears to be an offshoot, or third cousin, of another ransomware Trojan named Petya, that has kept IT security professionals on their toes in their ongoing battle to stay one-step ahead of the cyber criminal.

Here is what makes Satana more difficult to deal with than the older Petya: In order to do its evil deeds, Petya needed help from a second Trojan called Mischa, which then attacked the computer’s master file table and encrypted files that it was able to access through that table. Satana is much more self-sufficient and is perfectly capable of encrypting files on your computer without any help. More than that, instead of attacking the master file table, it attacks the Windows Master Boot Record, which not only corrupts rebooting, but also inserts code directly into the booting process. Users have no way of knowing that by simply rebooting their devices, they are unleashing this malware throughout their computers, infecting the devices and encrypting file after file.

The first clue comes as a ransom demand that starts:

“You had bad luck.” It then goes on to let you know that your files have been encrypted and that to free up these files you have to send them an email, with your personal code, that they so thoughtfully provide. Of course, the instructions continue on, explaining that you will also have to pay the “ransom” of one half a bitcoin ($340). And all this appears on your screen in bright red text on a jet-black background. The whole thing looks like pure evil, which, of course, it is. Some very smart people spent a lot of time and effort figuring out how to steal your money.

The amount of the ransom can vary greatly. This is very smart. The amounts they charge (steal) are usually small enough that it makes more sense for you to pay the ransom than try and fight them. A larger company may be asked for several thousand dollars while a small one, as in this instance, just a few hundred. Smart and effective.

On the other hand, while the $340 (or more) may not concern you that much, there may be considerable downtime that can have a very adverse effect on your business.

Kaspersky Lab, a consumer-oriented developer of anti-virus, anti-spyware, anti-spam and personal firewall products with more than 400,000,000 customers world-wide, has called Satana the “ransomware from hell.”

As for “good news”, Satana is still new and not yet widespread, and weaknesses and errors in its code have been discovered, so IT security researchers and managed IT service providers are working on methodology to severely limit its effects. It is still unknown how the virus will morph and what long-range problems it may cause.

The good news, for the time being, is that Satana is currently in its infancy stages; it is not widespread, and researchers have uncovered errors and weaknesses in its code. On the flip side, it appears that Satana is positioned to evolve over time, and with its comprehensive method of attack, it has the potential to become the next major threat in the ransomware world.

As always, follow the basic rules of cyber security:

·    Make sure your data is backed up regularly

·    Do not open email attachments unless you know who they are from

·    Have your IT service provider install both Crypto-Prevent and Crypto-Containment software. Crypto-Prevent keeps known viruses out. Crypto-Containment is a newer development. If a system does become infected, Crypto-Containment identifies it quickly and immediately locks down the infected files, preventing further spread of the infection. These files can then be deleted and replaced from the backup.

DynaSis is a managed IT service provider, serving the small to mid-sized business community for a quarter century. We have been at the forefront of cyber-security for many years and have been instrumental is developing methodology for fighting all forms of malware that is now used across the country.