Rewterz Threat Alert – Satan ransomware rebrands as 5ss5c ransomware

Monday, February 17, 2020

Severity

High

Analysis Summary

The cybercrime group behind the Satan, DBGer and Lucky ransomware families, and possibly Iron ransomware, recently introduced a new version or rebranding named “5ss5c”. This version of the ransomware adds the EternalBlue exploit and new functionality.

It will download and leverage:

  • Spreader (EternalBlue and hardcoded credentials)
  • Mimikatz and what appears to be another password dumper/stealer
  • The actual ransomware

Indicators of compromise are given below.

Impact

  • File encryption
  • Credential theft
  • Information theft

Indicators of Compromise

From Email

5ss5c@mail[.]ru

MD5

  • e56b28203a66d88da2c951c9b47fb2c0
  • 8accffa5e7d5b14ee8109a8f99c72661
  • 756b6353239874d64291e399584ac9e5
  • ba008ae920251f962fdc0f80c27dd975
  • dc646bdbe28b453ba190a6356959d028
  • f56025565de4f53f5771d4966c2b5555
  • dfc0966397adcd590a4fba85d16bccf6
  • 0f371453cdab407283e2723b0c99c2f5
  • 680d9c8bb70e38d3727753430c655699
  • 853358339279b590fb1c40c3dc0cdb72
  • 09d45ae26830115fd8d9cdc2aa640ca5
  • 01a9b1f9a9db526a54a64e39a605dd30
  • ca3c0851c7451fc34dc37c2c53e2f70a

SHA-256

  • 47fa9c298b904d66a5eb92c67dee602198259d366ef4f078a8365beefb9fdc95
  • 8e348105cde49cad8bfbe0acca0da67990289e108799c88805023888ead74300
  • ad3c0b153d5b5ba4627daa89cd2adbb18ee5831cb67feeb7394c51ebc1660f41
  • af041f6ac90b07927696bc61e08a31a210e265a997a62cf732f7d3f5c102f1da
  • a46481cdb4a9fc1dbdcccc49c3deadbf18c7b9f274a0eb5fdf73766a03f19a7f
  • ea7caa08e115dbb438e29da46b47f54c62c29697617bae44464a9b63d9bddf18
  • e685aafc201f851a47bc926dd39fb12f4bc920f310200869ce0716c41ad92198
  • 68e644aac112fe3bbf4e87858f58c75426fd5fda93f194482af1721bc47f1cd7
  • ddfd1d60ffea333a1565b0707a7adca601dafdd7ec29c61d622732117416545f
  • ca154fa6ff0d1ebc786b4ea89cefae022e05497d095c2391331f24113aa31e3c
  • cf33a92a05ba3c807447a5f6b7e45577ed53174699241da360876d4f4a2eb2de
  • 9a1365c42f4aca3e9c1c5dcf38b967b73ab56e4af0b4a4380af7e2bf185478bc
  • 23205bf9c36bbd56189e3f430c25db2a27eb089906b173601cd42c66a25829a7

Source IP

  • 58[.]221[.]158[.]90
  • 61[.]186[.]243[.]2

URL

  • http[:]//58[.]221[.]158[.]90[:]88/car/cpt[.]dat
  • http[:]//58[.]221[.]158[.]90[:]88/car/down[.]txt
  • http[:]//58[.]221[.]158[.]90[:]88/car/c[.]dat

Remediation

  • Block the threat indicators at their respective controls.
  • Do not download files attached to untrusted emails.
  • Do not click on URLs in untrusted emails.
  • Maintain backups of all files.
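The indicators above are printed in bracket-defanged form, so before they can be loaded into a proxy blocklist or swept across logs they have to be refanged and normalised. The following Python script is an added example (not Rewterz tooling) that refangs the advisory's IP, URL and hash indicators, sweeps a constructed proxy log for the network indicators, and checks a constructed file inventory against the hash indicators. The log lines, the inventory paths and the dummy hash values are assumptions constructed for the example; only the indicator values come from the advisory.

```python
"""Refang the advisory's defanged IoCs and sweep constructed proxy logs
and a file-hash inventory for them (added example, not Rewterz tooling)."""
import re

# Indicators as printed in the advisory (bracket-defanged).
DEFANGED_IPS = ["58[.]221[.]158[.]90", "61[.]186[.]243[.]2"]
DEFANGED_URLS = [
    "http[:]//58[.]221[.]158[.]90[:]88/car/cpt[.]dat",
    "http[:]//58[.]221[.]158[.]90[:]88/car/down[.]txt",
    "http[:]//58[.]221[.]158[.]90[:]88/car/c[.]dat",
]
# A subset of the advisory's hash indicators is enough to show the sweep.
MD5_HASHES = [
    "e56b28203a66d88da2c951c9b47fb2c0",
    "8accffa5e7d5b14ee8109a8f99c72661",
]
SHA256_HASHES = [
    "47fa9c298b904d66a5eb92c67dee602198259d366ef4f078a8365beefb9fdc95",
    "8e348105cde49cad8bfbe0acca0da67990289e108799c88805023888ead74300",
]


def refang(indicator: str) -> str:
    """Turn bracket-defanged notation (and the common hxxp form) back into a matchable string."""
    return (indicator.replace("[.]", ".")
                     .replace("[:]", ":")
                     .replace("hxxp", "http"))


def build_iocs() -> dict:
    """Normalise all indicators into lower-cased sets keyed by indicator type."""
    return {
        "ip": {refang(i) for i in DEFANGED_IPS},
        "url": {refang(u).lower() for u in DEFANGED_URLS},
        "md5": {h.lower() for h in MD5_HASHES},
        "sha256": {h.lower() for h in SHA256_HASHES},
    }


_IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_URL_RE = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)


def match_line(line: str, iocs: dict) -> list:
    """Return sorted, de-duplicated (type, value) pairs for every indicator seen in one log line."""
    hits = set()
    for url in _URL_RE.findall(line):
        if url.lower() in iocs["url"]:
            hits.add(("url", url.lower()))
    for ip in _IP_RE.findall(line):
        if ip in iocs["ip"]:
            hits.add(("ip", ip))
    return sorted(hits)


def scan_log(lines, iocs: dict) -> list:
    """Return (line_number, hits) for every line that carries at least one indicator."""
    findings = []
    for n, line in enumerate(lines, start=1):
        hits = match_line(line, iocs)
        if hits:
            findings.append((n, hits))
    return findings


def sweep_hashes(inventory: dict, iocs: dict) -> list:
    """inventory maps file path -> (md5, sha256); return the paths whose hash is an indicator."""
    flagged = [path for path, (md5, sha256) in inventory.items()
               if md5.lower() in iocs["md5"] or sha256.lower() in iocs["sha256"]]
    return sorted(flagged)


# Constructed proxy log lines (assumption for the example): two downloads from the
# advisory's staging host, one benign request, and one connection to the second IP.
CONSTRUCTED_PROXY_LOG = [
    '2020-02-17T10:02:11Z src=10.0.0.12 dst=58.221.158.90 dport=88 GET url="http://58.221.158.90:88/car/down.txt" 200',
    '2020-02-17T10:02:15Z src=10.0.0.12 dst=58.221.158.90 dport=88 GET url="http://58.221.158.90:88/car/cpt.dat" 200',
    '2020-02-17T10:03:40Z src=10.0.0.31 dst=192.0.2.10 dport=443 GET url="https://intranet.example/" 200',
    '2020-02-17T10:05:02Z src=10.0.0.45 dst=61.186.243.2 dport=445 CONNECT url="-" 403',
]
# Constructed file inventory: path -> (md5, sha256). Only the first entry carries a
# hash from the advisory; the other values are dummies, not real file hashes.
CONSTRUCTED_INVENTORY = {
    r"C:\Users\Public\c.dat": ("e56b28203a66d88da2c951c9b47fb2c0", "0" * 64),
    r"C:\Windows\notepad.exe": ("f" * 32, "1" * 64),
}

if __name__ == "__main__":
    iocs = build_iocs()
    for n, hits in scan_log(CONSTRUCTED_PROXY_LOG, iocs):
        print(f"log line {n}: {hits}")
    print("flagged files:", sweep_hashes(CONSTRUCTED_INVENTORY, iocs))
```

In a real deployment the inventory hashes would come from `hashlib` over the files on disk and the log lines from the proxy's export; the matching logic stays the same. Note that the URL matching is exact, so a staging path that differs only by file name will not fire; matching on the host and port (the IP indicators) catches the broader pattern, at the cost of more noise if the address is later reassigned.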
