This is an advisory on DBGer Ransomware; a New Variant of Satan Ransomware, which attacks and encrypts the victim’s host and requests a bitcoin payment.
A new variant of Satan Ransomware was identified as DBGer. It works by dropping Mimikatz, dumping passwords for networked computers. The obtained credentials are then used to access and infect those devices. The malware also drops several EternalBlue files in the victim’s host. EternalBlue is used to scan the local network for computers with outdated SMB services and infects them.
The Satan ransomware also uses other exploits to propagate through networks. The DBGer exploits include:
Satan Ransomware was first discovered by security researchers in January 2017 as a Ransomware-as-a-Service (RaaS), which is now rebranded to the name DBGer Ransomware, as discovered by the MalwareHunter, whose Modus Operandi has also been changed. The new variant DBGer also uses the EternalBlue exploit and incorporates Mimikatz, an open-source password-dumping utility.
Satan Ransomware was identified as using the EternalBlue exploit to spread across compromised environments. This is the same exploit associated with a previous WannaCry Ransomware campaign. In March 2017, Microsoft patched the vulnerability associated with EternalBlue. However, many environments still remain vulnerable to it.
A cyber-attack involving ransomware means that the attacker encrypts the data on the compromised device and then asks for a bitcoin payment as ransom. If the attacked organization does not pay the ransom, the attacker has the monopoly of destroying the data of the compromised device or it may remain encrypted and the user fails to access it.
The sample of the variant observed by MalwareHunter was packed with the MPRESS packer as shown below.
Sts.exe initiates the process of spreading across the network by scanning all the systems within the same network segment. Through the following command line, systems vulnerable to SMB EternalBlue exploit will execute the previously dropped library down64.dll.
The down64.dll attempts to load code in the target’s memory, and then downloads sts.exe, using the legitimate Microsoft certutil.exe tool. This is a known download technique described as Remote File Copy – T1105 in Mitre ATT&CK.After infecting other systems in the same network, the sample finally drops Satan Ransomware into C:\Satan.exe file. This executable is also packed with MPRESS as the original sample.
Executing Satan.exe starts the ransomware attack, which first stops the following processes:
The ransomware then proceeds to encrypt the data on the compromised device. After encryption, Satan.exe creates a note in C:\_How_to_decrypt_files.txt with instructions, and then executes notepad to open the note.
The note contains the instructions to decrypt the system and a contact email address: satan_pro@mail[.]ru, requesting a Bitcoin payment as seen below in a sample of the note:
If you think you are a victim of a cyber-security attack. Immediately send an email to email@example.com for a rapid response.