Satan ransomware first appeared in early 2017, and since then threat actors have been constantly improving the malware to infect its victims more effectively and to maximize its profits.
Satan ransomware uses several methods to propagate across both public and private networks. It implements multi-threading to increase the efficiency of the attacks. When propagating across private networks, a sweep is performed to identify all hosts on the victim network. For public networks, the C2 server defines the IPs that should be scanned by the spreader. Once targets are identified, exploit attempts begin by leveraging SSH brute force attacks and numerous web exploits. In the case of the Windows spreader, the EternalBlue exploit and Mimikatz are also used. After attempts are completed, the spreader notifies the C2 server of all executed exploits. The most recent variants of both the Windows and Linux spreaders added exploit payloads for Spring Data, ElasticSearch, and ThinkPHP vulnerabilities.
Indicators of Compromise
IP(s) / Hostname(s)
Malware Hash (MD5/SHA1/SH256)