
Satana Help and Support Topic - <!Satana!>.txt ransom Note


10 replies to this topic

#1 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,271 posts

Posted 30 June 2016 - 11:28 AM

A new ransomware has been discovered that encrypts your data and then installs a Bootlocker to prevent you from starting Windows.

bootlocker.png


When a file is encrypted it will prepend an email address that the victim must email to the beginning of each encrypted file.

The known emails associated with this ransomware are:

Gricakova@techemail.com
ryanqw31@gmail.com
Sarah_G@ausi.com
rayankirr@gmail.com
matusik11@techemail.com
megrela777@gmail.com



#2 y0d4

y0d4

  • Members
  • 2 posts

Posted 30 June 2016 - 11:50 AM

Hi, the text at https://blog.malwarebytes.com/threat-analysis/2016/06/satana-ransomware/ says that it encrypts unmapped network shares. How does it do that?

Thanks,



#3 BaronCardinal

BaronCardinal

  • Members
  • 22 posts

Posted 30 June 2016 - 02:24 PM

Fear mongering is a terrible thing. I like how it claims to give you the encryption key in 1-2 days as well. Feels to me like you are never getting your files back from this one by paying anything. (In my opinion)

Out of curiosity, I note that you include emails associated with this; is there a full list of this kind of thing? I was just wondering; it would be helpful to cross-correlate to see if one malware is linked to another.


Edited by BaronCardinal, 30 June 2016 - 02:27 PM.


#4 Allen

Allen

  • Members
  • 337 posts

Posted 30 June 2016 - 04:20 PM

Hi, the text at https://blog.malwarebytes.com/threat-analysis/2016/06/satana-ransomware/ says that it encrypts unmapped network shares. How does it do that?

Thanks,

I'm assuming it scans the subset of IP addresses on your local network and checks to see if it can write to anything it finds (such as network attached storage devices) and if it can, it'll encrypt the contents of whatever it finds.


Edited by Allen, 30 June 2016 - 04:22 PM.

Hey everyone I'm Allen I am a young web developer/designer/programmer I also help people with computer issues including hardware problems, malware/viruses infections and software conflicts. I am a kind and easy to get along with person so if you need help feel free to ask.

#5 graymatteron

graymatteron

  • Members
  • 14 posts

Posted 01 July 2016 - 02:52 PM

Hi, the text at https://blog.malwarebytes.com/threat-analysis/2016/06/satana-ransomware/ says that it encrypts unmapped network shares. How does it do that?

Thanks,

The built-in Windows tool 'net' can be used to easily scan the network and return a list of accessible hosts; you can then use the same tool to scan each host in turn and return a list of share names.

 

For example:

 

C:\>NET VIEW
Server Name            Remark
-------------------------------------------------------------------------------
\\COMPUTER1
\\COMPUTER2
The command completed successfully.

C:\>NET VIEW \\COMPUTER1 /ALL
Shared resources at \\COMPUTER1

Share name  Type  Used as  Comment
-------------------------------------------------------------------------------
ADMIN$      Disk           Remote Admin
C$          Disk           Default share
IPC$        IPC            Remote IPC
The command completed successfully.

 

Any shares that aren't locked down with permissions could easily be accessed.
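
Added example, not part of the original post: a parser that turns the `NET VIEW \\HOST /ALL` output shown above into a share inventory for a permissions audit of your own hosts, listing the disk shares whose ACLs need review. It assumes English-language output; the sample text and the "Accounting Docs", "Backup$" and "Scans" shares are constructed.

```python
import re

# Constructed sample of English-language `net view \\HOST /ALL` output.
# "Accounting Docs", "Backup$" and "Scans" are invented shares for illustration.
SAMPLE = r"""Shared resources at \\COMPUTER1

Share name       Type   Used as  Comment
-------------------------------------------------------------------------------
ADMIN$           Disk            Remote Admin
C$               Disk            Default share
IPC$             IPC             Remote IPC
Accounting Docs  Disk   Z:       Finance team files
Backup$          Disk
Scans            Disk
The command completed successfully.
"""

# Default administrative shares (ADMIN$, C$, D$, ...) are limited to administrators.
DEFAULT_ADMIN = re.compile(r"^(ADMIN|[A-Z])\$$", re.IGNORECASE)

def parse_net_view(text):
    """Return one dict per share, slicing rows at the header's column offsets
    so that share names containing spaces stay intact."""
    lines = text.splitlines()
    header = next((l for l in lines if l.startswith("Share name")), None)
    if header is None:
        return []  # error text, or a host that lists no shares
    starts = [header.index(c) for c in ("Share name", "Type", "Used as", "Comment")]
    bounds = list(zip(starts, starts[1:] + [None]))
    shares = []
    for line in lines[lines.index(header) + 1:]:
        if line.startswith("The command completed"):
            break
        if not line.strip() or set(line.strip()) == {"-"}:
            continue  # blank line or the dashed separator
        name, kind, used_as, comment = (line[a:b].strip() for a, b in bounds)
        shares.append({"name": name, "type": kind,
                       "used_as": used_as, "comment": comment})
    return shares

def shares_to_review(shares):
    """Disk shares other than the default administrative ones. A user-created
    share hidden with a trailing $ (Backup$) is still listed and still counts."""
    return [s["name"] for s in shares
            if s["type"] == "Disk" and not DEFAULT_ADMIN.match(s["name"])]

if __name__ == "__main__":
    for name in shares_to_review(parse_net_view(SAMPLE)):
        print("review share and NTFS permissions:", name)
```

Run from a standard user account, the resulting list is the set of shares that account's processes can reach by name, so each entry is a candidate for tightening share and NTFS permissions.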



#6 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 43,271 posts

Posted 02 July 2016 - 05:00 AM

Hi, the text at https://blog.malwarebytes.com/threat-analysis/2016/06/satana-ransomware/ says that it encrypts unmapped network shares. How does it do that?

Thanks,


Without giving the code away, it's fairly trivial to enumerate the servers on a network and enumerate their shares. Surprised more ransomware do not do it.

#7 y0d4

y0d4

  • Members
  • 2 posts

Posted 02 July 2016 - 09:44 AM

Ah great, I was thinking that they were using some other way.

Well, I suppose that un-mapping network drives and moving the file server to a different subnet will prevent the crypto from encrypting files on the file server?

I will create shortcuts instead of mapping file shares for prevention.



#8 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,251 posts

Posted 02 July 2016 - 11:21 PM

Ah great, I was thinking that they were using some other way.
Well, I suppose that un-mapping network drives and moving the file server to a different subnet will prevent the crypto from encrypting files on the file server?
I will create shortcuts instead of mapping file shares for prevention.


If it is a shortcut a user can follow, software can follow it too, so I wouldn't rely on that too much. The best practice is to limit permissions on what certain users and groups have access to, and have BACKUPS.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#9 Allen

Allen

  • Members
  • 337 posts

Posted 03 July 2016 - 08:19 AM

 

Ah great, I was thinking that they were using some other way.
Well, I suppose that un-mapping network drives and moving the file server to a different subnet will prevent the crypto from encrypting files on the file server?
I will create shortcuts instead of mapping file shares for prevention.


If it is a shortcut a user can follow, software can follow it too, so I wouldn't rely on that too much. The best practice is to limit permissions on what certain users and groups have access to, and have BACKUPS.

 

And keep offline backups ;)



#10 yalcrab

yalcrab

  • Members
  • 2 posts

Posted 05 July 2016 - 10:03 PM

Any clues as to how this ransomware is being delivered?  Email?  Website links?  Other?

 

Thanks.



#11 AntiLockSoft

AntiLockSoft

  • Members
  • 1 posts

Posted 08 August 2016 - 04:39 PM

This was written by me and my friend: the unique decrypting and deactivation software for the very strong bootlocker virus SATANA https://www.google.com/search?q=ransomware.satana
Link to a screenshot of my deactivation software:




