
Satan Ransomware Help & Support Topic: .STN extension & HELP_DECRYPT_FILES.html


7 replies to this topic

#1 Grinler

    Lawrence Abrams

Posted 19 January 2017 - 02:48 PM

A new Ransomware as a Service, or RaaS, called Satan Ransomware has been discovered. This ransomware will encrypt a victim's data, scramble the encrypted file's name, and then append the .STN extension to the file name.

For example, a file called test.jpg may be encrypted as aswm.stn.

When it has finished encrypting a computer, it will display a ransom note named HELP_DECRYPT_FILES.html, which is displayed below. Unfortunately, there is no way to decrypt this ransomware at this time.

ransom-note.png
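
Added example, not part of the original post: a triage sketch that walks a folder tree and reports, per directory, the two indicators named above (the .STN extension, matched case-insensitively, and the HELP_DECRYPT_FILES.html note), plus the oldest modification time among the encrypted files as a rough estimate of when encryption started. The function names and the sample tree are constructed for illustration.

```python
import os
import tempfile
from collections import defaultdict
from datetime import datetime, timezone

ENCRYPTED_EXT = ".stn"                   # extension named in the post (any case)
RANSOM_NOTE = "help_decrypt_files.html"  # note name from the post, lowercased

def triage(root):
    """Walk root and summarise the Satan indicators per directory."""
    per_dir = defaultdict(lambda: {"encrypted": 0, "other": 0, "note": False})
    earliest = None  # oldest mtime among .stn files: rough start of encryption
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            entry = per_dir[dirpath]
            if lower == RANSOM_NOTE:
                entry["note"] = True
            elif lower.endswith(ENCRYPTED_EXT):
                entry["encrypted"] += 1
                try:
                    mtime = os.stat(os.path.join(dirpath, name)).st_mtime
                except OSError:
                    continue  # unreadable file: counted, but no timestamp
                if earliest is None or mtime < earliest:
                    earliest = mtime
            else:
                entry["other"] += 1  # files that still look untouched
    hits = {d: e for d, e in per_dir.items() if e["encrypted"] or e["note"]}
    return hits, earliest

def build_sample_tree(root):
    """Constructed sample data: one affected folder, one clean folder."""
    for rel in ("docs/aswm.stn", "docs/QRTB.STN", "docs/HELP_DECRYPT_FILES.html",
                "docs/readme.txt", "clean/test.jpg"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        hits, earliest = triage(tmp)
        for d, e in sorted(hits.items()):
            print(d, e)
        print("earliest .stn mtime:", datetime.fromtimestamp(earliest, timezone.utc))
```

Run it read-only against a mounted copy or image of the affected disk so that file timestamps on the original are not altered.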




#2 joe_b


Posted 31 January 2017 - 10:10 AM

One of my clients was hit with this last week - local and network files were encrypted with .stn extensions.  Network files were restored but local files they have are still encrypted. Sucks.

 

Hopefully researchers are able to get a hold of the private keys in order for a decryption tool to be made.



#3 joe_b


Posted 02 February 2017 - 04:48 PM

If anyone is researching this, I can provide several stn samples along with their un-encrypted version



#4 whyder


Posted 25 February 2017 - 03:02 PM

A (new) client contacted and they'd been hit with this with no backups. They had no choice but to pay the ransom. Bad news, they still won't decrypt the files.

If you get hit with this don't pay them, if you do they're still not going to give you the files back.



#5 quietman7


Posted 25 February 2017 - 04:43 PM

Most security experts will advise against paying the ransom demands of the malware writers because doing so only helps to finance their criminal enterprise and keep them in business. One of the reasons that folks get infected is because someone before them paid the bad guys to decrypt their data. The more people that pay the ransom, the more cyber-criminals are encouraged to keep creating ransomware for financial gain. Further, there is no guarantee that paying the ransom will actually result in the restoration (decryption) of your files.

Grinler (aka Lawrence Abrams), the site owner of Bleeping Computer has said this...

...Though the loss of your data and computer can be devastating, sending the ransom could be even more so. Depending on how the criminals want you to pay the ransom could put you at risk for Identity Theft as the information you send may contain personal information. Therefore, we suggest that you never pay a ransom unless it is absolutely necessary for data recovery...Last, but not least, it is important to remember that paying the ransom only continues to fuel the release of new variants of these types of programs.

Some ransomware victims have reported they paid the ransom and were successful in decrypting their data. Some victims reported they paid the ransom but the cyber-criminals did not provide a decryptor or a key to decrypt the files, while others reported the key and decryption software they received did not work or resulted in errors. Still others have reported paying the ransom only to discover the criminals wanted more money or threatened to expose data unless additional payment was made. Most cyber-criminals provide instructions in the ransom note that allow their victims to submit one or two limited size files for free decryption as proof they can decrypt the files. However, decryption in bulk may not always work properly or work at all. In some cases victims may actually be dealing with scam ransomware where the malware writers have no intention or capability of decrypting files after the ransom is paid.

Keep all this in mind if you are considering paying the ransom since there is never a guarantee decryption will be successful or that the decrypter provided by the cyber-criminals will work as they claim...and using a faulty or incorrect decryptor may damage or corrupt the files even further. The criminals may even send you something containing more malware...so why should you trust anything provided by those who infected you in the first place.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#6 j_scott


Posted 26 February 2017 - 06:17 PM

One of my clients was hit with satan last week, they had their backups deleted. They paid the ransom and were able to get their files back. Here's the private key and decrypter used: https://fhoqzxgahij5dl2u.onion.to/CtA9Ogm8



#7 whyder


Posted 27 February 2017 - 01:51 PM

I'm always against paying the ransom. In this case though the client's last backup was 2014 and they lost everything. There was no choice.

 

The decryptor they provide doesn't work. The client is probably closing their business as a result.  There was no real choice but to try in this case. Just want to put the warning out there. Some ransomware when you're stuck if you pay you get your files back. Not this one.

 

 

 

 


 



#8 whyder


Posted 27 February 2017 - 01:53 PM

Thanks

 

I tried that decryptor but again no luck. The private keys are different for each system. A warning to people hit by it that this one is likely not worth paying as you're just losing money as well as files

 

 

 






