A new ransomware called Satana was discovered by Malwarebyte​s security researcher S!Ri that packs a 2 in one punch. When installed, the Satana Ransomware will encrypt your files using a standard file crypter and then also install a bootlocker to prevent you from logging into Windows.  This bootlocker will display immediately before Windows starts and require a password before it will allow a victim to start Windows. The Satana Ransomware requires .5 bitcoins in order to get the decryption key.

Santana Bootlocker
Satana Bootlocker

When the Satana Ransomware is first installed it will scan all local drives and unmapped network shares for certain file types and encrypt then. The targeted file types are:

.bak, .doc, .jpg, .jpe, .txt, .tex, .dbf, .db, .xls, .cry, .xml, .vsd, .pdf, .csv, .bmp, .tif, .1cd, .tax, .gif, .gbr, .png, .mdb, .mdf, .sdf, .dwg, .dxf, .dgn, .stl, .gho, .v2i, .3ds, .ma, .ppt, .acc, .vpd, .odt, .ods, .rar, .zip, .7z, .cpp, .pas, .asm, 

When encrypting the files, it will append an email address and then three underscores to the filename. For example, test.jpg could become Sarah_G@ausi.com___test.jpg. The inserted email address is the one that a victim must contact after making payment in order to retrieve the decryption key. The email addresses that I have seen associated with this ransomware are:

Gricakova@techemail.com
ryanqw31@gmail.com
Sarah_G@ausi.com
rayankirr@gmail.com
matusik11@techemail.com
megrela777@gmail.com

At the same time, the ransomware will also install a bootlocker so that a user is unable to start Windows.  According to hasherezade, fixing the MBR will allow the victim to boot back into Windows again. Unfortunately, this still leaves the files encrypted.

Finally, the ransomware will create a ransom note called .txt on the desktop that contains instructions on how to pay the ransom. These instructions are the same that are shown in the bootlocker screen.

.txt Ransom Note

Unfortunately, at this time there is no way to decrypt Satana encrypted files for free. If anything is discovered, we will be sure to post about it. In the meantime, if you are interested in learning more about this infection you can read Malwarebytes article or use our .