{"id":85822,"date":"2018-02-19T22:35:19","date_gmt":"2018-02-19T17:05:19","guid":{"rendered":"https:\/\/blogs_admin.quickheal.com\/?p=85822"},"modified":"2018-02-19T22:35:19","modified_gmt":"2018-02-19T17:05:19","slug":"new-saturn-ransomware-offers-ransomware-service","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/new-saturn-ransomware-offers-ransomware-service\/","title":{"rendered":"New Saturn Ransomware offers ransomware-as-a-service"},"content":{"rendered":"

Quick Heal Security Labs has come across a new ransomware called \u2018Saturn\u2019 currently doing the rounds which upon encryption appends \u201c. Saturn\u201d extension to the encrypted files.<\/p>\n

\u00a0<\/strong>Behaviour of Saturn Ransomware<\/strong><\/p>\n

Upon arrival on the host machine, Saturn ransomware checks whether it is a virtual environment or has any debuggers. If these checks are satisfied, it will not execute. It also checks whether the current system user is an administrator or not.<\/p>\n

\"\"<\/p>\n

\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Fig 1. Snippet showing anti-debugger check.<\/p>\n

After successful execution, Saturn fires the below command to disable Windows repair and backup<\/strong> option using Vssadmin.exe. Vssadmin.exe is used to create and manage shadow volume copies on the drive.<\/p>\n

    \n
  1. “C:\\Windows\\System32\\cmd.exe” \/C vssadmin.exe delete shadows \/all \/quiet & wmic.exe shadowcopy delete & bcdedit \/set {default} bootstatuspolicy ignoreallfailures & bcdedit \/set {default} recoveryenabled no & wbadmin delete catalog\u201d<\/li>\n
  2. \u201cC:\\Windows\\system32\\vssadmin.exe, vssadmin.exe delete shadows \/all \/quiet \u201c<\/li>\n<\/ol>\n

    After executing the above commands, Saturn starts its encryption activity. Our analysis says that ransomware basically encrypts Non-PE files and below are the extensions which it successfully encrypted while generating the scenario.<\/p>\n

    \u2018txt,pptx, ppt, csv, docm,wpd, wps, text, dif, xls, doc, xlsx, xlsm, docx, rtf, xml,pdf, cdr, 1cd, sqlite, wav, mp3,mid, mpa, obj, max, 3dm, 3ds, dbf, accdb, sql, pdb, mdb, wsf, apk, com, gadget, torrent, jpg, jpeg, tiff, tif, png, bmp, mp4, mov, gif, avi, wmv,ico, zip, rar, tar, backup, bak, json, php, cpp, asm, bat, vbs, class, java, jar, asp, lib,crt,pl, pem, vmx, vmdk, vdi, vbox,dat,cfg, config\u2019.<\/p>\n

    Saturn drops infection marker files and encrypted files has the following pattern.<\/p>\n

    \"\"<\/p>\n

    \u00a0 Fig.2<\/p>\n

    From the dropped infection marker files,\u2019.html,.txt and.BMP\u2019 have the ransom note whereas \u2018.vbs\u2019 has the voice notification alert.<\/p>\n

    Saturn drops the following ransom notes<\/strong><\/p>\n

    \"\"<\/p>\n

    \u00a0 \u00a0Fig 3<\/p>\n

    \"\"<\/p>\n

    \u00a0 \u00a0 \u00a0 \u00a0 Fig 4<\/p>\n

    \"\"<\/p>\n

    \u00a0 \u00a0 \u00a0 \u00a0 \u00a0Fig 5<\/p>\n

    In order to pay the ransom, the user needs to visit the website \u201chttps:\/\/su34pwhpcafeiztt.onion\u201d using a Tor network where it asks for a decryption key and a captcha.<\/p>\n

    \"\"<\/p>\n

    \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0Fig 6<\/p>\n

    When you log in, it displays the below page which contains the ransom to be paid and the time remaining to pay the ransom. If the ransom is not paid, after a week, the user must pay twice the previous ransom amount.<\/p>\n

    \"\"<\/p>\n

    \u00a0 \u00a0 \u00a0 \u00a0 Fig 7<\/p>\n

    Ransomware-as-a-Service<\/strong><\/p>\n

    Saturn usually spreads through spam emails and malicious advertisements. Recently, it has started its own propagation technique named \u201cRaaS: Ransomware- as-a-service\u201d.<\/p>\n

    In this technique, it lets users create a new Saturn ransomware stub. This stub can be embedded into PE or non-PE files. The propagator of this new ransomware will get 70% of the ransom money and the remaining 30% will be rewarded to the creator.<\/p>\n

    How Quick Heal protects its users from the Saturn ransomware<\/strong><\/p>\n

    Apart from the static detection, Quick Heal\u2019s Behaviour Detection<\/a> and Anti-Ransomware successfully eliminate this threat.<\/p>\n

    \"\"<\/p>\n

    \"\"<\/p>\n

    fig 8\u00a0 Anti Ransomware\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0fig 9\u00a0Behaviour Detection<\/p>\n

     <\/p>\n

    How to stay away from ransomware<\/strong><\/p>\n