Crooks are working on a new brand of ransomware that messes with your master boot record (MBR), just likedid last March.
Called Satana (“Satan” in a few Romance languages), this ransomware is a mix between classic ransomware and Petya.
Satana works by encrypting your files using the same methods other ransomware families use. For each encrypted file, Satana prepends the crook’s email address to each file like so: “firstname.lastname@example.org____filename.extension”
Satana then encrypts the MBR and replaces with its own. The first time when a user reboots his computer, Satana’s MBR boot code will load and the computer won’t start, showing Satana’s ransom note.
Paying the ransom won’t always help
Security researcher hasherezade fromsays it may be possible to recover the original MBR, but this won’t necessarily retrieve the rest of the encrypted files. Recovering MBR records via Windows’ cumbersome command-line interface is something that very few people are able to properly follow through, so even this procedure isn’t 100% sure to help users regain access to their PC.
The encryption algorithm used on the rest of the files is very powerful and can’t be brute-forced, leaving the files locked unless the user decides to pay the ransom, something which hasherezade doesn’t advise.
“[E]ven victims who pay may not get their files back if they (or the C&C) went offline when encryption happened,” she writes.
Satana is a work-in-progress
According to the Malwarebytes analyst, the ransomware looks like a work-in-progress, as its developers are still tinkering with its code, which also contains a lot of bugs, so this might not be the last time when we hear about Satana.
After Petya appeared in March, a month later, security researchers foundlocked with this threat.
A month after that, in May, crooks switched to delivering Petya bundled with a second ransomware, which was a regular ransomware that locked files, while Petya locked the MBR. Satana seems an evolution of this latter idea.