{
	"id": "2992b913-6073-4f7b-9f06-ee171a05e037",
	"created_at": "2026-04-06T00:18:44.30048Z",
	"updated_at": "2026-04-10T13:13:09.447002Z",
	"deleted_at": null,
	"sha1_hash": "11ddae373d5436ff6a0dfcfc7b29d591fbe94fdb",
	"title": "DBGer Ransomware Uses EternalBlue and Mimikatz to Spread Across Networks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1353503,
	"plain_text": "DBGer Ransomware Uses EternalBlue and Mimikatz to Spread Across Networks\r\nBy Catalin Cimpanu\r\nPublished: 2018-06-14 · Archived: 2026-04-05 18:45:03 UTC\r\nThe authors of the Satan ransomware have rebranded their \"product\" and now go by the name DBGer ransomware, according to security researcher MalwareHunter, who spotted the new version earlier today.\r\nThe change is not only in name but also in the ransomware's modus operandi. According to the researcher, whose discovery was later confirmed by an Intezer code similarity analysis, the new (Satan) DBGer ransomware now also incorporates Mimikatz, an open-source tool that extracts plaintext passwords, NTLM hashes and Kerberos tickets from the memory of the Windows LSASS process.\r\nDBGer incorporates Mimikatz for lateral movement inside compromised networks, which fits a recently observed trend in Satan's modus operandi.\r\nhttps://www.bleepingcomputer.com/news/security/dbger-ransomware-uses-eternalblue-and-mimikatz-to-spread-across-networks/\r\nHistory of Satan ransomware\r\nThe Satan ransomware launched in January 2017 as a Ransomware-as-a-Service (RaaS) portal, allowing anyone to register and create custom versions of the Satan ransomware.\r\nThe first versions were unsophisticated, as most new ransomware variants tend to be. For a long time, the Satan crew rented its ransomware to other crooks, who distributed it to victims, mostly via email spam (malspam) campaigns.\r\nWith time, the ransomware gained a reputation and clients on the criminal underground. The group behind the LockCrypt ransomware started as Satan RaaS customers before developing their own strain. 
Further, other ransomware devs took inspiration from the Satan code, such as the Iron ransomware group.\r\nSatan devs learn from the WannaCry outbreak\r\nBut the Satan crew didn't stand idly by either. As the ransomware scene evolved in 2017, they evolved as well.\r\nChanges in the ransomware scene of 2017 included self-spreading mechanisms (seen in the three major ransomware outbreaks of that year) and a move to infecting larger networks instead of home users (because of larger payouts and a higher payout rate).\r\nAround November 2017, the Satan devs started updating the ransomware to fit these trends.\r\nThe first step they took was to incorporate a version of the EternalBlue SMB exploit. After Satan infected a computer, the ransomware would use EternalBlue to scan the local network for hosts exposing SMBv1 that were unpatched against MS17-010 (the SMBv1 flaw EternalBlue exploits) and infect them as well, maximizing an attack's impact.\r\nThis mechanism has been previously analyzed by security researcher Bart Parys in a blog post.\r\nOther ransomware strains that used EternalBlue included WannaCry, NotPetya, and UIWIX, and all used it in a similar way.\r\nSatan ransomware also adds exploits\r\nThis focus on bolstering the lateral movement system continued in 2018, as the ransomware received another update to its lateral movement mechanism at the start of May.\r\nAlienVault researchers noticed that new versions of Satan would also scan local networks and attempt to infect other computers using one of the following exploits/methods:\r\nJBoss CVE-2017-12149 (Java deserialization in the JBoss AS HTTP invoker, triggered by an unauthenticated HTTP request)\r\nWeblogic CVE-2017-10271 (XMLDecoder deserialization in the WLS Security component, also unauthenticated)\r\nTomcat web application brute forcing (credential guessing against Tomcat-hosted web applications)\r\nAll three target application servers that are typically reachable from other hosts inside a network, so patching MS17-010 alone does not close Satan's lateral movement paths; the application servers need patching and strong credentials too.\r\nDBGer adds Mimikatz\r\nThe new (Satan) DBGer ransomware strain continues this focus on lateral movement. 
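The spreading behaviour described in this and the following section (EternalBlue probing of SMB neighbours, exploit attempts against application servers, and replay of dumped credentials) leaves one simple footprint in network and logon telemetry: a single actor reaching many distinct targets in a short time. The detector below is an added example written for this page, not code from the article, from the Satan/DBGer authors or from the researchers cited. The log line format, the constructed sample lines and the port-to-service mapping (445 for SMB, 8080 and 7001 as assumed defaults for Tomcat/JBoss and WebLogic) are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Service ports worth watching for one-to-many fan-out inside a network.
# 445 is SMB (the EternalBlue/MS17-010 path); 8080 and 7001 are assumed
# defaults for Tomcat/JBoss and WebLogic (the exploit and brute-force paths).
WATCHED_PORTS = {'445', '8080', '7001'}

# Constructed sample log (not from the article). Two record kinds:
#   conn  src=<ip> dst=<ip> dport=<port>    one TCP connection attempt
#   logon user=<name> host=<name> type=<n>  Windows logon; type 3 = network
# 10.0.0.15 probes eight neighbours on 445 in four seconds, as an infected
# host does once EternalBlue scanning is added; svc_backup then logs on over
# the network to six servers in under a minute, the footprint of a dumped
# credential being replayed. 10.0.0.20, alice and bob are normal activity.
SAMPLE_LOG = '''
2018-06-14T09:00:01 conn src=10.0.0.15 dst=10.0.0.2 dport=445
2018-06-14T09:00:01 conn src=10.0.0.15 dst=10.0.0.3 dport=445
2018-06-14T09:00:02 conn src=10.0.0.15 dst=10.0.0.4 dport=445
2018-06-14T09:00:02 conn src=10.0.0.15 dst=10.0.0.5 dport=445
2018-06-14T09:00:03 conn src=10.0.0.15 dst=10.0.0.6 dport=445
2018-06-14T09:00:03 conn src=10.0.0.15 dst=10.0.0.7 dport=445
2018-06-14T09:00:04 conn src=10.0.0.15 dst=10.0.0.8 dport=445
2018-06-14T09:00:04 conn src=10.0.0.15 dst=10.0.0.9 dport=445
2018-06-14T09:00:05 conn src=10.0.0.15 dst=10.0.1.5 dport=7001
2018-06-14T09:00:05 conn src=10.0.0.15 dst=10.0.1.6 dport=8080
2018-06-14T09:00:06 conn src=10.0.0.15 dst=10.0.0.99 dport=443
2018-06-14T09:00:10 conn src=10.0.0.20 dst=10.0.0.50 dport=445
2018-06-14T09:00:12 conn src=10.0.0.20 dst=10.0.0.51 dport=445
2018-06-14T09:02:00 logon user=svc_backup host=FS01 type=3
2018-06-14T09:02:05 logon user=alice host=FS01 type=3
2018-06-14T09:02:10 logon user=svc_backup host=FS02 type=3
2018-06-14T09:02:20 logon user=svc_backup host=FS03 type=3
2018-06-14T09:02:30 logon user=svc_backup host=FS04 type=3
2018-06-14T09:02:40 logon user=svc_backup host=FS05 type=3
2018-06-14T09:02:50 logon user=svc_backup host=FS06 type=3
2018-06-14T09:03:00 logon user=bob host=WS07 type=2
'''


def parse_line(line):
    '''Map one log line to (timestamp, actor, target, channel), or None when
    the line is not one of the watched event kinds.'''
    parts = line.split()
    if len(parts) < 2:
        return None
    ts, kind, fields = parts[0], parts[1], parts[2:]
    kv = dict(f.split('=', 1) for f in fields if '=' in f)
    if kind == 'conn' and kv.get('dport') in WATCHED_PORTS:
        return (ts, kv['src'], kv['dst'], 'port' + kv['dport'])
    if kind == 'logon' and kv.get('type') == '3':
        return (ts, kv['user'], kv['host'], 'netlogon')
    return None


def fan_out(events, window_seconds, threshold):
    '''Return {(actor, channel): set(targets)} for every actor that reached at
    least threshold distinct targets on one channel inside a sliding window
    of window_seconds. Events are (iso_timestamp, actor, target, channel).'''
    by_key = defaultdict(list)
    for ts, actor, target, channel in events:
        by_key[(actor, channel)].append((datetime.fromisoformat(ts), target))
    window = timedelta(seconds=window_seconds)
    hits = {}
    for key, rows in by_key.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # advance the window start until every row in it fits the window
            while rows[end][0] - rows[start][0] > window:
                start += 1
            targets = {t for _, t in rows[start:end + 1]}
            if len(targets) >= threshold:
                hits[key] = hits.get(key, set()) | targets
    return hits


def detect(log_text, window_seconds=60, threshold=5):
    '''Parse the log and return the fan-out hits with sorted target lists.'''
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    hits = fan_out(events, window_seconds, threshold)
    return {key: sorted(targets) for key, targets in hits.items()}


if __name__ == '__main__':
    for (actor, channel), targets in detect(SAMPLE_LOG).items():
        print(actor, channel, len(targets), 'targets:', ', '.join(targets))
```

On real data the same fields come from firewall or flow logs and from Windows event 4624 (logon type 3 is a network logon). Thresholds and windows need tuning per environment: backup agents, vulnerability scanners and monitoring accounts fan out legitimately and belong on an allow list rather than in the alert queue.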
The new version spotted today works by dropping Mimikatz, dumping credentials from the infected host's memory, and using those credentials to log on to other computers on the network and infect them as well. Because this path relies on stolen credentials rather than a missing patch, hosts fully patched against MS17-010 are also at risk once one machine holding reusable administrative credentials in memory is compromised.\r\nThe development path taken by the Satan/DBGer crew is what we can expect in the coming months from most ransomware strains.\r\nCybercrime gangs have understood by now that there is more money to be made from coin-mining campaigns than from ransomware. The groups still active on the ransomware scene will need to improve their code to maximize profits, and adding self-spreading and lateral movement mechanisms is the simplest way to do that.\r\nThis is because self-spreading and lateral movement features give a crook the opportunity to infect many machines and receive multiple ransom payments just by fooling one absent-minded employee into opening a booby-trapped file.\r\nIOCs:\r\nSHA256: 1f3509cc11ffa1f7d839df93615cf1ba0819d75cafd5ef59110d9b01fb90addd\r\nModification to file extensions:\r\nimage.png \u003e [dbger@protonmail.com]image.png.dbger\r\nRansom note (_How_to_decrypt_files.txt):\r\nSome files have been encrypted\r\nPlease send ( 1 ) bitcoins to my wallet address\r\nIf you paid, send the machine code to my email\r\nI will give you the key\r\nIf there is no payment within three days,\r\nwe will no longer support decryption\r\nIf you exceed the payment time, your data will be open to the public download\r\nWe support decrypting the test file.\r\nSend three small than 3 MB files to the email address\r\nBTC Wallet : [redacted]\r\nEmail: dbger@protonmail.com\r\nYour HardwareID:
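The three indicators above (the rename pattern, the ransom note name and the sample hash) can be turned directly into a filesystem triage scan. The script below is an added example written for this page, not tooling from the article or from the researchers it cites. The directory it scans and the files in it are constructed; the stand-in payload bytes are hashed only to exercise the hash check, since the real sample is not included, and the indicator values themselves are the ones listed above.

```python
import hashlib
import os
import tempfile

# Indicators from the article's IOC section.
DBGER_SHA256 = {'1f3509cc11ffa1f7d839df93615cf1ba0819d75cafd5ef59110d9b01fb90addd'}
DBGER_PREFIX = '[dbger@protonmail.com]'
DBGER_SUFFIX = '.dbger'
RANSOM_NOTE = '_How_to_decrypt_files.txt'


def original_name(name):
    '''Return the pre-encryption filename if name follows the DBGer rename
    pattern (image.png -> [dbger@protonmail.com]image.png.dbger), else None.'''
    wrapper = len(DBGER_PREFIX) + len(DBGER_SUFFIX)
    if (name.startswith(DBGER_PREFIX) and name.endswith(DBGER_SUFFIX)
            and len(name) > wrapper):
        return name[len(DBGER_PREFIX):-len(DBGER_SUFFIX)]
    return None


def sha256_of(path):
    '''Stream a file through SHA-256 so large files need not fit in memory.'''
    digest = hashlib.sha256()
    with open(path, 'rb') as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b''):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root, known_hashes=DBGER_SHA256):
    '''Walk root and collect three kinds of findings:
    encrypted: (path, original name) for files bearing the DBGer rename pattern
    notes:     dropped ransom notes
    payloads:  files whose SHA-256 is in known_hashes'''
    findings = {'encrypted': [], 'notes': [], 'payloads': []}
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            orig = original_name(name)
            if orig is not None:
                findings['encrypted'].append((path, orig))
            if name == RANSOM_NOTE:
                findings['notes'].append(path)
            if sha256_of(path) in known_hashes:
                findings['payloads'].append(path)
    return findings


def demo():
    '''Build a constructed directory (sample data, not victim files) and scan
    it. A stand-in payload is hashed and its digest added to known_hashes,
    since a real DBGer sample cannot be shipped with this example.'''
    root = tempfile.mkdtemp(prefix='dbger_demo_')
    files = {
        '[dbger@protonmail.com]report.docx.dbger': b'ciphertext placeholder',
        RANSOM_NOTE: b'Some files have been encrypted',
        'unrelated.txt': b'hello',
        'dropper.exe': b'MZ stand-in payload bytes',
    }
    for name, data in files.items():
        with open(os.path.join(root, name), 'wb') as fh:
            fh.write(data)
    stand_in = hashlib.sha256(files['dropper.exe']).hexdigest()
    return scan_tree(root, known_hashes=DBGER_SHA256 | {stand_in})


if __name__ == '__main__':
    for kind, items in demo().items():
        print(kind, items)
```

The rename pattern and note name are the fastest triage signals because they are visible in a directory listing without reading file contents; the hash check catches the dropped binary but, as with any hash IOC, only for that exact build, so treat it as confirmation rather than as the primary detection.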
Source: https://www.bleepingcomputer.com/news/security/dbger-ransomware-uses-eternalblue-and-mimikatz-to-spread-across-networks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/dbger-ransomware-uses-eternalblue-and-mimikatz-to-spread-across-networks/"
	],
	"report_names": [
		"dbger-ransomware-uses-eternalblue-and-mimikatz-to-spread-across-networks"
	],
	"threat_actors": [],
	"ts_created_at": 1775434724,
	"ts_updated_at": 1775826789,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/11ddae373d5436ff6a0dfcfc7b29d591fbe94fdb.pdf",
		"text": "https://archive.orkl.eu/11ddae373d5436ff6a0dfcfc7b29d591fbe94fdb.txt",
		"img": "https://archive.orkl.eu/11ddae373d5436ff6a0dfcfc7b29d591fbe94fdb.jpg"
	}
}