{
	"id": "bb4fe47b-256c-4cab-b7c8-a2557e6a34b1",
	"created_at": "2026-04-06T00:12:13.604075Z",
	"updated_at": "2026-04-10T03:21:03.452509Z",
	"deleted_at": null,
	"sha1_hash": "21f04f791f9218a86bcbb6ae30abcee0605b4f02",
	"title": "New Satan Ransomware available through a Ransomware as a Service.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2123051,
	"plain_text": "New Satan Ransomware available through a Ransomware as a Service.\r\nBy Lawrence Abrams\r\nPublished: 2017-01-19 · Archived: 2026-04-05 19:15:55 UTC\r\nA new Ransomware as a Service, or RaaS, called Satan has been discovered by security researcher Xylitol.  This service\r\nallows any wannabe criminal to register an account and create their very own customized version of the Satan Ransomware.\r\nOnce the ransomware is created, it is then up to the criminal to determine how they will distribute the ransomware, while the\r\nRaaS will handle the ransom payments and adding new features. For this service, the RaaS developer takes a 30% cut of any\r\npayments that are made by victims.  According to the advertisement for the Satan RaaS, the developer will reduce their cut\r\ndepending on the volume of payments received by an affiliate.\r\nPromoting on Underground Web Sites\r\nSource: Xylitol\r\nThe Satan RaaS\r\nWhen a person first goes to the Satan RaaS they will be greeted with a home page that describes what the service is and how\r\na criminal can make money with it.\r\nhttps://www.bleepingcomputer.com/news/security/new-satan-ransomware-available-through-a-ransomware-as-a-service-/\r\nPage 1 of 8\n\nSatan RaaS Home Page\r\nOnce a user registers an account and logs in, they will be greeted with an affiliate console that contains various pages that\r\nthey can use to help distribute their ransomware. 
These pages are the Malwares, Droppers, Translate, Account, Notices, and\r\nMessages pages.\r\nThe first page that is shown when someone logs in is the Malwares page, which allows a criminal to configure various\r\nsettings of their very own customized version of the Satan Ransomware. In terms of customization, there are not really many\r\noptions. A user can specify the ransom amount, how much it goes up after a certain number of days, and the number of\r\ndays after which the ransom payment should increase.\r\nSatan RaaS Ransomware Generation Page\r\nThe Droppers page, shown below, provides code that assists the affiliate in creating malicious Microsoft Word macros or\r\nCHM installers. These can then be used by the affiliate to distribute the ransomware via SPAM or other means.\r\nThis is the first time I have seen a public RaaS like this offer tips and help to the affiliates when it comes to distribution\r\nmethods.  This type of hand-holding could allow a curious affiliate to become an active one.\r\nSatan RaaS Droppers Page\r\nThe Translate page allows affiliates to expand the languages used by Satan for the ransom notes. 
\r\nSatan RaaS Translation Page\r\nThe Account page is where the affiliate can see the number of people infected, the amount paid, and other information.\r\nSatan RaaS Account Information Page\r\nFinally, there is a Notices page, which will be used to display messages from the RaaS developer, and a Messages page that\r\ncan be used for \"customer service\" requests.\r\nAs for the Satan Ransomware Itself...\r\nWhen the Satan Ransomware is installed it will check to see if it is running under a virtual machine, and if it is, will\r\nterminate. Once executed it will inject itself into TaskHost.exe and begin to encrypt the data on the computer. It is currently\r\nunknown what encryption algorithm Satan uses, but it will target files with the following extensions:\r\n.incpas, .mp4, .pab, .st6, .sas7bdat, .wmv, .backup, .drf, .ibank, .3ds, .odg, .cer, .tif, .cs, .dotx, .7z, .png, .bak, .\r\nWhen it has encrypted a file, it will scramble its name and append the .stn extension to the file. For example, test.jpg may\r\nbecome ahasd.stn. While encrypting files it will also create a ransom note called HELP_DECRYPT_FILES.html in each\r\nfolder where a file has been encrypted. 
\r\nWhen it has finished encrypting the computer, it will execute the \"C:\\Windows\\System32\\cipher.exe\" /W:C command to\r\nwipe all data from the unused space on the C: Drive.\r\nFinally, it will display the ransom note, which contains a unique victim ID and a URL to a TOR payment site.\r\nSatan Ransomware Ransom Note\r\nWhen a victim clicks on one of the enclosed URLs they will be brought to Satan's payment site where they can get payment\r\ninstructions.\r\nSatan Ransomware Payment Site\r\nUnfortunately, at this time there is no way to decrypt the files for free. For those who wish to discuss this ransomware or\r\nreceive support, you can use our dedicated help topic: Satan Ransomware Help \u0026 Support Topic.\r\nAssociated Satan Ransomware Files:\r\nHELP_DECRYPT_FILES.html\r\nNetwork Communication:\r\nhttps://ejmv6pxsuwqrofa3.onion.to\r\nhttps://satan6dll23napb5.onion.to\r\nhttps://satan6dll23napb5.onion.cab\r\nhttp://satan6dll23napb5.onion.tor2web.org\r\nsatan6dll23napb5.onion\r\nHashes:\r\nSHA256: c04836696d715c544382713eebf468aeff73c15616e1cd8248ca8c4c7e931505\r\nSource: https://www.bleepingcomputer.com/news/security/new-satan-ransomware-available-through-a-ransomware-as-a-service-/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/new-satan-ransomware-available-through-a-ransomware-as-a-service-/"
	],
	"report_names": [
		"new-satan-ransomware-available-through-a-ransomware-as-a-service-"
	],
	"threat_actors": [],
	"ts_created_at": 1775434333,
	"ts_updated_at": 1775791263,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/21f04f791f9218a86bcbb6ae30abcee0605b4f02.pdf",
		"text": "https://archive.orkl.eu/21f04f791f9218a86bcbb6ae30abcee0605b4f02.txt",
		"img": "https://archive.orkl.eu/21f04f791f9218a86bcbb6ae30abcee0605b4f02.jpg"
	}
}