# New Satan Ransomware available through a Ransomware as a Service. **[bleepingcomputer.com/news/security/new-satan-ransomware-available-through-a-ransomware-as-a-service-](https://www.bleepingcomputer.com/news/security/new-satan-ransomware-available-through-a-ransomware-as-a-service-/)** By [Lawrence Abrams](https://www.bleepingcomputer.com/author/lawrence-abrams/) January 19, 2017 03:10 PM 5 [A new Ransomware as a Service, or RaaS, called Satan has been discovered by security](https://twitter.com/Xylit0l/status/821757718885236740) [researcher Xylitol. This service allows any wannabe criminal to register an account and](https://twitter.com/Xylit0l) create their very own customized version of the Satan Ransomware. Once the ransomware is created, it is then up to the criminal to determine how they will distribute the ransomware, while the RaaS will handle the ransom payments and adding new features. For this service, the RaaS developer takes a 30% cut of any payments that are made by victims. According to the advertisement for the Satan RaaS, the developer will reduce their cut depending on the volume of payments received by an affiliate. **Promoting on Underground Web Sites** Source: Xylitol ----- ## The Satan RaaS When a person first goes to the Satan RaaS they will be greeted with a home page that describes what the service is and how a criminal can make money with it. **Satan RaaS Home Page** Once a user registers an account and logs in, they will be greeted with an affiliate console that contains various pages that they can use to help distribute their ransomware. These pages are the Malwares, Droppers, Translate, Account, Notices, and Messages pages. The first page that is shown when someone logs in is the Malwares page, which allows a criminal to configure various settings of their very customized version of the Satan Ransomware. In terms of customization, there is not really many options. A user can specify the ransom amount, how much it goes up after a certain amount of the days, and the amount of days that the ransom payment should increase. ----- **Satan RaaS Ransomware Generation Page** The Droppers page, shown below, provides code that assists the affiliate in creating malicious Microsoft Word macros or CHM installers. These can then be used by the affiliate to distribute the ransomware via SPAM or other means. This the first time I have seen a public RaaS like this offer tips and help to the affiliates when it comes to distribution methods. This type of hand holding could allow a curious affiliate to become an active one. ----- **Satan RaaS Droppers Page** The Translate page allows affiliates to expand the languages used by Satan for the ransom notes. ----- **Satan RaaS Translation Page** The Account page is where the affiliate can see the amount of people infected, the amount paid, and other information. ----- **Satan RaaS Account Information Page** Finally there is a Notices page, which will be used to display messages from the RaaS developer, and a Messages page that can be used for "customer service" requests. ## As for the Satan Ransomware Itself... When the Satan Ransomware is installed it will check to see if it is running under a virtual machine, and if it is, will terminate. Once executed it will inject itself into TaskHost.exe and begin to encrypt the data on the computer. It is currently unknown what encryption algorithm Satan uses, but it will target files with the following extensions: ----- ``` .incpas, .mp4, .pab, .st6, .sas7bdat, .wmv, .backup, .drf, .ibank, .3ds, .odg, .cer, .tif, .cs, .dotx, .7z, .png, .bak, .ibz, .db3, .pbl, .3fr, .dxf, .nk2, .bkp, .mdf, .svg, .xlm, .3dm, .pct, .java, .pot, .sxi, .ibd, .sxw, .pspimage, .ppt, .kbx, .ppsm, .ndd, .txt, .pdb, .say, .backupdb, .fla, .swf, .asx, .accdt, .mp3, .ycbcra, .erf, .cr2, .pfx, .potx, .qby, .sqlite, .blend, .class, .pat, .odp, .gray, .qbw, .tib, .thm, .htm, .mos, .rm, .key, .std, .tlg, .lua, .pst, .sqlitedb, .grey, .cdr4, .dc2, .ce1, .ps, .tex, .eml, .xlam, .pages, .st8, .jar, .st7, .potm, .sdf, .db-journal, .pcd, .aspx, .rwl, .kpdx, .fmb, .xlr, .gry, .kc2, .oil, .moneywell, .xlk, .sti, .accdr, .oth, .c, .xml, .nd, .mdb, .pem, .erbsql, .bpw, .ffd, .ost, .pptm, .dwg, .zip, .qbm, .cdx, .des, .dng, .pdd, .cfp, .nyf, .cgm, .sldm, .xla, .odf, .raf, .crw, .mef, .raw, .x11, .nsd, .fff, .design, .dcs, .ptx, .al, .ns2, .bik, .back, .accdb, .nwb, .cpi, .ads, .odt, .sqlite3, .docm, .drw, .pl, .nx2, .fpx, .rdb, .otp, .msg, .accde, .agdl, .php, .csv, .py, .rtf, .ach, .sda, .ddd, .asf, .dotm, .cmt, .h, .hbk, .xlsx, .s3db, .tga, .wav, .iif, .dxb, .sql, .db, .sd0, .bgt, .djvu, .jpg, .doc, .craw, .mpg, .sxd, .kdc, .jpeg, .psafe3, .flac, .dtd, .act, .qba, .vob, .cdrw, .eps, .bkf, .mdc, .rar, .mov, .cdf, .m4v, .ab4, .bank, .pps, .cib, .dot, .dgc, .exf, .flv, .xlsb, .ddrw, .adb, .srw, .plc, .csh, .xls, .fxg, .otg, .pas, .xlt, .indd, .rwz, .xltx, .apj, .stw, .xltm, .orf, .ott, .qbb, .max, .cls, .obj, .docx, .dcr, .cdr3, .qbx, .pdf, .nef, .ots, .srt, .ddoc, .rat, .phtml, .m, .dbx, .nxl, .avi, .p12, .awg, .dbf, .ns3, .mmw, .prf, .wallet, .rw2, .jin, .odc, .qbr, .ppsx, .ns4, .wpd, .wps, .nsh, .dxg, .fhd, .dac, .wb2, .nrw, .odb, .ait, .jpe, .odm, .sldx, .fdb, .acr, .war, .oab, .sxc, .cpp, .r3d, .hpp, .asm, .st5, .stx, .xis, .dds, .xlsm, .p7c, .cdr5, .3g2, .mrw, .sr2, .html, .cdr, .idx, .st4, .bdb, .kdbx, .nsg, .der, .ods, .myd, .nop, .ppam, .pptx, .yuv, .xlw, .mfw, .nsf, .csl, .php5, .p7b, .crt, .asp, .srf, .jsp, .cdr6, .sxm, .iiq, .3gp, .ce2, .arw, .bay, .ai, .sxg, .psd, .3pr, .fh, .pef, .x3f, .sik, .bpp, .vmdk, .spi, .bup, .cvt, .bb, .fkc, .tjl, .dbk, .swp, .fb, .vib, .dtb, .bke, .old, .bkc, .jou, .rpb, .abk, .sav, .bkn, .tbk, .fbw, .vrb, .spf, .bk, .sbk, .umb, .ac, .vbk, .wbk, .mbk ``` When it has encrypted a file, it will scramble its name and append the .stn extension to the file. For example, test.jpg may become ahasd.stn. While encrypting files it will also create a ransom note called HELP_DECRYPT_FILES.html in each folder that a file has been encrypted. When it has finished encrypting the computer, it will execute the **C:\Windows\System32\cipher.exe" /W:C command to wipe all data from the unused** space on the C: Drive. Finally it will display the ransom note, which contains a unique victim ID and a URL to a TOR payment site. ----- **Satan Ransomware Ransom Note** When a victim clicks on one of the enclosed URLs they will be brought to Satan's payment site where they can get payment instructions. **Satan Ransomware Payment Site** ----- Unfortunately, at this time there is no way to decrypt the files for free. For those who wish to discuss this ransomware or receive support, you can use our dedicated help topic: Satan Ransomware Help & Support Topic. ### Associated Satan Ransomware Files: ``` HELP_DECRYPT_FILES.html Network Communication: https://ejmv6pxsuwqrofa3.onion.to https://satan6dll23napb5.onion.to https://satan6dll23napb5.onion.cab http://satan6dll23napb5.onion.tor2web.org satan6dll23napb5.onion Hashes: SHA256: c04836696d715c544382713eebf468aeff73c15616e1cd8248ca8c4c7e931505 Related Articles: ``` [Indian airline SpiceJet's flights impacted by ransomware attack](https://www.bleepingcomputer.com/news/security/indian-airline-spicejets-flights-impacted-by-ransomware-attack/) [US Senate: Govt’s ransomware fight hindered by limited reporting](https://www.bleepingcomputer.com/news/security/us-senate-govt-s-ransomware-fight-hindered-by-limited-reporting/) [New RansomHouse group sets up extortion market, adds first victims](https://www.bleepingcomputer.com/news/security/new-ransomhouse-group-sets-up-extortion-market-adds-first-victims/) [Ransomware attack exposes data of 500,000 Chicago students](https://www.bleepingcomputer.com/news/security/ransomware-attack-exposes-data-of-500-000-chicago-students/) [The Week in Ransomware - May 20th 2022 - Another one bites the dust](https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-may-20th-2022-another-one-bites-the-dust/) [RaaS](https://www.bleepingcomputer.com/tag/raas/) [Ransomware](https://www.bleepingcomputer.com/tag/ransomware/) [Satan](https://www.bleepingcomputer.com/tag/satan/) [Lawrence Abrams](https://www.bleepingcomputer.com/author/lawrence-abrams/) Lawrence Abrams is the owner and Editor in Chief of BleepingComputer.com. Lawrence's area of expertise includes Windows, malware removal, and computer forensics. Lawrence Abrams is a co-author of the Winternals Defragmentation, Recovery, and Administration Field Guide and the technical editor for Rootkits for Dummies. [Previous Article](https://www.bleepingcomputer.com/news/security/someones-assembling-ragebot-botnet-using-self-propagating-windows-worm/) [Next Article](https://www.bleepingcomputer.com/news/microsoft/windows-10-insider-build-15014-can-auto-delete-temp-and-old-recycle-bin-files/) ### Comments ----- [MihailProg - 5 years ago](https://www.bleepingcomputer.com/forums/u/1035311/mihailprog/) Looks cool, it's well made and it's a good idea. I hope this works out for them and they make a lot of money. [Almarma - 5 years ago](https://www.bleepingcomputer.com/forums/u/983190/almarma/) "Looks cool, it's well made and it's a good idea. I hope this works out for them and they make a lot of money." You must be kidding, right? Even more ransomware? No, thanks. And I wish you become a victim yourself, so we can see if you find it that funny afterwards ¬¬ [mikeloeven - 5 years ago](https://www.bleepingcomputer.com/forums/u/671459/mikeloeven/) Its really sad that ransomware has become such an effective tool for criminals considering that its super easy to defeat. all you need is an external hot swap bay and a schedule to rotate out your backup drives so you always have a up to date copy of your drive images offline heck even the most computer illiterate person can subscribe to and configure cloud storage through most commercially available backup software. ----- [whyder - 5 years ago](https://www.bleepingcomputer.com/forums/u/1042183/whyder/) We got hit and paid the ransom. The decrypter does nothing. Doesn't decrypt anything. Do not pay [BitCoinMember - 4 years ago](https://www.bleepingcomputer.com/forums/u/1069622/bitcoinmember/) Kann ich BItte einen Decrypter für die *stn Dateien bekommen. Bräuchte dringend Hilfe [Post a Comment Community Rules](https://www.bleepingcomputer.com/posting-guidelines/) You need to login in order to post a comment [Not a member yet? Register Now](https://www.bleepingcomputer.com/forums/index.php?app=core&module=global§ion=register) ### You may also like: -----