# DBGer Ransomware Uses EternalBlue and Mimikatz to Spread Across Networks **[bleepingcomputer.com/news/security/dbger-ransomware-uses-eternalblue-and-mimikatz-to-spread-across-networks/](https://www.bleepingcomputer.com/news/security/dbger-ransomware-uses-eternalblue-and-mimikatz-to-spread-across-networks/)** Catalin Cimpanu By [Catalin Cimpanu](https://www.bleepingcomputer.com/author/catalin-cimpanu/) June 14, 2018 01:40 PM 0 The authors of the Satan ransomware have rebranded their "product" and they now go by [the name of DBGer ransomware, according to security researcher MalwareHunter, who](https://twitter.com/malwrhunterteam) spotted this new version earlier today. The change was not only in name but also in the ransomware's modus operandi. According to the researcher, whose discovery was later confirmed by an Intezer code similarity [analysis, the new (Satan) DBGer ransomware now also incorporates Mimikatz, an open-](https://github.com/gentilkiwi/mimikatz) source password-dumping utility. The purpose of DBGer incorporating Mimikatz is for lateral movement inside compromised networks. This fits a recently observed trend in Satan's modus operandi. ## History of Satan ransomware [The Satan ransomware launched in January 2017 as a Ransomware-as-a-Service (RaaS)](https://www.bleepingcomputer.com/news/security/new-satan-ransomware-available-through-a-ransomware-as-a-service-/) portal, allowing anyone to register and create custom versions of the Satan ransomware. ----- First versions were unsophisticated, as most new ransomware variants tend to be. For a long time, the Satan crew rented its ransomware to other crooks, who then distributed it to victims, mostly via email spam (malspam) campaigns. With time, the ransomware gained a lot of reputation and clients on the criminal underground. The group behind the LockCrypt ransomware started as Satan RaaS customers before developing their own strain. Further, other ransomware devs took [inspiration from the Satan code, such as the Iron ransomware group.](https://bartblaze.blogspot.com/2018/04/maktub-ransomware-possibly-rebranded-as.html) ## Satan devs learn from the WannaCry outbreak But the Satan crew didn't stand idly either. As the ransomware scene evolved in 2017, they evolved as well. Changes in the ransomware scene of 2017 included self-spreading mechanisms (seen in the three ransomware outbreaks of last year) and a move to infecting larger networks instead of home users (because of larger payouts and payout rate). Around November 2017, Satan devs started their plans of updating the ransomware to better fit these trends. [The first step they took was to incorporate a version of the EternalBlue SMB exploit. The](https://en.wikipedia.org/wiki/EternalBlue) addition of this exploit meant that after Satan infected a computer, the ransomware would use EternalBlue to scan the local network for computers with outdated SMB services and infect them as well, maximizing an attack's impact. This mechanism has been previously analyzed by security researcher Bart Parys in a blog post [here.](https://bartblaze.blogspot.com/2018/04/satan-ransomware-adds-eternalblue.html) Other ransomware strains that used EternalBlue included WannaCry, NotPetya, and [UIWIX,](https://www.bleepingcomputer.com/news/security/uiwix-ransomware-using-eternalblue-smb-exploit-to-infect-victims/) and all used it in a similar way. ## Satan ransomware also adds exploits ----- This focus on bolstering a lateral movement system continued in 2018, as the ransomware received another update to its lateral movement mechanism at the start of May. [AlienVault experts noticed that new versions of Satan would also scan local networks and](https://www.alienvault.com/blogs/labs-research/satan-ransomware-spawns-new-methods-to-spread) attempt to infect other computers using one of the below exploits/methods: JBoss CVE-2017-12149 Weblogic CVE-2017-10271 Tomcat web application brute forcing ## DBGer adds Mimikatz The new (Satan) DBGer ransomware strain continues this focus on lateral movement. The new version spotted today works by dropping Mimikatz, dumping passwords for networked computers, and using these credentials to access and infect those devices as well. The development path we see taken by the Satan/DBGer crew is what we can expect in the coming months from most ransomware strains. Cybercrime gangs have understood by now that there is more money to be made from coinmining campaigns rather than ransomware. The groups who are still active on the ransomware scene will need to improve their code to maximize profits and adding selfspreading and lateral movement mechanisms is the simplest way to do that. This is because self-spreading and lateral movement features in ransomware allow a crook the opportunity to infect and receive multiple ransom payments just by fooling one absentminded employee to open a boobytrapped file. ### IOCs: **Sha256: 1f3509cc11ffa1f7d839df93615cf1ba0819d75cafd5ef59110d9b01fb90addd** **Modification to file extensions:** image.png -- > [dbger@protonmail.com]image.png.dbger **Ransom note:** __How_to_decrypt_files.txt_ ----- ``` Some files have been encrypted Please send ( 1 ) bitcoins to my wallet address If you paid, send the machine code to my email I will give you the key If there is no payment within three days, we will no longer support decryption If you exceed the payment time, your data will be open to the public download We support decrypting the test file. Send three small than 3 MB files to the email address BTC Wallet : [redacted] Email: dbger@protonmail.com Your HardwareID: ``` [DBGer](https://www.bleepingcomputer.com/tag/dbger/) [ETERNALBLUE](https://www.bleepingcomputer.com/tag/eternalblue/) [Mimikatz](https://www.bleepingcomputer.com/tag/mimikatz/) [Ransomware](https://www.bleepingcomputer.com/tag/ransomware/) [Satan](https://www.bleepingcomputer.com/tag/satan/) [Catalin Cimpanu](https://www.bleepingcomputer.com/author/catalin-cimpanu/) Catalin Cimpanu is the Security News Editor for Bleeping Computer, where he covers topics such as malware, breaches, vulnerabilities, exploits, hacking news, the Dark Web, and a few more. Catalin previously covered Web & Security news for Softpedia between May ----- 2015 and October 2016. The easiest way to reach Catalin is via his XMPP/Jabber address at campuscodi@xmpp.is. For other contact methods, please visit Catalin's author page. [Previous Article](https://www.bleepingcomputer.com/news/legal/dark-web-drug-vendor-pleads-guilty-after-feds-traced-his-bitcoin-transactions/) [Next Article](https://www.bleepingcomputer.com/news/microsoft/microsofts-swiftkey-is-becoming-the-new-touch-keyboard-in-windows-10/) Post a Comment [Community Rules](https://www.bleepingcomputer.com/posting-guidelines/) You need to login in order to post a comment [Not a member yet? Register Now](https://www.bleepingcomputer.com/forums/index.php?app=core&module=global§ion=register) ### You may also like: -----