New File Encryption Ransomware Strain

Here at BECA, we are always focused on keeping you updated and secure in this crazy world of hackers, ransomware, malware, and viruses. Every second, new strains of dangerous malware are being developed. While we can’t warn you about every single one, we strive to keep you updated on the major dangers that threaten your business. Want to know how you can keep your organization safe? Contact BECA to learn how we help our clients stay safe.


[ALERT] There Is A Nasty New MBR & File Encryption Ransomware Strain
There is a new ransomware strain called “Satana” (the reference is clear, just take the last “a” off) which is a blend of classic file encryption malware and the Petya strain, which locks the Master Boot Record (MBR).

This looks like a Petya copycat, but for each file it encrypts, Satana prepends their email address to the file name like this: “email@domain.com_filename.extension”.
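The renaming pattern described above can be checked for in a file listing. The following is an added example, not part of the original alert and not BECA's or Malwarebytes' code; the regular expression, the `min_files` threshold, the function names and the sample paths are assumptions constructed for illustration.

```python
import os
import re
import sys
from collections import defaultdict

# Assumption: the prefix is a plain address (local@domain.tld) followed by
# an underscore, as in "email@domain.com_filename.extension".
EMAIL_PREFIX = re.compile(
    r"^(?P<email>[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)_(?P<rest>.+)$"
)

def split_prefixed_name(name):
    """Return (email, original_name) if the file name matches, else None."""
    m = EMAIL_PREFIX.match(name)
    return (m.group("email").lower(), m.group("rest")) if m else None

def find_suspect_prefixes(paths, min_files=3):
    """Group paths by email prefix; keep prefixes seen on >= min_files files."""
    hits = defaultdict(list)
    for path in paths:
        base = path.replace("\\", "/").rsplit("/", 1)[-1]
        parsed = split_prefixed_name(base)
        if parsed:
            hits[parsed[0]].append(path)
    return {e: files for e, files in hits.items() if len(files) >= min_files}

def walk_paths(root):
    """Yield every file path under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            yield os.path.join(dirpath, name)

# Constructed sample listing (not real indicators).
SAMPLE = [
    r"C:\Users\alice\Documents\placeholder@example.com_budget.xlsx",
    r"C:\Users\alice\Documents\placeholder@example.com_notes_final.docx",
    r"C:\Users\alice\Pictures\Placeholder@Example.com_photo.jpg",
    r"C:\Users\alice\Documents\bob@example.org_signed-contract.pdf",
    r"C:\Users\alice\Documents\readme.txt",
]

if __name__ == "__main__":
    paths = walk_paths(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    for email, files in find_suspect_prefixes(paths).items():
        print(f"{len(files)} files prefixed with {email}")
        for f in files: print("   " + f)
```

The threshold keeps a single legitimately named file (such as one saved from an email attachment) from raising a flag; a cluster of files sharing one address prefix is the signal worth investigating.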

Satana then encrypts the MBR and replaces it with its own. The first time a user reboots their workstation, Satana’s MBR boot code will load and the only thing the machine will show is Satana’s ransom note in red on black. Here’s what the message looks like as a text file:

[Image: satana-ransomware-notepad]

Security researcher Hasherezade posted the initial discovery at Malwarebytes and stated that it might be possible to recover the original MBR. Recovering the MBR via Windows’ cumbersome command-line interface is not for the faint of heart, and restoring it does not mean you can decrypt the files.

According to Hasherezade, the code looks like a work-in-progress, as its developers are still adding “new features”. Stay tuned, this puppy is going to cause some damage when they start pumping it out.


