A ransomware with the un-snappy moniker of “5ss5c” has emerged on the scene and appears to be in active development. According to independent researcher Bart Blaze, the malware is the successor to the Satan ransomware, and its authors are still experimenting with focused targeting (China, for now) and features.

Blaze said in a blog posted Tuesday that 5ss5c and Satan share many code characteristics. Satan, he noted, disappeared from the ransomware scene a few months ago, right after adding an EternalBlue exploit to its bag of tricks. 5ss5c appears to be picking up where Satan left off.

“The group has been working on new ransomware – 5ss5c – since at least November 2019,” Blaze noted. “There are several Satan ransomware artefacts [and shared tactics, techniques and procedures (TTPs)]. One of these is, for example, the use of multiple packers to protect their droppers and payloads.”

He said that, like Satan before it, 5ss5c is a second-stage malware that is downloaded by a dropper. That same dropper also downloads the EternalBlue exploit (i.e., a spreader package); Mimikatz (the Windows password stealer) plus a second credential stealer; and the ransomware itself. It also creates logs, noting whether SMB shares are available (the target of the EternalBlue exploit) and whether the downloads were successful or not.

But 5ss5c advances the previous Satan approach in a few different ways. For one, the dropper provides hardcoded credentials for the command-and-control (C2) server…
Satan Ransomware Reborn to Torment Businesses (syndicated by govanguard, 2020-01-16)