A ransomware with the un-snappy moniker of “5ss5c” has emerged on the scene and appears to be in active development. According to independent researcher Bart Blaze, the malware is the successor to the Satan ransomware, and its authors are still experimenting with focused targeting (China, for now) and features. Blaze said in a blog posted Tuesday that 5ss5c and Satan share many code characteristics. Satan, he noted, disappeared from the ransomware scene a few months ago, right after adding an EternalBlue exploit to its bag of tricks. 5ss5c appears to be picking up where Satan left off.

“The group has been working on new ransomware – 5ss5c – since at least November 2019,” Blaze noted. “There are several Satan ransomware artefacts [and shared tactics, techniques and procedures (TTPs)]. One of these is, for example, the use of multiple packers to protect their droppers and payloads.”

He said that, like Satan before it, 5ss5c is a second-stage malware that is downloaded by a dropper. That same dropper also downloads the EternalBlue exploit (i.e., a spreader package); Mimikatz (the Windows password stealer) plus a second credential stealer; and the ransomware itself. It also creates logs, noting whether SMB shares are available (the target of the EternalBlue exploit) and whether the downloads were successful or not.

But 5ss5c advances the previous Satan approach in a few different ways. For one, the dropper provides hardcoded credentials for the command-and-control (C2) server…