Fortinet found new Satan ransomware variants with more evil tricks

PyLocky ransomware decryption

FortiGuard Lab recently discovered a new variant of Satan ransomware that uses more vulnerabilities to infect computer machines. Satan ransomware first appeared in January 2017. The goal of Satan ransomware is Linux and Windows machines, which attempt to exploit a large number of vulnerabilities and spread through public and external networks. Ransomware was originally spread through private and public networks and still uses EternalBlue exploit (from the NSA) and the open-source application Mimikatz.

PyLocky ransomware decryption

The original communicators were conn.exe on Windows and conn32/64 on Linux, which could be spread over private and public networks. In previous attacks, the Linux component (conn32/64) was only propagated through non-Class A type private networks. However, it has recently been updated to support the spread on private and public networks.

Satan ransomware exploits many known vulnerabilities, including:

  • JBoss default configuration vulnerability (CVE-2010-0738)
  • Tomcat arbitrary file upload vulnerability (CVE-2017-12615
  • WebLogic arbitrary file upload vulnerability (CVE-2018-2894)
  • WebLogic WLS component vulnerability (CVE-2017-10271)
  • Windows SMB remote code execution vulnerability (MS17-010)
  • Spring Data Commons remote code execution vulnerability (CVE-2018-1273)

The recent variants of Satan ransomware in Windows and Linux that experts have observed include several web application remote code execution vulnerabilities:

  • Spring Data REST Patch Request (CVE-2017-8046)
  • ElasticSearch (CVE-2015-1427)
  • ThinkPHP 5.X Remote Code Execution (no CVE)

The attack is implemented by performing an IP address traversal and scanning and executing the entire vulnerability list on each IP address encountered, along with a corresponding hard-coded port list. To increase efficiency, it also implements multithreading, which generates separate threads for each target IP and port propagation attempt.

For statistical purposes, Satan ransomware scans applications like Drupal, XML-RPC, Adobe, etc., and notifies the server when the application exists.  Fortinet concluded that Satan ransomware is becoming more aggressive and has adopted RaaS (Ransomware-as-a-Service scheme), and more hackers will be able to use it, which means more attacks.