
A new ransomware-as-a-service (RaaS) called Satan is attracting amateur computer criminals on the dark web with free licenses.

Once a user creates an account for Satan and logs in, they can use the provided affiliate console to customize their ransomware campaign. The criminal can use the “Malwares” page, for instance, to specify Satan’s ransom amount, whereas they can visit the “Droppers” tab to configure the ransomware’s distribution settings. All the while, Satan’s author maintains full control over how much each affiliate generates from their attack campaigns.

Lawrence Abrams of Bleeping Computer clarifies this point:

“For this service, the RaaS developer takes a 30% cut of any payments that are made by victims. According to the advertisement for the Satan RaaS, the developer will reduce their cut depending on the volume of payments received by an affiliate.”

An affiliate can track how much they make from their ransomware installations on Satan’s “Account” page.

Satan Accounts tab (Source: Bleeping Computer)

 

Whenever the RaaS successfully installs itself onto a victim’s computer, it first checks to see if it’s running on a virtual machine. If it is, Satan terminates. If it isn’t, the ransomware targets files with 361 different filenames for encryption.

Not much is known about the ransomware’s encryption algorithm other than the fact that it scrambles a file’s name and appends “.stn” to each affected file. Only then does it create and save its ransom note, which directs victims to a Tor payment site.

Satan payment site (Source: Bleeping Computer)
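The rename behaviour described above (a scrambled file name with “.stn” appended) can be used as a detection signal. The following is an added example, not code from the article or from Bleeping Computer: it flags any process that performs a burst of such renames. The event tuple layout, the threshold, the time window and the sample events are all constructed assumptions.

```python
from collections import defaultdict, deque
from pathlib import PureWindowsPath

EXT = ".stn"  # extension reported in the article

def is_satan_style_rename(old, new):
    """True when a rename gives the file a .stn suffix AND a different base name."""
    o, n = PureWindowsPath(old), PureWindowsPath(new)
    if n.suffix.lower() != EXT or o.suffix.lower() == EXT:
        return False
    # A legitimate conversion (part.dwg -> part.stn) keeps the stem; skip it.
    return n.stem.lower() not in (o.stem.lower(), o.name.lower())

def detect_bursts(events, threshold=3, window=5.0):
    """Return {pid: [renamed paths]} for processes with at least `threshold`
    matching renames inside any `window`-second span.
    `events` is an iterable of (timestamp_s, pid, old_path, new_path);
    this layout is an assumption, adapt it to your file-audit source."""
    recent = defaultdict(deque)   # pid -> sliding window of (ts, new_path)
    flagged = defaultdict(list)
    for ts, pid, old, new in sorted(events):
        if not is_satan_style_rename(old, new):
            continue
        q = recent[pid]
        q.append((ts, new))
        while ts - q[0][0] > window:   # drop events older than the window
            q.popleft()
        if len(q) >= threshold:
            for _, path in q:
                if path not in flagged[pid]:
                    flagged[pid].append(path)
    return dict(flagged)

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    (100.0, 4120, r"C:\Users\a\Documents\budget.xlsx", r"C:\Users\a\Documents\qzkfw.stn"),
    (100.4, 4120, r"C:\Users\a\Documents\notes.txt", r"C:\Users\a\Documents\hvmra.stn"),
    (100.9, 4120, r"C:\Users\a\Pictures\trip.jpg", r"C:\Users\a\Pictures\ulwpe.stn"),
    (101.0, 812, r"C:\Work\part.dwg", r"C:\Work\part.stn"),  # same stem: ignored
    (300.0, 990, r"C:\Tmp\a.tmp", r"C:\Tmp\b.stn"),          # single rename: below threshold
]

if __name__ == "__main__":
    for pid, paths in detect_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT pid={pid}: {len(paths)} files renamed to *{EXT}")
```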

Satan, which was originally discovered by a security researcher named Xylitol, joins Stampado and other RaaS samples in making ransomware accessible to people who lack technical expertise. No doubt we’ll see more platforms such as these emerge in the coming weeks and months. With that in mind, it’s important that users focus on preventing a ransomware infection and back up their critical information on a regular basis.