Satana (Satan), a ransomware inspired by Petya and Mischa, is the most recent malware discovery. Still under development, Satana is an aggressive ransomware for Windows that encrypts the computer’s master boot record (MBR) and prevents it from starting.
Satana seems to be a ransomware at an early stage of development. It displays some interesting features, but also contains flaws, researchers said. The low-level attack code looks unfinished – but authors show an interest in developing the product in this direction and we can expect that in the next version it will be improved. We don’t expect this malware is going to be distributed on a large scale yet – it is rather a work in progress, but what we observed now is likely going to be the base for additional threats down the line.
Satana resembles classic ransomware families in terms of how it works, but it is only the second to target the MBR. The MBR code tells the computer how to start, so when it is blocked the computer doesn’t know which disk partitions are where.
Unlike Petya, which encrypted the NTFS MFT (Master File Table), Satana is easier to fix as it only replaces the MBR with its own version. The ransomware reports on all of its processes as it goes, including the progress of encryption.
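A replaced MBR can be detected by comparing the disk's first sector against a known-good backup. The following is an added example, not code from the original article or from the researchers: it parses a 512-byte MBR and reports what differs from the baseline. The function names and the sample sectors are constructed for illustration, and reading the sector from a real disk or image is left out.

```python
import hashlib
import struct

SECTOR = 512  # classic MBR: 446 bytes boot code, 4 x 16-byte entries, 2-byte signature


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot-code hash, partition entries and signature."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        entry = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        # status, (CHS start skipped), type, (CHS end skipped), LBA start, sector count
        status, ptype, lba, count = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:  # type 0 marks an unused slot
            parts.append({"slot": i, "bootable": status == 0x80,
                          "type": ptype, "lba_start": lba, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:446]).hexdigest(),
            "partitions": parts,
            "signature_ok": sector[510:512] == b"\x55\xaa"}


def compare_mbr(baseline: bytes, current: bytes) -> list:
    """Return a list of differences between a saved MBR and the current one."""
    a, b = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if a["boot_code_sha256"] != b["boot_code_sha256"]:
        findings.append("boot code changed")
    if a["partitions"] != b["partitions"]:
        findings.append("partition table changed")
    if not b["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    return findings


def build_sample(boot_fill: int, lba: int = 2048, count: int = 204800) -> bytes:
    """Constructed test sector: filler boot code plus one bootable type-0x07 entry."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, lba, count)
    return bytes([boot_fill]) * 446 + entry + bytes(48) + b"\x55\xaa"


if __name__ == "__main__":
    good = build_sample(0x90)      # constructed baseline
    replaced = build_sample(0xCC)  # constructed sector with different boot code
    print(compare_mbr(good, good))
    print(compare_mbr(good, replaced))
```

A baseline saved to offline media while the system is healthy is also what makes restoring the original sector possible afterwards.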
After the device is infected, the ransom notice appears on the screen demanding payment of 0.5 bitcoin (approximately US$340). Users who are not tech-savvy might find it hard to use the recovery options and restore the system.
Because the computer can’t start Windows, payment has to be made from a different, clean device. However, researchers warn that, even if users pay the ransom, they might not regain access to their system.