The threat actors behind the Satan, DBGer and Lucky ransomware and likely Iron ransomware, is back with a new piece of malware named ‘5ss5c’.
The Bart Blaze believes that the threat actors have been working on the 5ss5c ransomware since at least November 2019, and likely the malicious code is still under development. Experts, in fact, discovered a second spreader module, packed with Enigma VirtualBox, within the code, that is named poc.exe.
“There’s quite some curiosities that indicate 5ss5c is still in active development and stems from Satan ransomware.” reads the analysis published by Blaze.
“This suggest they may be experimenting (
The expert discovered several artifacts that suggest 5ss5c stems from Satan ransomware, he also pointed out that updates for Satan stopped in August while 5ss5c appeared
Like Satan, 5ss5c
The file poc.exe is dropped to C:\ProgramData\poc.exe, and runs the command:
cd /D C:\ProgramData&star.exe –OutConfig a –TargetPort 445 –Protocol SMB –Architecture x64 –Function RunDLL –DllPayload C:\ProgramData\down64.dll –TargetIp
that is similar to the command executed by the Satan ransomware:
cmd /c cd /D C:\Users\Alluse~1\&blue.exe –TargetIp & star.exe –OutConfig a –TargetPort 445 –Protocol SMB –Architecture x64 –Function RunDLL –DllPayload down64.dll –TargetIp
Both Satan and 5ss5c have an exclusion list of files that are not encrypted by the malicious codes, the list of the new ransomware include additional files like the one associated with Qih00 360 security solutions (i.e. 360download and 360safe files).
The 5ss5c ransomware drops a ransom note in Chinese that demands the a ransom of 1
The ransom demand will double after 48 hours. The ransom note doesn’t include
“Whoever’s behind the development of Satan, DBGer, Lucky and likely Iron ransomware, is back in business with the 5ss5c ransomware, and it appears to be in active development – and is trying to increase (or perhaps focus?) its targeting and spread of the ransomware.” concludes the expert.
The analysis published by Blaze includes the indicators of compromise (IOCs).
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.