Sage and Satan Ransomware, Double Trouble

A spam campaign has started spreading Sage ransomware, while a ransomware service known as Satan allows users to customize distribution.

A spam campaign known for spreading the Cerber ransomware has changed its payload just as a new ransomware-as-a-service offering popped up.

While the two happenings aren’t related, they are an indicator of the relentless development and investment continuing around ransomware, and the ongoing challenges defenders face.

Traffic from the spam campaign, spotted on Friday by SANS Internet Storm Center handler Brad Duncan, showed that messages had moved away from Cerber and were now dropping a ransomware called Sage. The emails arrive without a subject line or message text; the malware is buried in two .zip archives attached to the email. Once the victim burrows through the double .zip, they’re greeted with either a Word doc hosting a malicious macro, or a .js file. The macro or the .js file downloads the ransomware to the infected machine.

Sage, Duncan said in a post published on Friday, is a variant of CryLocker ransomware. It was found in September by a researcher known as MalwareHunterTeam who said the malware was spreading in emails from a phony government agency called the Central Security Treatment Organization. A .cry extension was added to encrypted files, and the attacker was looking for 1.1 Bitcoin. System information from the compromised system is also sent to the attacker over UDP.

Sage, meanwhile, wants $2,000 in Bitcoin and appends .sage to encrypted files.

Like CryLocker, Duncan said Sage communicates over UDP, but its traffic is encrypted, unlike CryLocker traffic.

“When the callback domains for Sage didn’t resolve in DNS, the infected host sent UDP packets sent to over 7,000 IP addresses,” Duncan wrote in a post published Saturday. “I think this could be UDP-based peer-to-peer (P2P) traffic, and it appears to be somehow encoded or encrypted.”

Duncan published a number of indicators of compromise, including file names, Tor domains hosting decryption instructions, hashes, and domains from where the malware is fetched.

“I’m not sure how widely-distributed Sage ransomware is.  I’ve only seen it from this one malspam campaign, and I’ve only seen it one day so far.  I’m also not sure how effective this particular campaign is.  It seems these emails can easily be blocked, so few end users may have actually seen Sage 2.0,” Duncan said. “Still, Sage is another name in the wide variety of existing ransomware families.  This illustrates how profitable ransomware remains for cyber criminals.”

Also uncovered was a new ransomware service called Satan allows users to create their own distribution model and terms for spreading the Satan ransomware.

A researcher known as Xylitol, according to BleepingComputer, said the ransomware service allows criminals to create their own custom versions of the Satan ransomware and how it will be distributed. The service providers requires only that the criminals register for the service and demands 30 percent of any ransom payments made.

An ad marketing the service on a black market site touts Satan as a free kit that allows the user to customize the malware, specify the ransom value, set a multiplier after so many days of non-payment, and write a private note, all in under a minute if they so wish. The executable is lightweight, checking in at 170 kb, the ad says.

The service also offers a translation service for languages other than English, a page that walks the user through creating a dropper, and creating code for Word macros or CHM installers.

The ransomware, meanwhile, is also capable of detecting whether it’s executing in a virtual machine, and will terminate if it does so. It also has mechanisms for persistence, and will target a long list of file extensions that could be present on the victim’s hard drive. Encrypted files will have a .stn extension.

So far, no decryptors exist for either ransomware family.

“Typically a RaaS leaves it up to the affiliate to figure out how to distribute,” said Lawrence Abrams, a researcher with BleepingComputer. “This is the first time I have seen a RaaS developer actually offer help with distribution ideas.”

Suggested articles

Necurs-Based DDE Attacks Now Spreading Locky Ransomware

Researchers have spotted Locky ransomware infections emanating from the Necurs botnet via Word attachments using a DDE technique that Microsoft says is an Office feature and does not merit a security patch.

Discussion

  • Gman on

    Very well written who and what antivirus/Malware application is available for these and crypto and the other nasty ones is there a containment of this definition
  • Anonymous on

    "The ransomware, meanwhle, is also capable of detecting whether it's executing in a virtual machine , and will terminate if it does so." Well isn't that fucking great.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.