New Saturn Ransomware Actively Infecting Victims

Faybert

Faybert

Level 24
Thread author
Verified
Top Poster
Well-known
Jan 8, 2017
1,320
A new ransomware was discovered this week by MalwareHunterTeam called Saturn. This ransomware will encrypt the files on a computer and then append the .saturn extension to the file's name. The Saturn Ransomware is being actively distributed, but at this time it is unknown what distribution methods are being used.

Unfortunately, this ransomware is not decryptable at this time, but it is currently being researched for weaknesses. In the mean time, if you wish to discuss or receive help, you can use our dedicated Saturn Ransomware Help & Support topic.

How Saturn Ransomware encrypts a computer
When Saturn Ransomware is installed it will check to see if the victim is running in a virtual environment. If it detects that it is running under a virtual machine, it will exit the process.

If it does not detect a virtual machine, Saturn will execute the following commands to delete shadow volume copies, disable Windows startup repair, and to clear the Windows backup catalog.

cmd.exe /C vssadmin.exe delete shadows /all /quiet & wmic.exe shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

After those commands are executed, it will scan the computer for certain file types and encrypt them. The files types encrypted by Saturn Ransomware are:

txt, psd, dwg, pptx, pptm, ppt, pps, 602, csv, docm, docp, msg, pages, wpd, wps, text, dif, odg, 123, xls, doc, xlsx, xlm, xlsb, xlsm, docx, rtf, xml, odt, pdf, cdr, 1cd, sqlite, wav, mp3, wma, ogg, aif, iff, m3u, m4a, mid, mpa, obj, max, 3dm, 3ds, dbf, accdb, sql, pdb, mdb, wsf, apk, com, gadget, torrent, jpg, jpeg, tiff, tif, png, bmp, svg, mp4, mov, gif, avi, wmv, sfk, ico, zip, rar, tar, backup, bak, ms11, ms11 (Security copy), veg, pproj, prproj, ps1, json, php, cpp, asm, bat, vbs, class, java, jar, asp, lib, pas, cgm, nef, crt, csr, p12, pem, vmx, vmdk, vdi, qcow2, vbox, wallet, dat, cfg, config
When encrypting files it will append the .saturn extension to the encrypted file's name. For example, a file called test.jpg would be encrypted and then renamed to test.jpg.saturn.
...................
...................
Click to expand...
 
  • Like
Reactions: harlan4096, Rengar, Captain Awesome and 4 others
You must log in or register to reply here.

Similar threads

Gandalf_The_Grey
    • +Reputation
    • Like
Malware News Surge in Magniber ransomware attacks impact home users worldwide
Replies
2
Views
2,488
Security News
Jonny Quest
Jonny Quest
Gandalf_The_Grey
    • +Reputation
    • Like
    • Thanks
Malware News Ransomware gang targets IT workers with new SharpRhino malware
Replies
0
Views
2,222
Security News
Gandalf_The_Grey
Gandalf_The_Grey
[correlate]
    • Like
    • Wow
Akira ransomware targets Cisco VPNs to breach organizations
Replies
0
Views
1,313
News Archive
[correlate]
[correlate]

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top