Malware News Satana Ransomware Encrypts Your Boot Record and Prevents Your PC from Starting

Exterminator

Crooks are working on a new brand of ransomware that messes with your master boot record (MBR), just like Petya did last March.

Called Satana ("Satan" in a few Romance languages), this ransomware is a mix between classic ransomware and Petya.

Satana works by encrypting your files using the same methods other ransomware families use. For each encrypted file, Satana prepends the crook's email address to each file like so: "email@domain.com____filename.extension"

Satana then encrypts the MBR and replaces it with its own. The first time a user reboots his computer, Satana's MBR boot code will load and the computer won't start, showing Satana's ransom note.

Paying the ransom won't always help
Security researcher hasherezade from Malwarebytes says it may be possible to recover the original MBR, but this won't necessarily retrieve the rest of the encrypted files. Recovering MBR records via Windows' cumbersome command-line interface is something that very few people are able to properly follow through, so even this procedure isn't 100% sure to help users regain access to their PC.

The encryption algorithm used on the rest of the files is very powerful and can't be brute-forced, leaving the files locked unless the user decides to pay the ransom, something which hasherezade doesn't advise.

"[E]ven victims who pay may not get their files back if they (or the C&C) went offline when encryption happened," she writes.

Satana is a work-in-progress
According to the Malwarebytes analyst, the ransomware looks like a work-in-progress, as its developers are still tinkering with its code, which also contains a lot of bugs, so this might not be the last time we hear about Satana.

After Petya appeared in March, a month later, security researchers found a way to recover files locked with this threat.

A month after that, in May, crooks switched to delivering Petya bundled with a second ransomware called Mischa, which was a regular ransomware that locked files, while Petya locked the MBR. Satana seems an evolution of this latter idea.
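An added triage example (not part of the original post or of the Malwarebytes analysis): it scans a file listing for the "email@domain.com____filename.extension" naming scheme quoted above, to scope which folders were hit and which names to look for in backups. The e-mail regex, function names and sample paths are assumptions made for illustration; the renamed files stay encrypted.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Naming scheme quoted in the post: "<email>____<original file name>".
# The e-mail pattern is a loose assumption for triage, not Satana's own logic.
SATANA_NAME = re.compile(
    r"^(?P<contact>[^@\s]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})_{4}(?P<original>.+)$"
)

def parse_name(file_name):
    """Return (contact, original_name) if the name follows the scheme, else None."""
    m = SATANA_NAME.match(file_name)
    return (m.group("contact"), m.group("original")) if m else None

def triage(paths):
    """Summarise affected files, folders and contact addresses in a listing."""
    by_contact, by_folder, renames = Counter(), Counter(), []
    for raw in paths:
        path = PureWindowsPath(raw)
        parsed = parse_name(path.name)
        if parsed is None:
            continue  # ordinary file, even if it contains '@' or '____'
        contact, original = parsed
        by_contact[contact] += 1
        by_folder[str(path.parent)] += 1
        # Pair the current path with the pre-infection path to match against backups.
        renames.append((str(path), str(path.with_name(original))))
    return {"by_contact": by_contact, "by_folder": by_folder, "renames": renames}

# Constructed sample listing (for instance, saved output of `dir /s /b`).
SAMPLE = [
    r"C:\Users\alice\Documents\ransom@example.com____budget.xlsx",
    r"C:\Users\alice\Documents\ransom@example.com_____notes_.txt",
    r"C:\Users\alice\Documents\report_final____v2.docx",
    r"C:\Users\alice\Pictures\ransom@example.com____cat.jpg",
    r"C:\Users\alice\Pictures\me@home.png",
]

if __name__ == "__main__":
    report = triage(SAMPLE)
    for folder, count in report["by_folder"].most_common():
        print(f"{count:3d} affected file(s) in {folder}")
    for current, original in report["renames"]:
        print(f"{current} -> was {original}")
```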
 

Tinm

Does formatting the active partition and reinstalling Windows solve the problem?
 

Kalipso

They say that it is not difficult to repair the Master Boot Record if you have a Windows Boot Install CD, no matter if it is Windows 7, 8, or 10. The process of MBR repair takes 15-20 minutes. Still, I cannot understand how, for example, a person who has a Netbook can repair his or her MBR on a Netbook. There is no CD drive and they have no Windows CD. Where can a person download the Windows installer to his USB stick? I am not sure it will function.
 