Once it infects a machine, Saturn ransomware runs commands that disable Windows repair and clear the Windows backup catalog. It then encrypts files, appends .saturn to their names, and leaves a ransom note in every folder it encrypts, containing a link to the payment site.
The authors of the newly discovered Saturn ransomware let anyone become a distributor for free through a newly launched Ransomware-as-a-Service (RaaS) affiliate program.
The delivery vector is unknown and still under investigation.
File Name: SATURN_RANSOM.exe
File Type: PE 32-bit image
Advanced Static Analysis
Tools Used: IDA Pro, Dependency Walker.
Once executed, the ransomware checks for VirtualBox to determine whether it is being analysed inside a virtual machine; if it finds it, the process exits.
It does this through the Windows registry: it calls the RegOpenKeyExA API on the VirtualBox-related keys highlighted above, and a successful open is taken as evidence of a VM.
It also checks for Sandboxie, to find out whether it is running inside a sandbox. As highlighted above, the ransomware looks for SbieDll.dll, the DLL Sandboxie injects into every sandboxed process.
The picture below (taken from the Internet) shows the Sandboxie documentation for this DLL.
The ransomware then launches cmd.exe and may ping the IP address mentioned above. (A ping issued from cmd.exe is also a common way to introduce a delay before the next command runs.)
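To see what the sample would observe on a given analysis box, the two checks above can be replayed locally. This is an added example, not the sample's code or the author's: the page does not reproduce the exact registry keys, so the VirtualBox keys below are the usual guest-additions indicators (an assumption), and the Sandboxie check uses GetModuleHandleW because the page does not say which API the sample calls for SbieDll.dll. The probes are passed in as callables so the decision logic runs offline with fakes and against the real registry and loader on Windows.

```python
"""Replay the sample's environment checks against the current host.

Added example, not the sample's code. VBOX_KEYS are typical VirtualBox guest
artefacts (assumption: the page does not reproduce the sample's exact keys);
the Sandboxie check looks for SbieDll.dll in the current process, as the
write-up describes, via GetModuleHandleW (the API the sample uses is not stated).
"""
import sys

VBOX_KEYS = [  # HKLM subkeys; constructed list of common VirtualBox guest indicators
    r"SOFTWARE\Oracle\VirtualBox Guest Additions",
    r"HARDWARE\ACPI\DSDT\VBOX__",
    r"SYSTEM\CurrentControlSet\Services\VBoxGuest",
]
SANDBOXIE_DLL = "SbieDll.dll"


def exit_reasons(key_exists, module_loaded):
    """key_exists(subkey) -> bool and module_loaded(name) -> bool are probe
    callables. Returns the reasons the sample would bail out; an empty list
    means none of its anti-analysis checks fire and it would go on to encrypt."""
    reasons = ["registry:" + k for k in VBOX_KEYS if key_exists(k)]
    if module_loaded(SANDBOXIE_DLL):
        reasons.append("module:" + SANDBOXIE_DLL)
    return reasons


def windows_probes():
    """Live probes for a Windows host: winreg.OpenKey wraps RegOpenKeyEx (the
    call the sample makes as RegOpenKeyExA), and GetModuleHandleW reports
    whether Sandboxie's DLL is loaded in this process."""
    import ctypes
    import winreg

    def key_exists(subkey):
        # A 32-bit process such as this sample sees SOFTWARE through WOW64
        # redirection; pass access=winreg.KEY_READ | winreg.KEY_WOW64_64KEY
        # to OpenKey if you want the native 64-bit view instead.
        try:
            winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey))
            return True
        except OSError:
            return False

    def module_loaded(name):
        return bool(ctypes.windll.kernel32.GetModuleHandleW(name))

    return key_exists, module_loaded


if __name__ == "__main__" and sys.platform == "win32":
    print(exit_reasons(*windows_probes()) or "no anti-analysis trigger: sample would proceed")
```

Run it inside the analysis VM before detonating: an empty result means the sample's VirtualBox and Sandboxie checks would both pass, which is the situation on the VMware guest used later in this write-up.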
The ransomware uses cmd.exe again to launch vssadmin.exe and wmic.exe, deleting every Volume Shadow Copy on the system so the victim cannot restore earlier versions of the files after encryption.
It then runs bcdedit.exe (the Boot Configuration Data editor), which disables Windows Error Recovery at startup, as highlighted above, keeping the victim out of the recovery options after a failed boot.
Those are the main artifacts obtained from the advanced static analysis. The dynamic analysis follows.
Dynamic Analysis
Environment: VMware virtual machine, Windows 7 x64. Note that this is VMware rather than VirtualBox, so the VirtualBox registry check described above does not fire and the sample runs to completion.
Tools Used: Process Monitor, Process Explorer, Regshot, TrackFolderChanges, Wireshark.
Snapshot 6 below shows the Saturn ransomware executing. As found in the static analysis, the sample launches cmd.exe, vssadmin.exe and wmic.exe.
Command line of cmd.exe:
Command line of vssadmin.exe:
vssadmin.exe delete shadows /all /quiet
Command line of wmic.exe:
wmic.exe shadowcopy delete
The command lines alone tell us a good deal about what each process does: /all /quiet removes every shadow copy without prompting, and the wmic call does the same through WMI.
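The static-analysis findings above and the command lines captured here are what a detection engineer would key on. The following is an added example, not code from the analysed sample or from the author: it scans process-creation records shaped like Sysmon Event ID 1 (Image, CommandLine, ParentImage), which is an assumption about the log source, and the records themselves are constructed to mirror the command lines seen here. The page does not reproduce the exact bcdedit switch, so the recoveryenabled No form below is an assumption as well. Because the child processes are launched from one cmd.exe, the whole chain is visible in the parent's command line, and the scanner checks that too.

```python
"""Detect the backup-destruction commands Saturn runs through cmd.exe.

Added example (not the analysed sample's code nor the author's). Field names
follow Sysmon Event ID 1; the sample records are constructed. The bcdedit
switch 'recoveryenabled No' is an assumption: the page only says bcdedit is
used to disable Windows Error Recovery.
"""
import re

# (rule name, expected executable, pattern over a whitespace-normalised command line)
RULES = [
    ("shadow_copy_delete_vssadmin", "vssadmin.exe",
     re.compile(r"\bdelete\s+shadows\b", re.I)),
    ("shadow_copy_delete_wmic", "wmic.exe",
     re.compile(r"\bshadowcopy\s+delete\b", re.I)),
    ("boot_recovery_disabled", "bcdedit.exe",
     re.compile(r"\brecoveryenabled\s+no\b|\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("backup_catalog_deleted", "wbadmin.exe",
     re.compile(r"\bdelete\s+catalog\b", re.I)),
]

SAMPLE_EVENTS = [  # constructed, modelled on the command lines in this write-up
    {"ProcessId": 1320, "Image": r"C:\Users\victim\Desktop\SATURN_RANSOM.exe",
     "CommandLine": r'"C:\Users\victim\Desktop\SATURN_RANSOM.exe"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": 1400, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /C vssadmin.exe delete shadows /all /quiet & wmic.exe shadowcopy delete",
     "ParentImage": r"C:\Users\victim\Desktop\SATURN_RANSOM.exe"},
    {"ProcessId": 1412, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"ProcessId": 1420, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic.exe shadowcopy delete",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"ProcessId": 1430, "Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit /set {default} recoveryenabled No",   # assumed switch
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"ProcessId": 1500, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe list shadows",                   # benign admin use
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]


def image_name(path):
    """Basename of a Windows path, lower-cased, normalised to end in .exe."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower().strip('"')
    return name if name.endswith(".exe") else name + ".exe"


def inner_commands(cmdline):
    """For 'cmd.exe /C a & b & c' return ['a', 'b', 'c']. The whole chain sits
    in the parent's command line, so it can be matched before any child starts."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens):
        if tok.lower() in ("/c", "/k"):
            rest = " ".join(tokens[i + 1:]).strip().strip('"')
            return [s.strip() for s in rest.split("&") if s.strip()]
    return []


def match_command(image, cmdline):
    cmd = " ".join(cmdline.split())
    return [name for name, exe, rx in RULES if image == exe and rx.search(cmd)]


def match_event(event):
    """Rule names matched by one process-creation event."""
    image = image_name(event.get("Image", ""))
    hits = match_command(image, event.get("CommandLine", ""))
    if image == "cmd.exe":
        for seg in inner_commands(event["CommandLine"]):
            hits += match_command(image_name(seg.split(" ", 1)[0]), seg)
    return hits


def triage(events):
    """Per-event hits plus the distinct techniques seen. Two or more distinct
    techniques in one trace is the pattern this family shows; a lone
    'vssadmin list shadows' never fires."""
    per_event = [(e["ProcessId"], match_event(e)) for e in events]
    distinct = {r for _, hits in per_event for r in hits}
    return {"hits": [(pid, h) for pid, h in per_event if h],
            "distinct": distinct,
            "verdict": "backup destruction" if len(distinct) >= 2 else "none"}


if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

The parent cmd.exe launch (PID 1400 in the constructed trace) already matches both shadow-copy rules on its own, which matters in practice: blocking or alerting on that one event is earlier than waiting for vssadmin.exe to appear.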
Saturn creates a shortcut (LNK) file in the Startup folder that points at the original malware executable, so the sample runs again after every reboot (persistence).
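A quick way to find this kind of persistence is to read the Startup-folder shortcuts directly and report any whose target lives outside the usual program directories. The code below is an added example, not the sample's or the author's: the parser follows the MS-SHLLINK layout (ShellLinkHeader, optional LinkTargetIDList, LinkInfo with LocalBasePath, then StringData), build_lnk() constructs a minimal shortcut so the check can be exercised offline without a Windows host, and the trusted-directory prefixes are an assumption to tune per environment.

```python
"""Audit Startup-folder shortcuts by parsing the .lnk files directly.

Added example, not the sample's or the author's code. Offsets follow the
MS-SHLLINK specification; build_lnk() is a constructed fixture and
TRUSTED_PREFIXES is an assumption.
"""
import os
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon")]
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files")  # assumption; tune per host


def _cstr(buf, off):
    """NUL-terminated ANSI string starting at off."""
    return buf[off:buf.index(b"\x00", off)].decode("latin-1")


def parse_lnk(data):
    """Return the LinkInfo target path and the StringData fields of a shell link."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                                      # ShellLinkHeader is fixed at 0x4C bytes
    if flags & HAS_LINK_TARGET_ID_LIST:           # skip the PIDL; LinkInfo carries the path
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    target = None
    if flags & HAS_LINK_INFO:
        info_size, _hdr, info_flags, _vol, lbp_off, _cnrl, suffix_off = struct.unpack_from("<7I", data, pos)
        if info_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:   # offsets are relative to LinkInfo start
            target = _cstr(data, pos + lbp_off) + _cstr(data, pos + suffix_off)
        pos += info_size
    fields = {}
    for flag, key in STRING_FIELDS:               # CountCharacters, then the string, no terminator
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            if flags & IS_UNICODE:
                fields[key] = data[pos:pos + 2 * count].decode("utf-16-le")
                pos += 2 * count
            else:
                fields[key] = data[pos:pos + count].decode("latin-1")
                pos += count
    return {"target": target, **fields}


def build_lnk(target, arguments=""):
    """Constructed fixture: a minimal shortcut with LinkInfo (LocalBasePath) and arguments."""
    flags = HAS_LINK_INFO | IS_UNICODE | (HAS_ARGUMENTS if arguments else 0)
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags).ljust(76, b"\x00")
    volume_id = struct.pack("<4I", 0x11, 3, 0, 0x10) + b"\x00"   # size 0x11, DRIVE_FIXED, empty label
    base, suffix, hdr = target.encode("latin-1") + b"\x00", b"\x00", 0x1C
    lbp_off = hdr + len(volume_id)
    suffix_off = lbp_off + len(base)
    info = struct.pack("<7I", suffix_off + len(suffix), hdr, VOLUME_ID_AND_LOCAL_BASE_PATH,
                       hdr, lbp_off, 0, suffix_off) + volume_id + base + suffix
    data = header + info
    if arguments:
        data += struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    return data


def suspicious_entries(shortcuts):
    """shortcuts: iterable of (name, bytes). Returns entries whose target is a
    file outside the trusted directories, e.g. the user's Desktop or %TEMP%."""
    out = []
    for name, data in shortcuts:
        info = parse_lnk(data)
        target = (info["target"] or "").lower()
        if target and not target.startswith(TRUSTED_PREFIXES):
            out.append((name, info["target"], info.get("arguments", "")))
    return out


def startup_folders():
    """Per-user and all-users Startup folders on a live Windows host."""
    return [os.path.join(os.environ.get("APPDATA", ""), r"Microsoft\Windows\Start Menu\Programs\Startup"),
            os.path.join(os.environ.get("ProgramData", ""), r"Microsoft\Windows\Start Menu\Programs\StartUp")]


def audit_live():
    found = []
    for folder in startup_folders():
        if os.path.isdir(folder):
            for fn in os.listdir(folder):
                if fn.lower().endswith(".lnk"):
                    with open(os.path.join(folder, fn), "rb") as fh:
                        found.append((os.path.join(folder, fn), fh.read()))
    return suspicious_entries(found)


if __name__ == "__main__":
    print(audit_live())
```

Parsing the file rather than resolving it through the shell avoids touching the target at all, which is what you want when the target is the malware itself. Only the ANSI LocalBasePath is read; it is always present when the VolumeIDAndLocalBasePath flag is set, so the optional Unicode copy is not needed for this check.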
Encryption / Modification style
This sample encrypts specific file types. As highlighted above, it first encrypts a text file and gives it a .SGRd extension, then renames the encrypted file back to .txt, and finally renames it once more, appending .saturn to the filename.
The authors probably chose this rename sequence to evade behaviour-based ransomware detectors, which commonly key on a single write-then-rename-to-unknown-extension pattern; the intermediate rename back to the original extension breaks that simple heuristic.
Once the files in a directory are encrypted, it drops three files there with instructions on how to get the files decrypted, and also writes a key file into each such directory.
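The evasion argument above is easier to judge with two detectors side by side. The following is an added example, not the sample's or the author's code: the file-system events are constructed, and both the exact names (notes.txt to notes.txt.SGRd, back to notes.txt, then notes.txt.saturn) and the position of the write relative to the renames are assumptions, chosen to show how a per-rename check that carries no state across renames can be defeated while a lineage-based check that follows each original file through its rename chain still fires.

```python
"""Rename-chain tracking for the .SGRd -> original -> .saturn sequence.

Added example, not the sample's or the author's code. EVENTS are constructed;
the file names and the write-vs-rename order are assumptions.
"""
import ntpath
from collections import defaultdict

KNOWN_EXTS = {".txt", ".docx", ".jpg", ".pdf", ".xlsx"}   # constructed allow-list
DOCS = r"C:\Users\victim\Documents"


def _chain(name):
    """Constructed event chain for one file: rename to .SGRd, write encrypted
    content, rename back to the original name, then append .saturn."""
    p = ntpath.join(DOCS, name)
    return [("rename", p, p + ".SGRd"), ("write", p + ".SGRd"),
            ("rename", p + ".SGRd", p), ("rename", p, p + ".saturn")]


EVENTS = (_chain("notes.txt") + _chain("report.docx")
          + [("write", ntpath.join(DOCS, "todo.txt"))]      # benign edit, never renamed
          + _chain("photo.jpg"))


def ext(path):
    return ntpath.splitext(path)[1].lower()


def naive_flags(events):
    """Per-rename check: flag a rename to an unknown extension only if the
    source path was written since it last got that name. A rename discards the
    'written' state, so the state does not follow the file through the chain."""
    written, flagged = set(), []
    for ev in events:
        if ev[0] == "write":
            written.add(ev[1])
        else:
            _, old, new = ev
            if old in written and ext(new) not in KNOWN_EXTS:
                flagged.append(new)
            written.discard(old)
    return flagged


def lineage_flags(events, min_files=3):
    """Follow every original file through its renames; flag a directory once
    min_files originals were written and ended with a new, unknown extension,
    regardless of how many renames happened in between."""
    origin, touched = {}, set()          # current path -> original path; originals written
    for ev in events:
        if ev[0] == "write":
            touched.add(origin.setdefault(ev[1], ev[1]))
        else:
            _, old, new = ev
            origin[new] = origin.pop(old, old)
    per_dir = defaultdict(list)
    for cur, orig in origin.items():
        if orig in touched and ext(cur) != ext(orig) and ext(cur) not in KNOWN_EXTS:
            per_dir[ntpath.dirname(orig)].append((orig, cur))
    return {d: hits for d, hits in per_dir.items() if len(hits) >= min_files}


if __name__ == "__main__":
    print("naive:", naive_flags(EVENTS))
    print("lineage:", lineage_flags(EVENTS))
```

With the constructed ordering the naive check returns nothing, because the write lands on the .SGRd name and the final rename starts from a path the check considers clean; the lineage check reports all three documents in the directory. The min_files threshold is what keeps a single legitimate save-as-new-extension from alerting.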
TOR website for Payment & Decryption
Bitcoin Address for Payment
They currently demand $300 for decryption, as shown above, and warn that the price will rise after one week.
Ransomware is evolving day by day. Follow best practices when browsing and when handling email, spam in particular, stay aware, and share this knowledge as widely as possible.