Satan ransomware rebrands as 5ss5c
5ss5c is newly observed ransomware that has been attributed to the same threat actor that developed Satan.
5ss5c is distributed by a spreader module that uses both hardcoded credentials and the SMB EternalBlue exploit. It is accompanied by credential-stealing modules, including Mimikatz.
When executed, 5ss5c will stop database processes and then encrypt files with the following extensions: 7z, bak, cer, csv, db, dbf, dmp, docx, eps, ldf, mdb, mdf, myd, myi, ora, pdf, pem, pfx, ppt, pptx, psd, rar, rtf, sql, tar, txt, vdi, vmdk, vmx, xls, xlsx, zip.
The ransom note contains instructions in Chinese only, rather than the Korean or English seen in previous iterations.
Encrypted files are renamed with the email address 5ss5c@mail[.]ru at the beginning and the extension .5ss5c at the end. A ransom note in Chinese is then saved to the root directory of the C:\ drive.
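A quick triage helper for a suspected 5ss5c infection, written for this bulletin and not part of the original report: it recognises filenames carrying the reported email prefix and .5ss5c suffix, recovers the original extension, and flags any encrypted file whose extension is outside the list above. The exact separator between the email address and the original name is not stated in the bulletin, so the pattern accepts the address either bare or wrapped in square brackets (an assumption).

```python
import re
from collections import Counter

# Extensions the bulletin reports 5ss5c encrypts.
TARGET_EXTS = {
    "7z", "bak", "cer", "csv", "db", "dbf", "dmp", "docx", "eps", "ldf", "mdb",
    "mdf", "myd", "myi", "ora", "pdf", "pem", "pfx", "ppt", "pptx", "psd", "rar",
    "rtf", "sql", "tar", "txt", "vdi", "vmdk", "vmx", "xls", "xlsx", "zip",
}
# Email address the bulletin reports as the filename prefix (refanged here).
ATTACKER_EMAIL = "5ss5c@mail.ru"
# Assumption: the address may be bare or in [brackets]; the original name and
# extension follow, then the .5ss5c suffix.
ENCRYPTED_NAME = re.compile(
    r"^\[?" + re.escape(ATTACKER_EMAIL)
    + r"\]?(?P<orig>.+?\.(?P<ext>[A-Za-z0-9]+))\.5ss5c$"
)

def parse_encrypted_name(name):
    """Return (original_name, original_ext) if `name` matches the 5ss5c
    rename pattern, otherwise None."""
    m = ENCRYPTED_NAME.match(name)
    if not m:
        return None
    return m.group("orig"), m.group("ext").lower()

def triage(filenames):
    """Count encrypted files by original extension and list any whose
    extension is not in the bulletin's target list (worth a second look)."""
    by_ext = Counter()
    unexpected = []
    for name in filenames:
        parsed = parse_encrypted_name(name)
        if parsed is None:
            continue
        ext = parsed[1]
        by_ext[ext] += 1
        if ext not in TARGET_EXTS:
            unexpected.append(name)
    return {"encrypted": sum(by_ext.values()),
            "by_ext": dict(by_ext), "unexpected": unexpected}

# Constructed sample listing, not real telemetry.
SAMPLE_LISTING = [
    "[5ss5c@mail.ru]finance.xlsx.5ss5c",
    "[5ss5c@mail.ru]customers.mdf.5ss5c",
    "[5ss5c@mail.ru]site-backup.tar.5ss5c",
    "[5ss5c@mail.ru]photo.jpg.5ss5c",   # jpg is not in the reported list
    "readme.txt",                        # untouched file
    "[5ss5c@mail.ru]notes.5ss5c",        # no original extension: not matched
]

if __name__ == "__main__":
    print(triage(SAMPLE_LISTING))
```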

Duncan is a technology professional with over 20 years' experience in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.