Saturn Ransomware

A Brief Overview
A new ransomware family called Saturn was discovered this week by MalwareHunterTeam. Once a machine is infected, it encrypts the user's files and appends the .saturn extension to each file name (for example, the original file test.png becomes test.png.saturn after the attack).
This ransomware is being actively distributed, but the distribution method is currently unknown. It could be delivered as an attachment in a message, as a hyperlink that redirects to an attacker-controlled web site, through an infected payload, or via any other vector that leads to a Saturn infection.
Impact of Saturn Virus:
· Saturn modifies web browser settings such as the homepage, the default search engine and the new-tab URL.
· It inserts irrelevant ads and pop-ups that interfere with web browsing.
· It encrypts the user's files and makes them inaccessible.
· Users are then asked to pay a ransom in Bitcoin to obtain the decryption key.

How Saturn Ransomware encrypts a Machine’s Data
Once Saturn is installed on a computer, it checks whether it is running inside a virtual environment. If it detects a virtual machine, the process exits. If it does not detect a virtual machine, Saturn executes commands that:
1. Delete shadow copies
2. Disable Windows start-up repair
3. Clear the Windows backup catalog
After executing these commands, it scans the system for certain file types (listed below) and encrypts them.
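The three recovery-tampering steps listed above leave a recognisable trail in process-creation telemetry, and a defender can alert on them before encryption finishes. The following Python example is added here and is not code from the original post: it runs simple rules over a handful of constructed, Sysmon-style process-creation lines (the sample events, the parent image name and the exact command-line strings are assumptions matching commonly reported variants of these commands, not text quoted by the page) and reports which parent process carried out the full sequence.

```python
import re
from dataclasses import dataclass

# Constructed sample events in a simplified "key=value" form (not logs from the page).
SAMPLE_EVENTS = [
    "ParentImage=C:\\Users\\victim\\Downloads\\invoice.exe CommandLine=vssadmin delete shadows /all /quiet",
    "ParentImage=C:\\Users\\victim\\Downloads\\invoice.exe CommandLine=bcdedit /set {default} recoveryenabled no",
    "ParentImage=C:\\Users\\victim\\Downloads\\invoice.exe CommandLine=bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    "ParentImage=C:\\Users\\victim\\Downloads\\invoice.exe CommandLine=wbadmin delete catalog -quiet",
    "ParentImage=C:\\Windows\\explorer.exe CommandLine=notepad.exe C:\\Users\\victim\\notes.txt",
    "ParentImage=C:\\Windows\\System32\\svchost.exe CommandLine=vssadmin list shadows",
]

# One rule per step from the write-up. Listing or querying shadow copies is benign and
# deliberately not matched; only destructive or recovery-disabling forms are.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("startup_repair_disabled",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("backup_catalog_cleared",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
]

ALL_CATEGORIES = {category for category, _ in RULES}


@dataclass(frozen=True)
class Finding:
    index: int          # position of the event in the input list
    parent: str         # process that spawned the command
    category: str       # which tampering step the command line matched
    command_line: str


def _field(event: str, name: str) -> str:
    """Pull a single field out of the simplified key=value event line."""
    m = re.search(rf"{name}=(.*?)(?= \w+=|$)", event)
    return m.group(1) if m else ""


def detect_recovery_tampering(events):
    """Return one Finding per event whose command line matches a tampering rule."""
    findings = []
    for i, event in enumerate(events):
        cmd = _field(event, "CommandLine")
        for category, pattern in RULES:
            if pattern.search(cmd):
                findings.append(Finding(i, _field(event, "ParentImage"), category, cmd))
                break
    return findings


def parents_with_full_sequence(events):
    """Parent images that performed all three steps: a strong pre-encryption signal."""
    seen = {}
    for f in detect_recovery_tampering(events):
        seen.setdefault(f.parent, set()).add(f.category)
    return sorted(parent for parent, cats in seen.items() if cats == ALL_CATEGORIES)


if __name__ == "__main__":
    for f in detect_recovery_tampering(SAMPLE_EVENTS):
        print(f"[{f.category}] event {f.index} from {f.parent}: {f.command_line}")
    print("full sequence from:", parents_with_full_sequence(SAMPLE_EVENTS))
```

Any single match is worth an alert; the combination of all three from one parent process, and especially from a process launched out of a user's Downloads directory, should be treated as ransomware in progress rather than as administrative maintenance.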
While encrypting files, it appends the .saturn extension to each encrypted file's name, as shown below:
While encrypting the system, Saturn drops ransom notes named #Decrypt_MY_FILES#.html and #Decrypt_MY_FILES#.txt and a key file named #key-[id].key in each folder. The key file is used to log in to the TOR ransom site, and the notes contain a link to the TOR payment site at http://su34pwhpcafeiztt.com.onion.

[Figure: screenshot of the ransom note]
The ransomware also drops a #DECRYPT_MY_FILES#.vbs file that makes the infected computer play a spoken message. Finally, it sets the Windows desktop background to #DECRYPT_MY_FILES.BMP.
When a user visits the TOR site, they are prompted to upload the key file before they can access their personal portal.
Once the key is uploaded, the site opens the Saturn Decryptor page for the victim and displays more detailed instructions, including the amount of bitcoin to send as a ransom and the bitcoin address to send it to. Currently the ransom amount is set to $300 USD and may increase over time.
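The artifacts described above (the .saturn extension, the ransom notes, the per-folder key file, the .vbs and .BMP files) are the indicators an incident responder looks for when scoping an infection. The following Python example is added here and is not code from the original post: it builds a constructed sample directory in a temp folder, walks it, and reports encrypted files, ransom notes, key files and the set of affected directories. The sample file names and contents are assumptions made for the demo; the indicator names come from the write-up, matched case-insensitively because the page itself spells them inconsistently.

```python
import os
import re
import shutil
import tempfile
from pathlib import Path

# Indicators taken from the write-up above.
ENCRYPTED_EXT = ".saturn"
NOTE_NAMES = {
    "#decrypt_my_files#.html", "#decrypt_my_files#.txt",
    "#decrypt_my_files#.vbs", "#decrypt_my_files.bmp",
}
KEY_FILE_RE = re.compile(r"^#key-.+\.key$", re.I)


def build_sample_tree() -> Path:
    """Constructed sample: a temp directory imitating a post-infection layout."""
    root = Path(tempfile.mkdtemp(prefix="saturn_demo_"))
    docs = root / "Documents"
    docs.mkdir()
    (docs / "test.png.saturn").write_bytes(b"\x00" * 16)          # renamed, encrypted file
    (docs / "#Decrypt_MY_FILES#.txt").write_text("note placeholder")
    (docs / "#key-ABC123.key").write_text("key placeholder")       # hypothetical id
    pics = root / "Pictures"                                       # untouched folder
    pics.mkdir()
    (pics / "holiday.jpg").write_bytes(b"\xff\xd8\xff")
    return root


def scan_for_saturn_artifacts(root):
    """Walk root and classify every file against the Saturn indicators."""
    report = {"encrypted_files": [], "ransom_notes": [], "key_files": [], "affected_dirs": set()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            lower = name.lower()
            if lower.endswith(ENCRYPTED_EXT):
                report["encrypted_files"].append(full)
                report["affected_dirs"].add(dirpath)
            elif lower in NOTE_NAMES:
                report["ransom_notes"].append(full)
                report["affected_dirs"].add(dirpath)
            elif KEY_FILE_RE.match(name):
                report["key_files"].append(full)
                report["affected_dirs"].add(dirpath)
    return report


def original_name(encrypted_name: str) -> str:
    """Recover the pre-encryption file name (test.png.saturn -> test.png)."""
    if encrypted_name.lower().endswith(ENCRYPTED_EXT):
        return encrypted_name[: -len(ENCRYPTED_EXT)]
    return encrypted_name


if __name__ == "__main__":
    root = build_sample_tree()
    try:
        r = scan_for_saturn_artifacts(root)
        for path in r["encrypted_files"]:
            print("encrypted:", path, "->", original_name(os.path.basename(path)))
        print("notes:", r["ransom_notes"])
        print("key files:", r["key_files"])
        print("affected dirs:", sorted(r["affected_dirs"]))
    finally:
        shutil.rmtree(root)
```

Preserve the key files rather than deleting them during cleanup: the write-up notes that each one is what the attacker's portal uses to identify the victim, and it may be needed if a decryptor becomes available.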

Precautions to protect against Saturn Ransomware
· Always keep tested backups of your data.
· Do not expose remote desktop services to the Internet; use a VPN to reach remote servers instead.
· Use security software such as an anti-malware tool (http://bestsecuritysearch.com/download-install-spyhunter-anti-malware-tool/ ).
· Do not open any attachment without confirming its origin, and scan each attachment before downloading it.
· Keep all software and frameworks upgraded or updated with the latest patches and hotfixes.
· Don't use weak or reused passwords. Use strong, complex passwords that are hard to crack.
· Periodically scan all servers, workstations and other devices within the infrastructure.
