Ransomware is a well-known problem. Its increasing popularity as a class of malware is well documented, but to butcher a phrase – one bad turn deserves another.
Previously, crafting malware was the domain of skilled and malicious programmers, but as Cylance has reported, enterprising bad actors have now established platforms that allow aspiring cybercriminals with little to no technical expertise to launch their own attacks. This is known as ransomware-as-a-service (RaaS), and it represents an opportunity for the number of cyberattacks to increase greatly, as the barrier to entry is not merely lowered, but eliminated.
VIDEO: CylancePROTECT vs. Satan RaaS
Cylance researchers dug into Satan RaaS and discovered a chilling feature – pay by commission.
“Ransomware is changing how malware authors and cybercriminals cash in on their efforts. Cryptocurrency has enabled ransomware authors to charge nothing up front and only take a cut of successful ransoms. As you can imagine, this will greatly increase the distribution of ransomware. We look at a recently discovered ransomware-as-a-service known as Satan to show how easy it is for aspiring cybercriminals to access a complex ransomware.”
In his excellent write-up recently published in SC Magazine, Technology Editor Peter Stephenson noted the following about Satan RaaS:
“The ransomware is written mostly in C++, and the author has asked that you not upload to virus scanners such as VirusTotal. Of course we – and several other researchers, apparently – have, and here are our results. There is a caveat, though. If an actor creates a copy of the ransomware – more on that shortly – that ransomware will have very limited anti-malware recognition until a sample gets into the wild and the A-M vendors get it into their systems.”
Here is where things get even more interesting:
“I ran a sample that I created through VirusTotal and OPSWAT Metadefender. V-T did not pick it up at all. Metadefender showed nine products that appeared to recognize it, but of those, four were false positives based upon the compile dates, four thought that it was Zbot and only two recognized it as Satan ransomware. The point is that this can be quite difficult to spot by your antimalware software. However, most AV vendors are writing generic detection for it. The only one I found that hit on my sample instantly, even though it was less than an hour old, was Cylance.”
If you use our endpoint protection product CylancePROTECT, you were already protected from this attack. If you don't have CylancePROTECT, contact us to learn how our AI-driven solution can predict and prevent unknown and emerging threats.