A ransomware with the un-snappy moniker of “5ss5c” has emerged on the scene and appears to be in active development. According to independent researcher Bart Blaze, the malware is the successor to the Satan ransomware, and its authors are still experimenting with focused targeting (China, for now) and features.
Blaze said in a blog posted Tuesday that 5ss5c and Satan share many code characteristics. Satan, he noted, disappeared from the ransomware mileu a few months ago, right after adding an EternalBlue exploit to its bag of tricks. 5ss5c appears to be picking up where Satan left off.
“The group has been working on new ransomware – 5ss5c – since at least November 2019,” Blaze noted. “There are several Satan ransomware artefacts [and shared tactics, techniques and procedures (TTPs)]. One of these is, for example, the use of multiple packers to protect their droppers and payloads.”
He said that like Satan before it, 5ss5c is a second-stage malware that is downloaded by a dropper. That same dropper also downloads the EternalBlue exploit (i.e., a spreader package); Mimikatz (the Windows password stealer) plus a second credential stealer; and the ransomware itself. It also creates logs, noting whether SMB shares are available (the target of the EternalBlue exploit); and whether the downloads were successful or not.
But 5ss5c advances the previous Satan approach in a few different ways. For one, the dropper provides hardcoded credentials for the command-and-control (C2) server for the ransomware to use to connect to an SQL database with the xp_cmdshell command. Also, the operators are using three different packers to obfuscate the code: MPRESS, Enigma and Enigma VirtualBox. The latter is used for packing an additional spreader module, named poc.exe – the name of which could stand for “proof of concept” and indicate that the ransomware authors are still experimenting, Blaze said.
There’s an additional enhancement when it comes to what the ransomware encrypts. Like Satan, it has an “exclusion list” of certain file types and folders that will remain unencrypted during the infection, including folders belonging to China-based security company Qihoo 360. However, it has a new list of what it targets, including files with the following extensions: 7z, bak, cer, csv, db, dbf, dmp, docx, eps, ldf, mdb, mdf, myd, myi, ora, pdf, pem, pfx, ppt, pptx, psd, rar, rtf, sql, tar, txt, vdi, vmdk, vmx, xls, xlsx, zip.
“This extension list is not like before, and includes mostly documents, archives, database files and VMware-related extensions such as vmdk,” Blaze said.
5ss5c also has a different ransom demand M.O.: It creates a Chinese-language ransomware note on the C:\ drive called “_How to decrypt my file_.txt,” which reads, “Some files have been encrypted. If you want to retrieve the encrypted file, send (1) Bitcoins to my wallet. If payment is not completed within 48 hours from the start of encryption, the amount of decryption will double. If you have other questions, you can contact me by email. Your decryption credentials are: Email: [email@example.com].” It does not contain the Bitcoin address.
“Additionally, the note only contains instructions in Chinese, not Korean nor English like previous iterations,” Blaze said. “Is 5ss5c ransomware more targeted, or just actively being tested by the group/developers behind it?”
As always, users can protect themselves from ransomware by keeping up with patches, using antivirus and firewalls, and most of all, creating backups of files that are kept in a separate location, segmented from the rest of the network.