Saturn Ransomware

Saturn is a newly observed ransomware tool being delivered through a malware-as-a-service affiliate program that provides attackers with the malware binary for free in exchange for a portion of the resulting payments.

Presently it is unclear how Saturn is delivered to a target system, which may be a result of the infection vector being decided by the attacker and not the malware’s creator. Once installed, Saturn will perform a check to verify if it is running in a virtual environment, before executing commands to delete Volume Shadow Copies and disable Windows repair services.

Over 100 common file types are targeted, with encrypted files being appended with the extension .saturn. Ransom notes are dropped in each folder along with a VBS text-to-speech script that reads the ransom demands.

This ransomware is not decryptable at this time, but it is currently being researched for weaknesses.

Ransom Note Details

S A T U R N


All of your files have been encrypted!
To Decrypt your files follow these steps:

#---------------------------------------------#
1. Download and install the "Tor Browser" from https://www.torproject.org

2. Run it.

3. In the Tor Browser, open website:
   http://su34pwhpcafeiztt.onion

4. Follow the instructions on the page
#---------------------------------------------#

File Types

txt, psd, dwg, pptx, pptm, ppt, pps, 602, csv, docm, docp, msg, pages, wpd, wps, text, dif, odg, 123, xls, doc, xlsx, xlm, xlsb, xlsm, docx, rtf, xml, odt, pdf, cdr, 1cd, sqlite, wav, mp3, wma, ogg, aif, iff, m3u, m4a, mid, mpa, obj, max, 3dm, 3ds, dbf, accdb, sql, pdb, mdb, wsf, apk, com, gadget, torrent, jpg, jpeg, tiff, tif, png, bmp, svg, mp4, mov, gif, avi, wmv, sfk, ico, zip, rar, tar, backup, bak, ms11, ms11 (Security copy), veg, pproj, prproj, ps1, json, php, cpp, asm, bat, vbs, class, java, jar, asp, lib, pas, cgm, nef, crt, csr, p12, pem, vmx, vmdk, vdi, qcow2, vbox, wallet, dat, cfg, config

Affected Platforms

Microsoft Windows – All versions



Duncan Newell

Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: