Satan ransomware rebrands as 5ss5c

5ss5c is newly observed ransomware that has been attributed to the same threat actor that developed Satan.

5ss5c is distributed by a spreader module that uses both hardcoded credentials and the SMB EternalBlue exploit. It is accompanied by credential stealing modules including Mimikatz.

When executed, 5ss5c will stop database processes and then encrypt files with the following extensions: 7z, bak, cer, csv, db, dbf, dmp, docx, eps, ldf, mdb, mdf, myd, myi, ora, pdf, pem, pfx, ppt, pptx, psd, rar, rtf, sql, tar, txt, vdi, vmdk, vmx, xls, xlsx, zip.

The ransom note contains instructions only in Chinese, rather than in Korean or English as in previous iterations.

Encrypted files are renamed with the email address [email protected][.]ru at the beginning and the extension .5ss5c at the end. A ransom note in Chinese is then saved to the root directory of the C:\ drive.
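The renaming scheme above (e-mail prefix plus a `.5ss5c` suffix) is something an incident responder can pivot on when triaging a file listing. The following is an added example, not code from the original post or from the malware: it parses a path that follows that scheme, recovers the original name and extension, and checks the extension against the list the write-up gives. It assumes the address is written directly in front of the original name (the source redacts the address, so the pattern accepts any address on a `.ru` domain), and the sample listing is constructed.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Extensions the write-up lists as targeted by 5ss5c.
TARGETED_EXTENSIONS = frozenset("""
7z bak cer csv db dbf dmp docx eps ldf mdb mdf myd myi ora pdf pem pfx
ppt pptx psd rar rtf sql tar txt vdi vmdk vmx xls xlsx zip
""".split())

RANSOM_EXTENSION = ".5ss5c"

# Assumption: the .ru e-mail address is followed directly by the original
# file name. The source redacts the address, so any address of that shape
# is accepted; the domain match is non-greedy so the name is not consumed.
EMAIL_PREFIX = re.compile(
    r"^(?P<email>[A-Za-z0-9._-]+@[A-Za-z0-9.-]+?\.ru)(?P<rest>.+)$"
)


@dataclass
class Hit:
    path: str
    email: str
    original_name: str
    original_ext: str


def parse_5ss5c_name(path: str) -> Optional[Hit]:
    """Return a Hit if `path` follows the 5ss5c naming scheme, else None."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    if not name.lower().endswith(RANSOM_EXTENSION):
        return None
    m = EMAIL_PREFIX.match(name[: -len(RANSOM_EXTENSION)])
    if not m:
        return None
    original = m.group("rest")
    ext = original.rsplit(".", 1)[-1].lower() if "." in original else ""
    return Hit(path, m.group("email"), original, ext)


def scan(paths: Iterable[str]) -> Tuple[List[Hit], List[Hit]]:
    """Split hits into (known targeted extension, other extension)."""
    confirmed, suspicious = [], []
    for p in paths:
        hit = parse_5ss5c_name(p)
        if hit is None:
            continue
        (confirmed if hit.original_ext in TARGETED_EXTENSIONS else suspicious).append(hit)
    return confirmed, suspicious


# Constructed sample listing; "attacker@example.ru" is a placeholder address.
SAMPLE_LISTING = [
    r"C:\data\attacker@example.rubackup.bak.5ss5c",
    r"C:\data\attacker@example.runotes.md.5ss5c",
    r"C:\data\report.docx",
]
```

Files in the second list carry the prefix and suffix but an extension the write-up does not name, which is worth a second look rather than a dismissal.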


Duncan Newell

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
