A new ransomware strain has been discovered that not only encrypts user files, it prevents the device from booting. Satana ransomware encrypts the master boot record preventing thus disabling the computer it has infected.
The new ransomware strain appears to still be under development, yet it is active and poses a serious threat to businesses and individuals. At present, there is no fix for a Satana ransomware infection. If files are encrypted they can only be recovered from a backup or by paying the attacker’s ransom demand. If no backup exists and the ransom is not paid, a victim will permanently lose their files.
Most ransomware variants do not encrypt key operating system files and prevent booting. They only target users’ files. Documents, spreadsheets, databases, images, and a host of other file types are locked with encryption. Those files cannot be recovered without a decryption key, which is held by the attacker. Restoration of files from backup devices may be possible, provided they too have not been encrypted.
Satana ransomware is not unique in preventing the operating system from booting, but it is unusual. Petya ransomware, which was discovered in March 2016, similarly prevents the operating system from booting, although the method each ransomware strain uses is different.
Petya ransomware replaces the master boot record and launches a bootloader which subsequently encrypts the master file table. Satana ransomware does not actually encrypt the master file table, instead it just replaces it with code written by the attackers. The master boot record is encrypted and stored on the device. If the ransom is paid, a decryption key is allegedly supplied by the attackers that will allow the victim to restore the master boot record.
When Satana ransomware is installed on a device it searches for a range of files including documents, photos, and data files. Those files are then encrypted and the file extensions are replaced with new extensions. When the device is rebooted for the first time after Satana ransomware has run, the operating system will no longer run. Instead the screen will display a message to the user telling them their machine has been encrypted and that they must pay a 0.5 Bitcoin ($340) ransom for the decryption keys to recover their files and restore the device.
Researchers at Malwarebytes say that the ransomware is not mature and that it contains many flaws; however, it is highly probable that these will be fixed in later releases. When those flaws have been addressed it is probable that the ransomware will be distributed more widely.