Windows users face a new and particularly nasty threat: Satana ransomware. The latest ransomware variant prevents the operating system from booting in addition to encrypting user files. An infection will see a wide range of user files encrypted. The ransomware also replaces the master boot record (MBR) with a new version and encrypts the original. This will prevent the operating system from running the next time the computer is rebooted.
If the victim wants to recover their files and regain use of their machine, they must restore the locked files and reinstall the operating system. Alternatively, they will need to pay a ransom of 0.5 Bitcoin (approximately $340). However, since their computer will have been taken out of action, victims must use a second device in order to pay.
It may be possible for the victim to repair the master boot record and start up their computer, although this requires a level of technical skill that may be beyond many users.
Satana ransomware is not the first ransomware variant to prevent victims’ computers from booting. Petya ransomware also prevented a boot, although in that case two separate programs were used. With Satana ransomware, the file encryption and the encryption of the MBR are performed by the same program.
Instead of booting the OS, when the computer is restarted it will display a message to the user advising them to pay the ransom. The attackers claim they will supply an unlock code which will allow the victim to regain use of their computer and access their files. The victim is given 7 days to send the ransom payment or risk total loss of their files.
The ransom note also offers some advice to victims unwilling to pay up: “we recommend you format all your disks and reinstall your system.”
The new ransomware variant was discovered by S!Ri, a security researcher at Malwarebytes. S!Ri says that at the current time there is no free method of recovering files that have been encrypted with Satana ransomware. However, the software is not mature and contains a number of flaws. Those will undoubtedly be corrected in further releases of the ransomware. Malwarebytes says the new variant is “a work in progress.”