Researchers discovered new ransomware named Saturn which encrypts files and appends .saturn extension to the file
Researchers discovered new ransomware named Saturn which encrypts files and appends the .saturn extension to each file. The ransomware was first spotted by security researchers from MalwareHunterTeam. It is being actively distributed, but it is still not clear which distribution methods are used.

Working of Saturn Ransomware

After infecting a machine, the ransomware checks whether it is running in a virtual environment. If it is, it halts the process and exits. If not, the ransomware executes commands that delete shadow volume copies, disable Windows startup repair and clear the Windows backup catalog.

After these commands run, Saturn starts scanning for files and encrypts them. The file types encrypted by the ransomware are given below:

txt, psd, dwg, pptx, pptm, ppt, pps, 602, csv, docm, docp, msg, pages, wpd, wps, text, dif, odg, 123, xls, doc, xlsx, xlm, xlsb, xlsm, docx, rtf, xml, odt, pdf, cdr, 1cd, sqlite, wav, mp3, wma, ogg, aif, iff, m3u, m4a, mid, mpa, obj, max, 3dm, 3ds, dbf, accdb, sql, pdb, mdb, wsf, apk, com, gadget, torrent, jpg, jpeg, tiff, tif, png, bmp, svg, mp4, mov, gif, avi, wmv, sfk, ico, zip, rar, tar, backup, bak, ms11, ms11 (Security copy), veg, pproj, prproj, ps1, json, php, cpp, asm, bat, vbs, class, java, jar, asp, lib, pas, cgm, nef, crt, csr, p12, pem, vmx, vmdk, vdi, qcow2, vbox, wallet, dat, cfg, config

During encryption, it appends the .saturn extension to the file's name. Ransom notes named #DECRYPT_MY_FILES#.html and #DECRYPT_MY_FILES#.txt and a key file named #KEY-[id].KEY are added to each folder containing encrypted files.

The ransom note explains what happened to your files and contains a link to the TOR payment site at su34pwhpcafeiztt.onion. The ransomware also drops a #DECRYPT_MY_FILES#.vbs file, which plays an audio message to the victim, and sets #DECRYPT_MY_FILES.BMP as the desktop background. When the user opens the TOR payment site link, they are asked to upload the key file to authenticate. After the key is uploaded, a decryptor page is shown containing instructions such as the ransom amount to be paid and the address it should be sent to. Right now the ransom amount is $300, which doubles after seven days.

The Saturn ransomware is still under analysis by security experts. We will update you with further details when more information is available.

How to prevent yourself from the Saturn Ransomware:
- Perform regular backups. Ideally, this data should be kept on a separate device, and backups should be stored offline.
- Maintain updated antivirus software on all systems.
- Don't open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. If the URL looks genuine, close the e-mail and go to the organization's website directly through the browser.
- Keep the operating system and third-party applications (MS Office, Flash Player, browsers, browser plugins) up to date with the latest patches.
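The on-disk artifacts described above (the .saturn extension, the #DECRYPT_MY_FILES# notes, the #KEY-[id].KEY file) are what a responder looks for when triaging a suspected infection. The following scanner is an added example written for this page, not code from the original article or from any analysis team: it walks a directory tree, classifies each file against those names, and reports, per folder, how many encrypted files were found and whether a ransom note sits beside them. The sample directory layout it builds is constructed for the demo, and EXAMPLEID stands in for the per-victim id the page only shows as [id].

```python
"""Triage scanner for the file artifacts the Saturn write-up describes."""
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Artifact names as given in the write-up; compared case-insensitively because
# NTFS paths are case-insensitive.
ENCRYPTED_EXT = ".SATURN"
RANSOM_NOTE_NAMES = {
    "#DECRYPT_MY_FILES#.HTML",
    "#DECRYPT_MY_FILES#.TXT",
    "#DECRYPT_MY_FILES#.VBS",
    "#DECRYPT_MY_FILES.BMP",
}
# The key file is #KEY-[id].KEY; the id differs per infection, so match it loosely.
KEY_FILE_RE = re.compile(r"^#KEY-[^\\/]+\.KEY$", re.IGNORECASE)


def classify(filename: str) -> Optional[str]:
    """Return the artifact class for one file name, or None if it looks benign."""
    upper = filename.upper()
    if upper in RANSOM_NOTE_NAMES:
        return "ransom_note"
    if KEY_FILE_RE.match(filename):
        return "key_file"
    if upper.endswith(ENCRYPTED_EXT):
        return "encrypted_file"
    return None


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk root and collect the relative path of every artifact, grouped by class."""
    hits: Dict[str, List[str]] = {"ransom_note": [], "key_file": [], "encrypted_file": []}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            kind = classify(name)
            if kind is not None:
                rel = Path(dirpath, name).relative_to(root).as_posix()
                hits[kind].append(rel)
    for paths in hits.values():
        paths.sort()  # deterministic output for reports and tests
    return hits


def affected_folders(hits: Dict[str, List[str]]) -> Dict[str, dict]:
    """For each folder holding encrypted files: count them and note whether a ransom note is present.

    The write-up says a note is dropped in every folder with encrypted files, so a
    folder with encrypted files and no note is worth a second look during triage.
    """
    note_dirs = {Path(p).parent.as_posix() for p in hits["ransom_note"]}
    summary: Dict[str, dict] = {}
    for p in hits["encrypted_file"]:
        folder = Path(p).parent.as_posix()
        entry = summary.setdefault(folder, {"encrypted": 0, "has_note": folder in note_dirs})
        entry["encrypted"] += 1
    return summary


def build_sample_tree(root: str) -> None:
    """Write a constructed directory layout; none of this is real infection data."""
    layout = [
        "docs/report.docx.saturn",
        "docs/#DECRYPT_MY_FILES#.html",
        "docs/#DECRYPT_MY_FILES#.txt",
        "docs/#KEY-EXAMPLEID.KEY",          # EXAMPLEID is a placeholder for the per-victim id
        "pictures/holiday.jpg.saturn",
        "pictures/#DECRYPT_MY_FILES#.txt",
        "archive/backup.zip.saturn",        # encrypted file with no note beside it
        "clean/notes.txt",
        "clean/saturn_research.pdf",        # contains the word but is not an artifact
    ]
    for rel in layout:
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"")


def demo():
    """Build the constructed tree in a temp dir, scan it, and return (hits, folder summary)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        hits = scan_tree(root)
        return hits, affected_folders(hits)


if __name__ == "__main__":
    found, folders = demo()
    for kind, paths in found.items():
        print(f"{kind}: {len(paths)}")
        for p in paths:
            print(f"  {p}")
    for folder, info in sorted(folders.items()):
        print(f"{folder}: {info['encrypted']} encrypted, note present: {info['has_note']}")
```

Point scan_tree at a real mount (a user profile, a file share) instead of the temp directory to get an inventory of what was touched; the per-folder summary is also a quick way to confirm that backups restored from offline media no longer contain any of these artifacts.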