A new threat, Saturn ransomware, has been recently identified by security researchers at MalwareHunterTeam. This malware derives its name from the extension added to encrypted files (.saturn).
Though it is simple enough to determine the ransomware variant used in an attack, this will be of little use to unsuspecting device owners as there is currently no decryptor available to rescue files.
Just one infection can rapidly spread laterally, encrypting files on the infected device as well as database shares. Rescuing files from backups may prove difficult, as Saturn ransomware searches for and erases shadow volume copies. It then clears the Windows backup catalog and turns off Windows startup repair.
If no viable backup is maintained, the victim must pay a ransom in bitcoin of around $300 per infected device. If payment is not completed within 7 days of infection, the ransom doubles.
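The three backup-destruction actions described above are a useful detection opportunity. The Python snippet below is an added illustration (not from the article or from the researchers it cites): it scans constructed process-creation log lines for those actions. The command lines it matches are typical Windows commands for each action and are assumed here for illustration, since the article does not quote the exact commands Saturn runs.

```python
import re

# Constructed sample process-creation log lines (Sysmon Event ID 1 style),
# not real telemetry from an infected host.
SAMPLE_LOGS = [
    'Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin delete shadows /all /quiet"',
    'Image=C:\\Windows\\System32\\wbadmin.exe CommandLine="wbadmin delete catalog -quiet"',
    'Image=C:\\Windows\\System32\\bcdedit.exe CommandLine="bcdedit /set {default} recoveryenabled no"',
    'Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin list shadows"',
    'Image=C:\\Windows\\explorer.exe CommandLine="explorer.exe"',
]

# One rule per action the article describes (label, regex over the command line).
# The command forms are assumed typical ones, not Saturn's own.
RULES = [
    ("shadow copy deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("backup catalog deletion", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("startup repair disabled", re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I)),
]

CMD_RE = re.compile(r'CommandLine="([^"]*)"')


def extract_command_line(line):
    """Pull the quoted CommandLine value out of one log line ('' if absent)."""
    m = CMD_RE.search(line)
    return m.group(1) if m else ""


def scan(lines):
    """Return a list of (label, command_line) for every line matching a rule."""
    hits = []
    for line in lines:
        cmd = extract_command_line(line)
        for label, rx in RULES:
            if rx.search(cmd):
                hits.append((label, cmd))
    return hits


def is_backup_destruction_sequence(hits):
    """True when all three actions appear together, which is far more
    suspicious than any one of them (admins do legitimately prune shadows)."""
    seen = {label for label, _ in hits}
    return all(label in seen for label, _ in RULES)


if __name__ == "__main__":
    found = scan(SAMPLE_LOGS)
    for label, cmd in found:
        print(f"[{label}] {cmd}")
    print("full backup-destruction sequence:", is_backup_destruction_sequence(found))
```

In practice the same rules map onto Sysmon or Security event 4688 command-line fields, with the combined-sequence check reducing false positives from routine administration.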
As is the case with many new ransomware variants, attacks can come from anywhere. This is due to the fact that the new ransomware variant is being provided to affiliates as ransomware-as-a-service.
Ransomware-as-a-service gives malware developers the power to maximize the number of infections – and profits – by recruiting a large team of distributors who send spam emails, load the ransomware onto malicious websites, and push the malicious software onto devices by taking advantage of weak security defenses. In exchange for their efforts, affiliates are allocated a percentage of the ransom payments that are made.
The developers of Saturn ransomware have made it very simple for affiliates. A portal has been produced that allows affiliates to obtain copies of the ransomware binary, either as standalone exe files or embedded in Office, PDF or other documents. To encourage affiliates to use this ransomware variant rather than other RaaS offerings, the developers are offering them a large share of the ransom payments – 70%.
The simplicity of running campaigns, along with the potential rewards for each infection, means many affiliates are likely to start using the new ransomware variant in hacking campaigns. The new variant is already being offered on various darknet forums.