A new type of hacking campaign using Satan ransomware is being offered free of charge to any would-be hacker or cybercriminal through an affiliate model known as ransomware-as-a-service, or RaaS. The idea behind RaaS is basic. Developers of ransomware can infect more computers and networks if they get a team to help distribute their malicious software. Anyone willing to spend a little time distributing the ransomware will receive a portion of any profits.
Ransomware authors usually charge a nominal fee for individuals to take part in these RaaS schemes, along with taking a percentage of any ransom payments that are generated. In the case of Satan ransomware, the developers offer RaaS completely free of charge. Anyone who wants to share the malicious software is free to do so. In exchange for their efforts, they get to keep 70% of the ransom payments they generate. The other 30% goes to the ransomware authors. As a reward for effort, the group behind the RaaS also offers higher percentages as infections rise. All that is required to begin is to create a username and password. Access to the ransomware kit can then be obtained.
What is worrying is how easy it is to take part in this RaaS scheme and custom-craft the malware. The gang responsible for the campaign has developed an affiliate console that allows the malware to be amended. The ransom amount can be easily set, as can the time frame for making payments and how much the ransom will rise if the payment deadline is exceeded.
Help is also given with the distribution of the malware. Assistance is supplied to make droppers that install the malware on victims’ systems. Help is provided to create malicious Word macros and CHM installers that can be used in spam email campaigns. Help is also given to encrypt the ransomware to avoid detection. Even multi-language support is available. Any would-be hacker can craft ransom demands in multiple languages via the RaaS affiliate console.
Satan ransomware carries out a check to determine if it is running on a virtual machine. If it is, the ransomware will disable itself. If not, it will run and will look for over 350 different file types. Those files will be locked with powerful encryption. File extensions are altered to .stn and the file names are scrambled to make it harder for victims to pinpoint individual files. The ransomware will also wipe all free space on the hard drive before the ransom demand is placed onto the desktop.
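The rename behavior described above (new extension .stn, scrambled base name) gives defenders a simple burst signal. The following is an added example, not taken from the original article or any vendor tool: it flags a process that performs several such renames in a short window. The event layout (timestamp, pid, old path, new path), the threshold and the window are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from pathlib import PureWindowsPath

STN_EXT = ".stn"  # extension the article says Satan ransomware applies

def is_stn_rename(old_path, new_path):
    """True when a non-.stn file is renamed to .stn with a different base name."""
    old, new = PureWindowsPath(old_path), PureWindowsPath(new_path)
    return (new.suffix.lower() == STN_EXT
            and old.suffix.lower() != STN_EXT
            and old.stem.lower() != new.stem.lower())

def detect_stn_bursts(events, threshold=3, window=10.0):
    """Return {pid: alert_time} for processes with >= threshold matching
    renames inside `window` seconds (both values are assumed defaults)."""
    recent = defaultdict(deque)   # pid -> timestamps of matching renames
    alerts = {}
    for ts, pid, old_path, new_path in sorted(events):
        if not is_stn_rename(old_path, new_path):
            continue
        q = recent[pid]
        q.append(ts)
        while q and ts - q[0] > window:   # drop renames outside the window
            q.popleft()
        if len(q) >= threshold and pid not in alerts:
            alerts[pid] = ts
    return alerts

# Constructed sample events: (timestamp_seconds, pid, old_path, new_path)
SAMPLE_EVENTS = [
    (100.0, 4120, r"C:\Users\a\Documents\report.docx", r"C:\Users\a\Documents\kq3vx0.stn"),
    (100.4, 4120, r"C:\Users\a\Documents\budget.xlsx", r"C:\Users\a\Documents\p9zl2m.stn"),
    (100.9, 4120, r"C:\Users\a\Pictures\site.jpg", r"C:\Users\a\Pictures\w71hbd.stn"),
    (101.0, 880, r"C:\Temp\draft.tmp", r"C:\Temp\draft.docx"),    # ordinary save
    (50.0, 2300, r"C:\Data\old.dat", r"C:\Data\archive.stn"),     # isolated rename
    (300.0, 2300, r"C:\Data\old2.dat", r"C:\Data\archive2.stn"),  # too far apart
]

if __name__ == "__main__":
    for pid, ts in detect_stn_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT pid={pid} burst of .stn renames at t={ts}")
```

In practice the events would come from file-system auditing or EDR telemetry, and an alert should trigger isolation of the host before more files are encrypted.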
There is no decryptor available for Satan ransomware. Recovery without paying the ransom will depend on victims being able to restore files from backups. As the ransomware also encrypts backup files, those backups will have to be located in the cloud or on isolated devices.