When a ransomware calls itself “Satana”, you just know it’s going to be dangerous. True to its devilish name, Satana encrypts your user files and your master boot record to effectively lock down your PC and prevent you from booting into the OS.
Satana, by the way, means Satan in Italian (and Romanian, for what it’s worth). Surprisingly, the malware appears to still be in development, although working versions are already circulating in the wild.
The malware was spotted by researchers at Malwarebytes, who claim the ransomware is actively in development but still functional in its current form.
Satana is the second known ransomware that attacks the master boot record, or MBR. Typical ransomware loads once your OS has started, leaving you at least some ability to use your computer. Ransomware that targets the MBR, however, prevents you from loading the OS at all, because it encrypts the MBR itself.
When your computer can’t find the MBR, it doesn’t know which partition contains the OS, and your OS won’t launch.
The MBR is Replaced With New Code
What makes Satana particularly lethal is that it doesn’t just encrypt the MBR: it replaces the MBR with its own code. Thus, when you try to launch your computer, it launches with the ransomware in complete control.
At the same time, Satana stores an encrypted version of the original MBR on your system, so if you pay the ransom, Satana will reboot your system.
Satana doesn’t encrypt the master file table, or MFT – which is something we’ve seen from the one other ransomware program targeting the MBR (called Petya). That’s a good thing: it makes it easier to restore your system, although your computer is still unbootable.
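To make the MBR layout concrete, here is an added example (not from the article or from Malwarebytes) that parses a 512-byte MBR sector and compares it to a known-good copy, flagging replaced boot code separately from a changed partition table. It assumes you saved a copy of sector 0 beforehand; the function names and the sample sectors are constructed for illustration.

```python
import hashlib
import struct

BOOT_CODE_LEN = 440      # bytes 0-439 hold boot code; 440-445 the Windows disk signature
PT_OFFSET = 446          # four 16-byte partition entries start here
SIGNATURE = b"\x55\xaa"  # boot signature at bytes 510-511


def parse_mbr(sector):
    """Return the boot-code hash, used partition entries and signature check."""
    if len(sector) != 512:
        raise ValueError("an MBR sector is exactly 512 bytes")
    parts = []
    for i in range(4):
        entry = sector[PT_OFFSET + 16 * i: PT_OFFSET + 16 * (i + 1)]
        lba_start, count = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0:  # partition type 0 marks an unused slot
            parts.append({"index": i, "active": entry[0] == 0x80,
                          "type": entry[4], "lba_start": lba_start, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parts,
            "valid_signature": sector[510:512] == SIGNATURE}


def compare_to_baseline(current, baseline):
    """List the ways the current sector deviates from the saved known-good copy."""
    cur, base = parse_mbr(current), parse_mbr(baseline)
    findings = []
    if not cur["valid_signature"]:
        findings.append("missing 0x55AA boot signature")
    if cur["boot_code_sha256"] != base["boot_code_sha256"]:
        findings.append("boot code differs from baseline")
    if cur["partitions"] != base["partitions"]:
        findings.append("partition table differs from baseline")
    if not any(p["active"] for p in cur["partitions"]):
        findings.append("no active (bootable) partition")
    return findings


def make_sample(boot_code):
    """Constructed sample sector (not a real disk image): one active NTFS-type entry."""
    entry = struct.pack("<B3sB3sII", 0x80, bytes(3), 0x07, bytes(3), 2048, 1000000)
    return boot_code.ljust(BOOT_CODE_LEN, b"\0") + bytes(6) + entry + bytes(48) + SIGNATURE


if __name__ == "__main__":
    baseline = make_sample(b"\xfa\x33\xc0")          # constructed "original" boot code
    replaced = make_sample(b"\xeb\x10constructed")   # constructed "replaced" boot code
    print(compare_to_baseline(replaced, baseline))
```

A result that reports only changed boot code with the partition table intact is the case where rewriting the boot code alone may be enough to make the disk bootable again.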
The Ransom is 0.5 Bitcoin, or About $340 USD
Like most ransomware programs, Satana gives you a ransom demand of between $300 and $600. In this case, it’s 0.5 BTC, or about $340 USD.
Prior to demanding that ransom, Satana will silently encrypt your files and wait for the first reboot, at which point your MBR is replaced and you will see a ransom demand of 0.5 Bitcoin.
How to Decrypt your Files and Remove Satana
As with many ransomware programs, there’s unfortunately no free way to decrypt your files, or at least none that we know about.
However, you may be able to repair the MBR using the Windows recovery options, although that means working with the Windows boot recovery tool (bootrec.exe), which is beyond the ability of average users.
This is a doozy of a ransomware program. It’s still in development, and the version circulating now is likely to be used as a base for future, more devastating improvements. Keep an eye out and practice good ransomware avoidance strategies. You absolutely do not want to get Satana.