A new ransomware strain dubbed 5ss5c encrypts only certain files and stops database-related services and processes.

5ss5c ransomware believed to be developed by threat actors behind Satan, DBGer, Lucky and Iron ransomware.

The threat actors behind the ransomware actively developing the ransomware, last April they have added EternalBlue exploit functionality with the ransomware.

5ss5c Ransomware

Blaze Security believes that 5ss5c is active since at least from November 2019 and the ransomware is still in development.

The ransomware includes a downloader, spreader modules. It uses Certutil to check the download is successful or not.

5ss5c includes several Satan ransomware artefacts includes Tactics, Techniques, and Procedures, when compared to Satan, 5ss5c uses multiple packers to protect their droppers and payloads.

Following are the tools it downloads

  • Spreader (EternalBlue and hardcoded credentials);
  • Mimikatz and what appears another password dumper/stealer;
  • The actual ransomware.

How the Ransomware Operates

The ransomware contains a scanning module ‘SSSS_Scan‘; and an encryption module ‘5ss5c_CRYPT‘. It contains an exception list, avoid encrypting those files and folders. Also, it stops the database process if any.

Excluded Folders

It encrypts files only with the following extensions, mostly compressed file;

7z, bak, cer, csv, db, dbf, dmp, docx, eps, ldf, mdb, mdf, myd, myi, ora, pdf, pem, pfx, ppt, pptx, psd, rar, rtf, sql, tar, txt, vdi, vmdk, vmx, xls, xlsx, zip

Once encryption completed it creates a text file in Chinese name, translated as “How to decrypt my file_.txt” and the ransom note also in Chinese.

Ransom Note

Translated version

“Some files have been encrypted
If you want to retrieve the encrypted file, send (1) Bitcoins to my wallet
If payment is not completed within 48 hours from the start of encryption, the amount of decryption will double.
If you have other questions, you can contact me by email
Your decryption credentials are: Email: [[email protected]]”

The new 5ss5c ransomware is likely to replace Satan, but it needs more enhancements.

Here you can find the Virustotal results, downloader, spreader & ransomware.

Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.