SatanCD Ransomware
[Virus/Malware Activity Reported: SatanCD Ransomware]
We are aware of a security incident suspected to involve the SatanCD ransomware and
are providing the following information and warning regarding the situation.
SatanCD ransomware
The ransomware is called SatanCD and appears to rename all files to the form filename.extension.encrypted.
How it works
File version
[Figure 1 Ransomware executable compiler information]
[Figure 2 File information in Windows properties]
Ransomware behavior characteristics
SatanCD ransomware, developed in C# .NET, copies itself to the %APPDATA% (Roaming) location upon initial execution and then re-executes from there. It then places a link to the ransomware executable in the Startup folder so that it runs again at logon. It includes a duplicate-execution check so that only one instance runs at a time. Upon infection, it deletes shadow copies and backup catalogs, and disables Windows Restore and error notifications to prevent system recovery. While it primarily targets the Windows root drive, it can also create the file surprise.exe on other drives, which can lead to further spread and infection when removable drives are used.
[Figure 3: Static code of cmd command used in the attack]
[Figure 4 Creating a run link in the Startup Programs folder]
Infection results
After encryption is complete, a ransom note named Warning.txt is created in each folder, and each encrypted file is renamed to <filename.extension.encrypted>.
[Figure 5 Infection Results]
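The artifacts described above (Warning.txt in each folder, the .encrypted suffix, and surprise.exe on other drives) can be correlated during triage of a drive. The following is an added example, not code from the original write-up or from WhiteDefender; the function names and the sample tree are constructed for illustration, and treating a note without renamed files as only a weak signal is an assumption.

```python
import os
import tempfile
from pathlib import Path

NOTE_NAME = "warning.txt"       # ransom note (Warning.txt), per the write-up
ENC_SUFFIX = ".encrypted"       # extension appended to encrypted files
DROPPER_NAME = "surprise.exe"   # copy created on other drives

def triage(root):
    """Walk `root` (a drive or mount point) and correlate the three artifacts."""
    report = {"dropper": None, "confirmed_dirs": [], "note_only_dirs": [],
              "encrypted_files": 0}
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        lower = [name.lower() for name in files]   # Windows names are case-insensitive
        if Path(dirpath) == Path(root) and DROPPER_NAME in lower:
            report["dropper"] = os.path.join(dirpath, files[lower.index(DROPPER_NAME)])
        encrypted = [n for n in lower if n.endswith(ENC_SUFFIX) and n != ENC_SUFFIX]
        report["encrypted_files"] += len(encrypted)
        has_note = NOTE_NAME in lower
        if has_note and encrypted:
            report["confirmed_dirs"].append(dirpath)   # note + renamed files together
        elif has_note:
            report["note_only_dirs"].append(dirpath)   # weak signal on its own
    return report

def build_sample_tree(base):
    """Constructed sample data: one affected folder, one benign folder."""
    docs = Path(base) / "docs"
    clean = Path(base) / "clean"
    docs.mkdir()
    clean.mkdir()
    for name in ("report.docx.encrypted", "photo.jpg.encrypted", "Warning.txt"):
        (docs / name).write_bytes(b"constructed sample")
    (clean / "Warning.txt").write_text("unrelated note")   # benign look-alike
    (clean / "notes.txt").write_text("untouched")
    (Path(base) / "surprise.exe").write_bytes(b"constructed placeholder, not malware")
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for key, value in triage(build_sample_tree(tmp)).items():
            print(f"{key}: {value}")
```

Run it against the root of each mounted volume, including removable drives, since the dropper check only looks at the top level of the path it is given.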
White Defender response
WhiteDefender also supports real-time automatic restoration of files that were encrypted before the ransomware's malicious actions were detected and blocked.
Watch the SatanCD blocking video