
New 5ss5c Ransomware Attacks Windows Computers, Encrypts Only Selected Files and Stops Database-Related Services

May 26, 2026

A new ransomware strain dubbed 5ss5c encrypts only certain files and stops database-related services and processes.

The threat actors behind the ransomware are actively developing it; last April they added EternalBlue exploit functionality to the ransomware.

5ss5c Ransomware

Blaze Security believes that 5ss5c has been active since at least November 2019 and that the ransomware is still in development.

The ransomware includes downloader and spreader modules. It uses Certutil to check whether the download was successful.

5ss5c carries several Satan ransomware artefacts, including its tactics, techniques, and procedures. Compared to Satan, 5ss5c uses multiple packers to protect its droppers and payloads.

It downloads the following tools:

  • Spreader (EternalBlue and hardcoded credentials);
  • Mimikatz and what appears to be another password dumper/stealer;
  • The actual ransomware.

How the Ransomware Operates

The ransomware contains a scanning module, 'SSSS_Scan', and an encryption module, '5ss5c_CRYPT'. It contains an exception list of files and folders that it avoids encrypting. It also stops database processes, if any are running.
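One way a defender might hunt for the two host behaviours described above, a Certutil run followed by database services stopping, as an added example that is not from the original article or from Blaze Security. The event schema, host names, service-name keywords and the 10-minute window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events in an assumed, simplified schema:
# (timestamp, host, kind, name); "proc" = process start, "svc_stop" = service stopped.
EVENTS = [
    ("2020-01-14T09:00:05", "ws-12", "proc", "certutil.exe"),
    ("2020-01-14T09:03:40", "ws-12", "svc_stop", "MSSQLSERVER"),
    ("2020-01-14T09:03:42", "ws-12", "svc_stop", "MySQL80"),
    ("2020-01-14T10:15:00", "db-01", "svc_stop", "MSSQLSERVER"),      # no certutil before it
    ("2020-01-14T11:00:00", "ws-07", "proc", "certutil.exe"),         # no stop in the window
    ("2020-01-14T13:30:00", "ws-07", "svc_stop", "OracleServiceXE"),  # 2.5 hours later
]

# Assumed keywords for "database-related" services; the article does not list them.
DB_HINTS = ("sql", "oracle", "postgres", "mongo")


def is_db_service(name):
    return any(hint in name.lower() for hint in DB_HINTS)


def correlate(events, window_minutes=10):
    """Map host -> database services that stopped within the window after a
    certutil.exe launch on that same host."""
    window = timedelta(minutes=window_minutes)
    last_certutil = {}   # host -> time of most recent certutil launch
    hits = {}
    for ts, host, kind, name in sorted(events):   # ISO timestamps sort chronologically
        when = datetime.fromisoformat(ts)
        if kind == "proc" and name.lower() == "certutil.exe":
            last_certutil[host] = when
        elif kind == "svc_stop" and is_db_service(name):
            seen = last_certutil.get(host)
            if seen is not None and when - seen <= window:
                hits.setdefault(host, []).append(name)
    return hits


if __name__ == "__main__":
    for host, services in correlate(EVENTS).items():
        print(f"{host}: certutil run followed by stop of {', '.join(services)}")
```

Certutil runs and service restarts both occur in normal administration, so the signal here is the pairing on one host inside a short window, not either event alone.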

Excluded Folders

It encrypts only files with the following extensions, mostly compressed files:

7z, bak, cer, csv, db, dbf, dmp, docx, eps, ldf, mdb, mdf, myd, myi, ora, pdf, pem, pfx, ppt, pptx, psd, rar, rtf, sql, tar, txt, vdi, vmdk, vmx, xls, xlsx, zip

Once encryption is complete, it creates a text file with a Chinese name, translated as “How to decrypt my file_.txt”; the ransom note is also in Chinese.

Ransom Note

Translated version

“Some files have been encrypted
If you want to retrieve the encrypted file, send (1) Bitcoins to my wallet
If payment is not completed within 48 hours from the start of encryption, the amount of decryption will double.
If you have other questions, you can contact me by email
Your decryption credentials are: Email: [5ss5c@mail.ru]”

The new 5ss5c ransomware is likely to replace Satan, but it needs more enhancements.

Here you can find the VirusTotal results, downloader, spreader & ransomware.

Source: CybersecurityNews.com
