Ransomware uses unprecedented technology to challenge company defenses
Kaspersky Lab experts have discovered a new ransomware family, called , that employs advanced techniques to evade detection while encrypting victim organizations' data.
The malware is named after an irregular moon of Saturn whose orbit runs opposite to the planet's rotation; the name reflects the unconventional combination of memory-management functions the malware uses. Researchers found it while analyzing a multi-stage attack on an unnamed organization in Colombia.
First, the attacker deployed an information stealer to harvest employees' corporate credentials. This gave them access to the network and let them maintain control long enough to deploy the ransomware. Up to that point the behavior is typical of an initial access broker (): brokers normally sell access to a compromised network on the dark web to other attackers. In this case, however, the same actor used the access to launch ransomware. When the "broker" and the ransomware operator are the same party, the attack deviates from the mainstream model: the attacker gains additional options without depending on the established ransomware-as-a-service ecosystem ().
Notably, the attackers used a non-standard combination of memory-management functions to execute the malicious code directly in memory. This differs from the sequential execution flow typical of ransomware and makes detection harder. The malware also encrypts files selectively, giving the operators finer control: a command-line path argument tells it which directories to search for data, and any file on its whitelist is skipped and left unencrypted.
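To make the scoping behavior concrete, the following is an added example, not Kaspersky's code and not the ransomware itself: it models only the file-selection step described above (directories supplied as a path argument, whitelisted files skipped) and never encrypts anything. The whitelist entries, directory names and the sample directory tree are constructed for the example and are not the malware's actual lists.

```python
"""Model of selective targeting: walk only the supplied roots, skip the
whitelist. Added example; the whitelist values below are assumptions."""
import os
import tempfile
from pathlib import Path

# Constructed whitelist (assumption): things a ransomware operator typically
# leaves alone so the host still boots and the ransom note stays readable.
WHITELIST_EXTENSIONS = {".exe", ".dll", ".sys", ".lnk"}
WHITELIST_NAMES = {"README.txt", "desktop.ini"}
WHITELIST_DIRS = {"Windows", "Program Files", "$Recycle.Bin"}


def is_whitelisted(path: Path) -> bool:
    """True if the file name, its extension, or any directory on its path
    matches the whitelist."""
    if path.name in WHITELIST_NAMES or path.suffix.lower() in WHITELIST_EXTENSIONS:
        return True
    return any(part in WHITELIST_DIRS for part in path.parts)


def select_targets(roots):
    """Walk only the given root directories (the path-argument equivalent)
    and return the files that would be processed, in sorted order.
    Nothing outside the roots is ever visited."""
    targets = []
    for root in roots:
        root = Path(root)
        if not root.is_dir():
            continue  # a non-existent root is ignored rather than aborting the run
        for dirpath, dirnames, filenames in os.walk(root):
            # Prune whitelisted directories in place so os.walk never descends into them.
            dirnames[:] = [d for d in dirnames if d not in WHITELIST_DIRS]
            for name in filenames:
                candidate = Path(dirpath) / name
                if not is_whitelisted(candidate):
                    targets.append(candidate)
    return sorted(targets)


def build_sample_tree(base: Path):
    """Create a constructed directory layout that exercises every skip rule."""
    files = [
        "share/finance/q3.xlsx",      # selected
        "share/finance/README.txt",   # skipped: whitelisted file name
        "share/tools/backup.exe",     # skipped: whitelisted extension
        "share/Windows/system.log",   # skipped: whitelisted directory (pruned)
        "home/alice/notes.docx",      # selected
        "outside/secret.db",          # never visited: not under any root
    ]
    for rel in files:
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("sample")


def demo():
    """Build the constructed tree in a temp dir and return the selected files
    as root-relative POSIX paths."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        build_sample_tree(base)
        roots = [base / "share", base / "home", base / "missing"]
        return [p.relative_to(base).as_posix() for p in select_targets(roots)]


if __name__ == "__main__":
    for f in demo():
        print(f)
```

The two rules that matter for a defender are visible in `select_targets`: the walk is bounded by the supplied roots (a file such as `outside/secret.db` is never examined), and whitelisted directories are pruned from `dirnames` before descent rather than filtered afterwards, so the malware's footprint in file-access telemetry is limited to the directories it actually intends to encrypt.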
The ransomware uses a modern stream cipher that is fast and secure and, in the researchers' assessment, outperforms the Advanced Encryption Standard (AES) for this purpose. The attackers have not publicly claimed data theft or made any demands, and experts are monitoring for new activity. So far no known group has been observed using this ransomware. Attackers usually post stolen data on leak sites or dark-web forums to pressure victims into paying a ransom; that has not happened here, so the identity of the operators remains unknown. We believe this could be a new campaign.