This article is about the ransomware. For the email worm, see Satan. For the DOS virus, see Satan-B.

Satan is a ransomware that runs on Microsoft Windows. It is part of Ransomware as a Service, or RaaS.

When a person first goes to the Satan RaaS they will be greeted with a home page that describes what the service is and how a criminal can make money with it.

The first page that is shown when someone logs in is the Malwares page, which allows a criminal to configure various settings of their very customized version of the Satan Ransomware. In terms of customization, there is not really many options. A user can specify the ransom amount, how much it goes up after a certain amount of the days, and the amount of days that the ransom payment should increase.


When the Satan Ransomware is installed it will check to see if it is running under a virtual machine, and if it is, will terminate. Once executed it will inject itself into TaskHost.exe and begin to encrypt the data on the computer. It is currently unknown what encryption algorithm Satan uses, but it will target files with the following extensions:

.incpas, .mp4, .pab, .st6, .sas7bdat, .wmv, .backup, .drf, .ibank, .3ds, .odg, .cer, 
.tif, .cs, .dotx, .7z, .png, .bak, .ibz, .db3, .pbl, .3fr, .dxf, .nk2, .bkp, .mdf, 
.svg, .xlm, .3dm, .pct, .java, .pot, .sxi, .ibd, .sxw, .pspimage, .ppt, .kbx, .ppsm, 
.ndd, .txt, .pdb, .say, .backupdb, .fla, .swf, .asx, .accdt, .mp3, .ycbcra, .erf, .cr2, 
.pfx, .potx, .qby, .sqlite, .blend, .class, .pat, .odp, .gray, .qbw, .tib, .thm, .htm, 
.mos, .rm, .key, .std, .tlg, .lua, .pst, .sqlitedb, .grey, .cdr4, .dc2, .ce1, .ps, .tex, 
.eml, .xlam, .pages, .st8, .jar, .st7, .potm, .sdf, .db-journal, .pcd, .aspx, .rwl, .kpdx, 
.fmb, .xlr, .gry, .kc2, .oil, .moneywell, .xlk, .sti, .accdr, .oth, .c, .xml, .nd, .mdb, 
.pem, .erbsql, .bpw, .ffd, .ost, .pptm, .dwg, .zip, .qbm, .cdx, .des, .dng, .pdd, .cfp, 
.nyf, .cgm, .sldm, .xla, .odf, .raf, .crw, .mef, .raw, .x11, .nsd, .fff, .design, .dcs, 
.ptx, .al, .ns2, .bik, .back, .accdb, .nwb, .cpi, .ads, .odt, .sqlite3, .docm, .drw, .pl, 
.nx2, .fpx, .rdb, .otp, .msg, .accde, .agdl, .php, .csv, .py, .rtf, .ach, .sda, .ddd, .asf, 
.dotm, .cmt, .h, .hbk, .xlsx, .s3db, .tga, .wav, .iif, .dxb, .sql, .db, .sd0, .bgt, .djvu, .jpg, 
.doc, .craw, .mpg, .sxd, .kdc, .jpeg, .psafe3, .flac, .dtd, .act, .qba, .vob, .cdrw, .eps, .bkf, 
.mdc, .rar, .mov, .cdf, .m4v, .ab4, .bank, .pps, .cib, .dot, .dgc, .exf, .flv, .xlsb, .ddrw, .adb, 
.srw, .plc, .csh, .xls, .fxg, .otg, .pas, .xlt, .indd, .rwz, .xltx, .apj, .stw, .xltm, .orf, .ott, 
.qbb, .max, .cls, .obj, .docx, .dcr, .cdr3, .qbx, .pdf, .nef, .ots, .srt, .ddoc, .rat, .phtml, .m, 
.dbx, .nxl, .avi, .p12, .awg, .dbf, .ns3, .mmw, .prf, .wallet, .rw2, .jin, .odc, .qbr, .ppsx, .ns4, 
.wpd, .wps, .nsh, .dxg, .fhd, .dac, .wb2, .nrw, .odb, .ait, .jpe, .odm, .sldx, .fdb, .acr, .war, .oab, 
.sxc, .cpp, .r3d, .hpp, .asm, .st5, .stx, .xis, .dds, .xlsm, .p7c, .cdr5, .3g2, .mrw, .sr2, .html, .cdr, 
.idx, .st4, .bdb, .kdbx, .nsg, .der, .ods, .myd, .nop, .ppam, .pptx, .yuv, .xlw, .mfw, .nsf, .csl, .php5, 
.p7b, .crt, .asp, .srf, .jsp, .cdr6, .sxm, .iiq, .3gp, .ce2, .arw, .bay, .ai, .sxg, .psd, .3pr, .fh, .pef, 
.x3f, .sik, .bpp, .vmdk, .spi, .bup, .cvt, .bb, .fkc, .tjl, .dbk, .swp, .fb, .vib, .dtb, .bke, .old, .bkc, 
.jou, .rpb, .abk, .sav, .bkn, .tbk, .fbw, .vrb, .spf, .bk, .sbk, .umb, .ac, .vbk, .wbk, .mbk

When it has encrypted a file, it will scramble its name and append the .stn extension to the file. For example, test.jpg may become ahasd.stn. While encrypting files it will also create a ransom note called HELP_DECRYPT_FILES.html in each folder that a file has been encrypted. 

When it has finished encrypting the computer, it will execute the C:\Windows\System32\cipher.exe" /W:C command to wipe all data from the unused space on the C: Drive.

Finally it will display the ransom note, which contains a unique victim ID and a URL to a TOR payment site.

Community content is available under CC-BY-SA unless otherwise noted.