Emerging ransomware Satana encrypts files and blocks user access

Still in development, the Trojan virus is an aggressive combination of two malware strains that corrupts a Windows Master Boot Record.
By Jessica Davis
04:34 PM

There’s a looming ransomware strain on the horizon, and it combines two malware strains into one for greater impact. Aptly named Satana, Italian for devil or Satan, is an aggressive form of ransomware that wreaks havoc in two steps, according to the blog of internet security company Malwarebytes.

Satana is actually part of a copycat family, developed from malware-strain Petya, which blocks user access by infiltrating low-level structures. This differs from typical ransomware, which encrypts files one at a time.

The virus’s first mode is similar to Petya, as it uses a typical portable executable (PE) file, or dropper, to infect and rewrite the low-level module, or bootloader, with a customized, tiny kernel, the blog authors wrote.


Satana’s second mode is similar to the ransomware bundle, Mischa, which acts as traditional ransomware and encrypts a system’s files one-by-one and demands a ransom for their release, according to Malwarebytes researchers.

Petya and Mischa are frequently used together by cybercriminals as something of an insurance policy for Petya, the authors explained. If the first mode of the ransomware fails, Mischa is released. Satana takes it a step further and combines both forms to infect the entire system in two steps.

The application triggers a User Account Control (UAC) notification that will continue to repeat until the user clicks “Yes.” After Satana is executed, it creates a copy of itself hidden in the system’s temporary files. The malware writes the malicious code and then begins to encrypt files.

The virus is installed silently and doesn’t present any error screens, the blog authors explained. The malicious modules are written at the beginning of the disk and wait for a computer to reboot to display the ransom note.

Satana announces its every action, which, the Malwarebytes authors explained, “may suggest that the product is still at the early stage of development.”

“[Satana] displays some interesting features, but also contains flaws,” the authors added. “The low-level attack code looks unfinished – but authors show an interest in developing the product in this direction and we can expect that in the next version it will be improved.”


Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com

