The cybercrime group behind Satan ransomware and other malware seems to be involved in the development of a new threat named 5ss5c.

The threat actors behind the Satan, DBGer and Lucky ransomware and likely Iron ransomware, is back with a new piece of malware named ‘5ss5c’.

The Bart Blaze believes that the threat actors have been working on the 5ss5c ransomware since at least November 2019, and likely the malicious code is still under development. Experts, in fact, discovered a second spreader module, packed with Enigma VirtualBox, within the code, that is named poc.exe.

“There’s quite some curiosities that indicate 5ss5c is still in active development and stems from Satan ransomware.” reads the analysis published by Blaze.

“This suggest they may be experimenting ( poc often is an acronym for proof of concept).”

The expert discovered several artifacts that suggest 5ss5c stems from Satan ransomware, he also pointed out that updates for Satan stopped in August while 5ss5c appeared in the threat landscape in November.



Like Satan, 5ss5c launches process via a downloader, leverages the EternalBlue exploit for spreading. Blaze added that several Satan artefacts , and tactics, techniques and procedures (TTPs) have similarities with both Satan and DBGer, and partially with Iron.

The file poc.exe is dropped to C:\ProgramData\poc.exe, and runs the command:

cd /D C:\ProgramData&star.exe –OutConfig a –TargetPort 445 –Protocol SMB –Architecture x64 –Function RunDLL –DllPayload C:\ProgramData\down64.dll –TargetIp

that is similar to the command executed by the Satan ransomware:

cmd /c cd /D C:\Users\Alluse~1\&blue.exe –TargetIp & star.exe –OutConfig a –TargetPort 445 –Protocol SMB –Architecture x64 –Function RunDLL –DllPayload down64.dll –TargetIp

Both Satan and 5ss5c have an exclusion list of files that are not encrypted by the malicious codes, the list of the new ransomware include additional files like the one associated with Qih00 360 security solutions (i.e. 360download and 360safe files).

The 5ss5c ransomware drops a ransom note in Chinese that demands the a ransom of 1 bitcoin for decryption.

The ransom demand will double after 48 hours. The ransom note doesn’t include attackers’email to contact for the payment or a Bitcoin address, instead the ransomware prepends the email address (5ss5c ( at ) mail [ . ] ru ) to the file name of each encrypted file, for example test.txt becomes [5ss5c@mail.ru ] test . txt . Y54GUHKIG1T2ZLN76II9F3BBQV7MK4UOGSQUND7U . 5ss5c.



“Whoever’s behind the development of Satan, DBGer, Lucky and likely Iron ransomware, is back in business with the 5ss5c ransomware, and it appears to be in active development – and is trying to increase (or perhaps focus?) its targeting and spread of the ransomware.” concludes the expert.

The analysis published by Blaze includes the indicators of compromise (IOCs).

Pierluigi Paganini