Attackers Test 5ss5c Ransomware on Chinese Organizations

Delaware, USA – January 21, 2020 – The first test samples of the new ransomware appeared back in November 2019 but remained almost ignored at a time of resonant hacks and updated malware scene veterans. Blaze analyzed new versions of 5ss5c and found evidence that the new strain is based on Satan ransomware, which almost disappeared last summer. The malware is still being tested and some of its functions are experimental, but now we can say that malware authors started from the place where Satan ransomware development stopped, and their new creation is aimed at corporate networks. The victim first becomes infected with the downloader, which drops 5ss5c ransomware, a couple of tools to collect credentials, and spreader module which uses hardcoded credentials and BlueKeep exploit to infect other systems in the network.

Now ransomware is being actively tested in China, and this is not the first malware that is used behind the Golden Shield early in the game before entering the world stage. This is evidenced by the preservation of multiple log files and their sending to SQL Database, a small number of file extensions for encryption and ransom note only in Chinese without specifying a bitcoin wallet. The malware encrypts mainly documents and database files excluding folders associated with popular anti-malware solutions in China. For the decryption key, they demand 1 bitcoin and indicate one single email address for contact, these will likely change when 5ss5c begin to spread around the world. You can use new threat hunting Sigma rule by Ariel Millahuel to uncover characteristics of this ransomware and act before encryption starts: https://tdm.socprime.com/tdm/info/hXlJTqo4I1YR/