Satan Ransomware Rebrands as DBGer

What Is It?

Satan ransomware was first discovered by a French security researcher in January 2017, initially offered via Ransomware as a Service (RaaS).

This allowed malicious actors to register, create a unique variant of Satan and distribute the malware as they saw fit. The RaaS handled the ransom payments and development of the malware and took 30% of any ransom payments made (yet a lower fee when more payments were collected).

Over time, Satan ransomware gained credibility with malicious actors for its profit-making potential and led to several other ransomware variants that are believed to have been created by former clients. To remain current in the highly competitive world of for-profit malware, Satan continued to be developed, most notably in versions released from November 2017 which made use of the leaked NSA EternalBlue (Articles: link, link, link) exploit. This exploit, also famously used by WannaCry (Articles: link, link, link, link, link) and NotPetya malware, allowed Satan to potentially spread over the local network.


The latest development, described by BleepingComputer, occurred in April 2018 and also included an apparent name change from Satan to DBGer. These variants now include the Mimikatz  (Articles: link, link, link) tool, developed for penetration testers but often used by malware and by attackers to assist lateral movement through a network. Mimikatz attempts to extract credentials for other systems on the local network, allowing the ransomware to infect those systems too.

Though the combination of EternalBlue and Mimikatz is not unique to Satan/DBGer, that combination was previously used by BadRabbit  (Articles: link, link) and NotPetya, it shows that the authors remain committed to further development to ensure continued profits. To that end, the current ransom note states that the user has three days in which to pay, after which “your data will be open to the public download.”

How Does It Propagate?

As discussed, Satan/DBGer malware utilizes both the EternalBlue SMB exploit and the Mimikatz tool to attempt to infect additional systems on the local network.

The most common attack vector for most ransomware is social engineering, either as malicious attachments or downloads performed by malicious documents.

When/How Did BluVector Detect It?

A publicly available sample of DBGer ransomware was tested and BluVector’s patented Machine Learning Engine (MLE) detected it. In fact, regression testing has demonstrated the sample would have been detected by all previous MLE models, resulting in detection since September 2013, which is 57 months prior to its release.

All Threat Reports