Danger level 8
Type: Trojans
Common infection symptoms:
  • Slow Computer
  • System crashes
  • Connects to the internet without permission
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel

SATANA Ransomware

SATANA Ransomware is a newly released ransomware-type infection designed to encrypt document and image file formats. Note that it specifically targets files that are likely to contain personal and valuable information. You must remove this infection, but bear in mind that once it has encrypted your files, it is too late to do anything about them. You can either try to pay the ransom, which we do not recommend because you might get duped, or you can delete it. According to our research, there is currently no free decryption tool that could help you get your files back.

We have found that this ransomware is a copy of Petya Ransomware. However, it was not made by the same developers, but by unassociated people. Petya Ransomware and Mischa Ransomware are very similar infections; SATANA Ransomware resembles them too, but it has some differences that we want to cover. Let us begin with its origins and distribution methods. Santana is the Italian word for Satan or devil, so we assume that the people who made it come from Italy.

We have found that this ransomware is set to infect computers in the same way as Petya Ransomware. It uses a Portable Executable (PE) file that writes a low-level module: a bootloader with a tiny custom kernel. This is what is known as a low-level attack, and it is quite innovative, because the ransomware writes its malicious modules to the disk and they take effect only after you reboot the computer.

After the computer has become infected, the ransomware deletes itself from the directory where it was executed and copies itself to %TEMP%. Its executable name consists of random lower-case letters, so it might be difficult to find manually. It then proceeds to encrypt the files. We do not know exactly which algorithm it uses, but we suspect that it encrypts the files with AES-256 and the decryption key with RSA-4096. In any case, there is currently no way to decrypt the files for free.

Now let us get back to how this ransomware works, because it is not a typical infection and there are many things going on with it. After infecting your PC and encrypting the files, it creates a Registry entry in which it saves the contact information needed to reach the cyber criminals. In addition, after the encryption, it creates a .txt file named !santana!.txt that contains the ransom note with instructions on what the cyber criminals want you to do next.

Evidently, they want money, and they want a lot of it. According to the ransom note, the cyber crooks want you to pay the ransom in Bitcoins, and they ask for 0.5 BTC, which might not look like much, but 0.5 BTC is 339.12 USD or 305.3 EUR, a substantial amount of money that you might be tempted to give to the criminals to get your files back. However, there is no guarantee that you will get the files back after you have paid, because such cyber crooks rarely keep their word. Furthermore, SATANA Ransomware is still under development, so some of its functions may or may not work.

The ransom note is written in broken English, but it seems that you only have seven days to pay the ransom to get the files back; if you fail to meet the deadline, you probably will not be able to recover them. Furthermore, the ransom note says that “All changes in hardware configurations of your computer can make the decryption of your files impossible!” It is unclear what kind of changes the ransomware would have to detect for this to apply, but even if it can detect them, it makes no difference, because paying the criminals will probably not help.

If you want to remove SATANA Ransomware, you first have to repair your computer’s Master Boot Record (MBR) using the Windows installation DVD to initiate System Recovery. After you have repaired the MBR, you can delete this ransomware using our manual removal guide. Alternatively, you can use our featured anti-malware tool, SpyHunter, to eradicate it in its entirety.

How to remove SATANA Ransomware

  1. Press Windows+E keys.
  2. Enter %TEMP% in the address bar.
  3. Locate this ransomware’s executable.
  4. Right-click it and click Delete.
  5. Empty the Recycle Bin.

You might also want to delete the !santana!.txt files scattered throughout your computer, but they pose no threat.
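The two indicators the guide describes (a PE executable in %TEMP% whose name is only random lower-case letters, and the !santana!.txt ransom note) can be checked with a short script. The following Python is an added example written for this page, not a tool from the original guide; it builds a constructed sample directory to run against, and the "four or more letters" rule for the random name is an assumption.

```python
import os
import re
import tempfile

# Assumed rule for the random lower-case name the article describes: 4+ letters, .exe
RANDOM_NAME = re.compile(r"^[a-z]{4,}\.exe$")
RANSOM_NOTE = "!santana!.txt"          # note file name as given in the article
MZ = b"MZ"                             # every PE file starts with the DOS "MZ" header


def is_pe(path):
    """True if the file starts with the PE/DOS 'MZ' magic; False on read errors."""
    try:
        with open(path, "rb") as f:
            return f.read(2) == MZ
    except OSError:
        return False


def scan_temp(temp_dir):
    """Walk temp_dir and collect paths of suspicious executables and ransom notes."""
    findings = {"executables": [], "notes": []}
    for root, _dirs, files in os.walk(temp_dir):
        for name in files:
            path = os.path.join(root, name)
            if name.lower() == RANSOM_NOTE:
                findings["notes"].append(path)
            elif RANDOM_NAME.match(name) and is_pe(path):
                findings["executables"].append(path)
    return findings


def build_sample_dir():
    """Constructed sample data (no real malware): one random-name stub PE, one
    mixed-case stub PE that the name rule should ignore, a text file and a note."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "qwxtzuv.exe"), "wb") as f:
        f.write(MZ + b"\x00" * 62)     # MZ header only
    with open(os.path.join(d, "Setup-Tool.exe"), "wb") as f:
        f.write(MZ + b"\x00" * 62)     # not all lower-case letters: not flagged
    with open(os.path.join(d, "notes.txt"), "w") as f:
        f.write("harmless")
    with open(os.path.join(d, RANSOM_NOTE), "w") as f:
        f.write("constructed ransom note text")
    return d


if __name__ == "__main__":
    # For a real check, pass os.environ.get("TEMP") instead of the sample dir.
    print(scan_temp(build_sample_dir()))
```

Anything the script reports is only a candidate for manual review; the MBR repair described above is still needed before the bootloader module stops taking effect.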
