New Saturn Ransomware Actively Infecting Victims and Distributing for Free

A new ransomware was discovered this week by MalwareHunterTeam called Saturn. This ransomware will encrypt the files on a computer and then append the .saturn extension to the file’s name. The Saturn Ransomware is being actively distributed, but at this time it is unknown what distribution methods are being used.

Unfortunately, this ransomware is not decryptable at this time, but it is currently being researched for weaknesses. In the mean time, if you wish to discuss or receive help, you can use our dedicated Saturn Ransomware Help & Support topic.

How Saturn Ransomware encrypts a computer

When Saturn Ransomware is installed it will check to see if the victim is running in a virtual environment. If it detects that it is running under a virtual machine, it will exit the process.

If it does not detect a virtual machine, Saturn will execute the following commands to delete shadow volume copies, disable Windows startup repair, and to clear the Windows backup catalog.

cmd.exe /C vssadmin.exe delete shadows /all /quiet & wmic.exe shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

After those commands are executed, it will scan the computer for certain file types and encrypt them. The files types encrypted by Saturn Ransomware are:

txt, psd, dwg, pptx, pptm, ppt, pps, 602, csv, docm, docp, msg, pages, wpd, wps, text, dif, odg, 123, xls, doc, xlsx, xlm, xlsb, xlsm, docx, rtf, xml, odt, pdf, cdr, 1cd, sqlite, wav, mp3, wma, ogg, aif, iff, m3u, m4a, mid, mpa, obj, max, 3dm, 3ds, dbf, accdb, sql, pdb, mdb, wsf, apk, com, gadget, torrent, jpg, jpeg, tiff, tif, png, bmp, svg, mp4, mov, gif, avi, wmv, sfk, ico, zip, rar, tar, backup, bak, ms11, ms11 (Security copy), veg, pproj, prproj, ps1, json, php, cpp, asm, bat, vbs, class, java, jar, asp, lib, pas, cgm, nef, crt, csr, p12, pem, vmx, vmdk, vdi, qcow2, vbox, wallet, dat, cfg, config

When encrypting files it will append the .saturn extension to the encrypted file’s name. For example, a file called test.jpg would be encrypted and then renamed to test.jpg.saturn.


While encrypting the computer, Saturn Ransomware will drop ransom notes named #DECRYPT_MY_FILES#.html and #DECRYPT_MY_FILES#.txt and a key file named #KEY-[id].KEY in each folder that it encrypts a file. The key file is used to login to the TOR ransom site, while the ransom note contains brief information on what has happened to the victims files and a link to the TOR payment site at su34pwhpcafeiztt.onion.

The ransomware will also drop a #DECRYPT_MY_FILES#.vbs file that causes speech to come from the infected computer. Finally, it sets your Windows desktop background to  #DECRYPT_MY_FILES.BMP.

When a user visits the TOR site, they will be prompted to upload the key file before accessing their personal portal.

Once the key is uploaded, it will open the Saturn Decryptor page for the victim and display more detailed instructions. These instructions will contain the amount of bitcoins to send as a ransom and the bitcoin address that it should be sent to. Currently, the ransom amount is set to $300 USD and then doubles after 7 days.

Saturn is Available for free

The authors of the Saturn ransomware are allowing anyone to become a ransomware distributor for free via a newly launched Ransomware-as-a-Service (RaaS) affiliate program.

The entire idea of this new RaaS portal is to allow easy access to a weaponized version of the new Saturn ransomware.

All that wannabe ransomware distributors have to do is to sign up on this new portal hosted on the Dark Web, get a copy of the Saturn ransomware, and start spreading it around.

Other previous RaaS portals that Bleeping Computer has analyzed in the past usually required users to pay an upfront sum before accessing a weaponized version of the ransomware binary. The Saturn RaaS is taking a whole new approach to the RaaS business model by putting the weaponized ransomware binary into anyone’s hands from the get-go, with no upfront money.

Affiliates stand to make 70% of the ransom payments

Users who generate one such file called stub in the Saturn RaaS interface must then embed it into other files such as EXEs, Office, PDF, or other documents. These files are then sent to users as part of spam email or malvertising campaigns, the two most common ransomware distribution methods.

Victims who get infected will have to pay decryption fees on the Saturn payment portal located at su34pwhpcafeiztt.onion. This money goes to the main Bitcoin account of the Saturn ransomware authors.

But if the file that infected the victim was generated on the RaaS portal, the user who generated the file and spread it to the victim will receive 70% of the total payment, while the Saturn creators keep 30%.

After signing up, login to your account, create new virus and download it. With this virus you just created, you are ready to start infecting people. Now, you the important part, you 70% of the bitcoin paid by victim will be credited to your account, as example, if you have specified $300 as a ransom, you will get $210 we will get $90.

Saturn’s 70%-30% payment scheme is on par with the Cerber RaaS payment scheme, one of today’s largest ransomware operations.

The Saturn RaaS portal was spotted by a Bleeping Computer forum user who wanted to remain anonymous. The Saturn RaaS is currently open for registration and has already cropped up in Dark Web URL scanners and directories.

How to protect yourself from the Saturn Ransomware

In order to protect yourself from ransomware in general, it is important that you use good computing habits and security software. First and foremost, you should always have a reliable and tested backup of your data that can be restored in the case of an emergency, such as a ransomware attack.

Last, but not least, make sure you practice the following security habits, which in many cases are the most important steps of all:

  • Backup, Backup, Backup!
  • Do not open attachments if you do not know who sent them.
  • Do not open attachments until you confirm that the person actually sent you them,
  • Scan attachments with tools like VirusTotal.
  • Make sure all Windows updates are installed as soon as they come out! Also make sure you update all programs, especially Java, Flash, and Adobe Reader. Older programs contain security vulnerabilities that are commonly exploited by malware distributors. Therefore it is important to keep them updated.

Credit: Bleepingcomputer


CEH Course In pune | Slink

Jai Prajapati

Jai Prajapati is a security analyst and author for Securityleaks, where he passion for covering latest happening in cybersecurity world such as malware, breaches, vulnerabilities, exploits, white-papers, hacking newsbytes, Dark Web, hacking tutorials and a few more.

Leave a Reply

Your email address will not be published. Required fields are marked *