Satan Ransomware

Also Known As: Satan virus
Distribution: Low
Damage level: Severe

Satan ransomware removal instructions

What is Satan?

Similar to Ransom32, Satan is a ransomware-type virus offered as Ransomware-as-a-Service (RaaS). Following successful infiltration, Satan encrypts stored data using RSA-2048 and AES-256 cryptography. In addition, this virus appends the ".stn" extension to the names of encrypted files (for instance, "sample.jpg" is renamed to "sample.jpg.stn"). Updated variants of this ransomware use the ".satan" extension for encrypted files. Following successful encryption, Satan places an HTML file ("HELP_DECRYPT_FILES.html") on the desktop. As mentioned above, Satan's developers provide a service allowing prospective cyber criminals to make money by distributing this ransomware. In exchange, developers receive 30% of revenues generated by users.

To use Satan RaaS, users must create an account and provide the required information. Firstly, users must have a Bitcoin wallet used for ransom transactions. Secondly, they must specify a cost for decryption. They are then able to download a malicious executable file, which is used to infect victims' computers. Satan's website also contains a number of other features (for example, transaction tracking, a list of released Satan versions, etc.).

The aforementioned Satan HTML file (placed on the desktop) contains a ransom-demand message stating that files are encrypted and that restoring them without a unique key is impossible. Unfortunately, this information is accurate. RSA-2048 is an asymmetric encryption algorithm and, thus, public (encryption) and private (decryption) keys are generated during file encryption. Cyber criminals store private keys on a remote server and victims are encouraged to pay ransoms to receive them by following instructions on Satan's decryption website (links are provided within the HTML file). The cost of decryption is not consistent (distributors are able to change it), however, most ransomware-type viruses demand between $500 and $1500 in Bitcoin. It is also stated that the ransom must be paid within the given time frame, otherwise the price will increase.

In any case, you should never trust cyber criminals. Research shows that these people commonly ignore victims, despite payments made. Paying does not guarantee that your files will ever be restored and you might be scammed. Therefore, never pay any ransom or attempt to contact these people. Unfortunately, there are no tools capable of cracking RSA-2048 and AES-256 encryption algorithms or restoring files compromised by Satan ransomware. Therefore, the only solution is to restore your files/system from a backup.
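An added example (not part of the original article): a read-only inventory that uses the indicators named above (the ".stn" and ".satan" extensions and the "HELP_DECRYPT_FILES.html" note) to scope what has to be restored from backup. The function names and the sample directory tree are hypothetical and constructed for illustration.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Indicators stated in the article: appended extensions and the ransom note name.
ENCRYPTED_EXTS = {".stn", ".satan"}
NOTE_NAME = "help_decrypt_files.html"

def inventory(root):
    """Walk root and classify each file as encrypted, ransom note, or intact."""
    report = {"encrypted": [], "notes": [], "intact": [], "by_dir": Counter()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.lower() == NOTE_NAME:
                report["notes"].append(path)
            elif path.suffix.lower() in ENCRYPTED_EXTS:
                report["encrypted"].append(path)
                report["by_dir"][Path(dirpath)] += 1
            else:
                report["intact"].append(path)
    return report

def restore_candidates(report):
    """Map each encrypted file to its name without the appended extension
    (the sample.jpg -> sample.jpg.stn case), i.e. the name to look up in a backup."""
    return {p: p.with_suffix("") for p in report["encrypted"]}

def build_sample_tree(root):
    """Constructed sample data: empty files named after the article's examples."""
    for rel in ("Desktop/HELP_DECRYPT_FILES.html", "Documents/sample.jpg.stn",
                "Documents/report.docx.satan", "Documents/notes.txt",
                "Pictures/a1b2c3.STN"):
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.touch()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # runs offline on constructed data
        build_sample_tree(tmp)
        rep = inventory(tmp)
        print(f"{len(rep['encrypted'])} encrypted, {len(rep['notes'])} note(s), "
              f"{len(rep['intact'])} intact")
        for folder, count in rep["by_dir"].most_common():
            print(f"  {count:3d}  {folder}")
        for enc, original in restore_candidates(rep).items():
            print(f"  restore {original.name} (replaces {enc.name})")
```

Where a variant also randomizes file names, the stripped name will not match the backup copy, so use the per-folder counts to decide which folders to restore whole.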

Screenshot of a message encouraging victims to pay a ransom to decrypt their compromised data:


There are hundreds of ransomware-type viruses with similar behavior to Satan. Examples include HakunaMatata, LambdaLocker, Karma, and many others. All encrypt files and make ransom demands. The only major differences are the size of the ransom and the type of encryption algorithm (symmetric/asymmetric) used.

Ransomware-type viruses are often distributed using spam emails (malicious attachments), unofficial software download sources (peer-to-peer networks, freeware download and free file hosting websites, etc.), fake software update tools, and trojans. Therefore, be cautious when opening files received from suspicious emails, and when downloading software from third party sources. Keeping your installed applications up-to-date and using a legitimate anti-virus/anti-spyware suite is also essential. Be aware, however, that cyber criminals often exploit software bugs/flaws to infect the system. Therefore, never use any third party update tools.

Text presented within Satan HTML file (English):

What happened to my files ?
All of your personal files were encrypted using AES-256 and RSA-2048
What does this mean ?
This means that the content of your files have been changed, you will not be able to use them, it is basically the same as losing them forever. However, you can still get them back with our help.
How can I get my files back ?
As said before, your files have been encrypted, in order to decrypt them, you'll need the private key of the key pair that was generated when your files were encrypted. Decrypting your files is only possible with the private key and the decrypter.
If you really value your data, then you should not waste time and follow the instructions in the link below:
If the links above are not available, you should follow these steps instead:
1. Download and install the Tor Browser
2. After you've installed it, run the browser and wait for it to initialize
3. Type in the address bar: hxxp://satan6dll23napb5.onion/k9JEZbSz?lang=en
4. Follow the instructions on the page

Text presented within Satan HTML file (Portuguese):

O que aconteceu com os meus arquivos ?
Todos os seus arquivos pessoais foram criptografados usando AES-256 e RSA-2048
O que isso significa ?
Isso significa que o conteúdo dos seus arquivos foi alterado, você não será capaz de usá-los, isso é basicamente o mesmo que perdê-los para sempre. Entretanto, com nossa ajuda você ainda pode tê-los de volta.
Como posso ter meus arquivos de volta ?
Como dito antes, seus arquivos foram criptografados, para descriptografa-los, voc precisará da chave privada do par de chaves que foi gerado quando seus arquivos foram criptografados. Descriptografar os arquivos é apenas possível com a chave privada e o descifrador.
Se você realmente dá valor aos seus dados, você não deve desperdiçar tempo. Siga as instruções no link abaixo:
Se os links acima não estiverem disponíveis, siga os seguintes passos:
1. Baixe e instale o Tor Browser
2. Depois de instalado, execute-o e espere a sua inicialização
3. Digite na barra de endereço: http://satan6dll23napb5.onion/k9JEZbSz?lang=pt
4. Siga as instruções na página

Screenshot of Satan ransomware Tor website:


Text presented within this site:

Your personal files have been encrypted. In order to decrypt them you'll have to pay -- BTC
If the payment is not made until %LIMIT%, the cost for the private key will increase to -- BTC
How to get your files back
1. Register a bitcoin wallet
2. Purchase the amount of bitcoins needed
3. Send -- BTC to the address:
4. Wait for the transaction to be confirmed
The transactions are checked automatically every hour. After you've paid, come back here after at least one hour.
You've paid -- BTC. There are still -- BTC left.

Screenshot of files encrypted by Satan ransomware (random file name and ".stn" extension):


Screenshots of Satan RaaS (ransomware as a service) website:

Satan RaaS "Homepage" page:


Text presented within this page:

What is Satan?

Apart from the mythological creature, Satan is a ransomware, a malicious software that once opened in a Windows system, encrypts all the files, and demands a ransom for the decryption tools.

How to make money with Satan?

First of all, you'll need to sign up. Once you've signed up, you'll have to log in to your account, create a new virus and download it. Once you've downloaded your newly created virus, you're ready to start infecting people.

Now, the most important part: the bitcoin paid by the victim will be credited to your account. We will keep a 30% fee of the income, so, if you specified a 1 BTC ransom, you will get 0.7 BTC and we will get 0.3 BTC. The fee will become lower depending on the number of infections and payments you have.

Satan RaaS "Malwares" page:


Text presented within this page:

Ransom - Ransom in BTC (min 0.1) Use "." as decimal separator.
Multiplier - Used to multiply the ransom by X times after Y days.
Multiplier (Days) - Days before the ransom multiplier.
Note - Notes are private, and used only to keep track of your victims.
Proxy - Read about how to set up a gateway proxy here.
Do not upload your malware to VirusTotal and/or any other online scanner.
The malware does not run inside virtual machines, if you wish to test it, you must do it in a physical computer. Don't forget to run the test with the command-line argument -r to avoid having the binary deleted.

Satan RaaS "Droppers" page:


Text presented within this page:

Making a dropper

1. Use one of the xor functions below to encrypt your ransomware.

2. Upload the encrypted ransomware to your web server.

3. In the form below, enter the url to the file, the key you used to encrypt and click on "Generate".

4. Follow the usage instructions

Satan RaaS "Translate" page:


Text presented within this page:

Translation guidelines

1. All fields must be filled.

2. Anything between "%" should be only copied and not translated.

3. The field "English" should be filled with the name of the language you're translating (e.g Deutsch, Español).

4. The characters used must be UTF-8 supported.

5. Only one translation is allowed per day.
The translations are manually checked and added once a day. Duplicates are ignored.

Satan RaaS "Account" page:

Satan RaaS "Notices" page:

Satan RaaS "Messages" page:

Satan ransomware removal:


Step 1

Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer start process, press the F8 key on your keyboard multiple times until you see the Windows Advanced Option menu, and then select Safe Mode with Networking from the list.


Windows 8 users: Start Windows 8 in Safe Mode with Networking. Go to the Windows 8 Start Screen, type Advanced, and in the search results select Settings. Click Advanced startup options, and in the opened "General PC Settings" window, select Advanced startup. Click the "Restart now" button. Your computer will now restart into the "Advanced Startup options menu". Click the "Troubleshoot" button, and then click the "Advanced options" button. In the advanced option screen, click "Startup settings". Click the "Restart" button. Your PC will restart into the Startup Settings screen. Press F5 to boot in Safe Mode with Networking.


Windows 10 users: Click the Windows logo and select the Power icon. In the opened menu, click "Restart" while holding the "Shift" key on your keyboard. In the "Choose an option" window, click "Troubleshoot", then select "Advanced options". In the advanced options menu, select "Startup Settings" and click the "Restart" button. In the following window, press the "F5" key on your keyboard. This will restart your operating system in Safe Mode with Networking.


Step 2

Log in to the account infected with the Satan virus. Start your Internet browser and download a legitimate anti-spyware program. Update the anti-spyware software and start a full system scan. Remove all entries detected.

If you cannot start your computer in Safe Mode with Networking, try performing a System Restore.


1. During your computer start process, press the F8 key on your keyboard multiple times until the Windows Advanced Options menu appears, and then select Safe Mode with Command Prompt from the list and press ENTER.


2. When Command Prompt mode loads, enter the following line: cd restore and press ENTER.


3. Next, type this line: rstrui.exe and press ENTER.


4. In the opened window, click "Next".


5. Select one of the available Restore Points and click "Next" (this will restore your computer system to an earlier time and date, prior to the Satan ransomware virus infiltrating your PC).


6. In the opened window, click "Yes".


7. After restoring your computer to a previous date, download and scan your PC with recommended malware removal software to eliminate any remaining Satan ransomware files.

To restore individual files encrypted by this ransomware, try using the Windows Previous Versions feature. This method is only effective if the System Restore function was enabled on the infected operating system. Note that some variants of Satan are known to remove Volume Shadow Copies of the files, so this method may not work on all computers.

To restore a file, right-click over it, go into Properties, and select the Previous Versions tab. If the relevant file has a Restore Point, select it and click the "Restore" button.


If you cannot start your computer in Safe Mode with Networking (or with Command Prompt), boot your computer using a rescue disk. Some variants of ransomware disable Safe Mode making its removal complicated. For this step, you require access to another computer.

To regain control of the files encrypted by Satan, you can also try using a program called Shadow Explorer. More information on how to use this program is available here.


To protect your computer from file encryption ransomware such as this, use reputable antivirus and anti-spyware programs. As an extra protection method, you can use programs called HitmanPro.Alert and Malwarebytes Anti-Ransomware, which artificially implant group policy objects into the registry to block rogue programs such as Satan ransomware.

HitmanPro.Alert CryptoGuard - detects encryption of files and neutralises any attempts without need for user-intervention:


Malwarebytes Anti-Ransomware Beta uses advanced proactive technology that monitors ransomware activity and terminates it immediately - before reaching users' files:


  • The best way to avoid damage from ransomware infections is to maintain regular up-to-date backups. More information on online backup solutions and data recovery software Here.
