Satan ransomware rebrands as 5ss5c ransomware
ID: 45e039b6-c08c-5feb-b37c-3ec935a79ecf
STIX ID: report--45e039b6-c08c-5feb-b37c-3ec935a79ecf
Feed Name: Blaze's Security Blog
This report documents the rebranded 5ss5c ransomware—linked to the Satan/DBGer/Lucky family—detailing its infection chain (downloader down.txt, spreader c.dat leveraging EternalBlue and hardcoded credentials, and payload cpt.dat), credential theft tools (Mimikatz), C2 communication with 61.186.243.2, and operational features such as mutexes, exclusions, targeted file extensions, and a Chinese-only ransom note. The actors use multiple packers (MPRESS, Enigma, Enigma VirtualBox) and a ‘poc.exe’ spreader, indicating active development/testing. Extensive IOCs (hashes, URLs, IPs, file paths, commands, mutexes, email) are provided for detection and response.
