Lucky ransomware: Satan virus variant poses risk of extensive infection


Independent security researchers at NSFOCUS and Sangfor have identified a Satan worm/virus variant that impacts Linux and Windows platforms and behaves similarly to the Satan ransomware. The malware is believed to have already infected Linux servers in production, and the aggressive manner in which the virus spreads creates a risk of extensive infections.

The virus exploits known vulnerabilities in JBoss, Tomcat, WebLogic, Windows SMB, Apache Struts 2, and Spring Data Commons software.

Waratek customers are already protected by runtime virtual patches as well as Waratek’s unsafe deserialization zero-day-protection rule.


NSFOCUS discovered customers were infected with ransomware believed to be a variant of FT.exe with the capability of dropping crypto-miners and ransomware. The Satan virus spreads via Linux and Windows platforms like a worm, exploiting the following vulnerabilities:

  • JBoss deserialization vulnerability
  • JBoss default configuration vulnerability (CVE-2010-0738)
  • Tomcat arbitrary file upload vulnerability (CVE-2017-12615)
  • Tomcat web admin console weak-password brute-force attack
  • WebLogic arbitrary file upload vulnerability (CVE-2018-2894)
  • WebLogic WLS component vulnerability (CVE-2017-10271)
  • Windows SMB remote code execution vulnerability (MS17-010)
  • Apache Struts 2 remote code execution vulnerability (S2-045)
  • Apache Struts 2 remote code execution vulnerability (S2-057)
  • Spring Data Commons remote code execution vulnerability (CVE-2018-1273)

Lucky Ransomware

If the malware successfully infects a system, it encrypts local files, appends .lucky to their names, and installs a ransom file named “_How_To_Decrypt_My_File_”.
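As an added example (not part of the original advisory and not Waratek or NSFOCUS tooling), the triage script below walks a directory tree for the two file-system indicators named above. The names `scan_tree` and `ScanResult` are hypothetical, and matching the ransom file name as a case-insensitive substring is an assumption, since the advisory gives no file extension for it.

```python
import os
import sys
from dataclasses import dataclass, field

# Indicators quoted in the advisory text.
ENCRYPTED_SUFFIX = ".lucky"
NOTE_MARKER = "_how_to_decrypt_my_file_"  # assumption: substring, case-insensitive

@dataclass
class ScanResult:
    encrypted: list = field(default_factory=list)   # paths ending in .lucky
    notes: list = field(default_factory=list)       # ransom file paths
    unreadable: list = field(default_factory=list)  # directories that could not be listed
    earliest_mtime: float = None                    # oldest mtime among all hits

def scan_tree(root):
    """Walk root without following symlinks and collect Lucky indicators."""
    result = ScanResult()
    # Record unlistable directories instead of silently skipping them.
    walker = os.walk(root, followlinks=False,
                     onerror=lambda err: result.unreadable.append(err.filename))
    for dirpath, _dirs, files in walker:
        for name in files:
            lowered = name.lower()
            if lowered.endswith(ENCRYPTED_SUFFIX):
                bucket = result.encrypted
            elif NOTE_MARKER in lowered:
                bucket = result.notes
            else:
                continue
            path = os.path.join(dirpath, name)
            bucket.append(path)
            try:
                mtime = os.lstat(path).st_mtime
            except OSError:
                continue  # file vanished mid-scan; the path is still reported
            if result.earliest_mtime is None or mtime < result.earliest_mtime:
                result.earliest_mtime = mtime
    return result

if __name__ == "__main__":
    res = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(f"encrypted={len(res.encrypted)} notes={len(res.notes)} "
          f"unreadable={len(res.unreadable)} earliest_mtime={res.earliest_mtime}")
    sys.exit(1 if res.encrypted or res.notes else 0)
```

The earliest modification time among the hits is only a rough estimate of when encryption began, useful when deciding which backup predates the infection. A non-empty `unreadable` list means the scan was incomplete and should be rerun with sufficient privileges.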


Organizations with the impacted platforms and configurations should keep track of the latest vulnerability alerts and immediately scan their systems for the known CVEs that could be exploited.

Organizations should also check their egress firewall logs for the presence of port-scanning activity as well as connections to the following IP addresses:,,,

Waratek Enterprise and Waratek Secure customers are already protected by the platform’s zero-day and zero-false-positives protection features against code injection, command injection, unsafe deserialization, and arbitrary file upload attacks. No further rule configuration or any other kind of tuning is needed to achieve protection. Waratek Patch users that have applied the corresponding ARMR Runtime Virtual Patches are also protected against this malware.

Non-customers should immediately upgrade or patch their JBoss, Tomcat and WebLogic servers as well as their Struts 2 and Spring applications. Additionally, Windows users should install the MS17-010 patch immediately or disable the SMB service if it is not used. In all cases, anti-virus software with the latest virus definitions should be installed on all systems. Finally, it is critical to back up all server and user data and to make sure that the restore process is working as expected.
