The ransomware is called Satana (devil/satan in Italian) and, similar to the Petya and Mischa bundle, it works in two modes. Satana encrypts files one by one, and in each folder drops a ransom note: !satana!. The ransom note is printed generously during the malware's execution, giving away interesting information: The payload contains all the functions necessary for the infection process. After defeating a dropper in a FUD/crypter, we can see a payload that is another executable. In the first (low-level) mode, only the.Ransomware is stored in Sector 6 (and the original MBR is attacked)
Source: https://blog.malwarebytes.com/threat-analysis/2016/06/satana-ransomware/

