Snake Ransomware isolates infected Systems before encrypting files

Experts spotted recent samples of the Snake ransomware that were isolating the infected systems while encrypting files to avoid interference.

Experts from cybersecurity firm Deep Instinct recently spotted some sample of the Snake ransomware (also known as EKANS) were observed isolating the infected systems to encrypt files without interference

In January experts observed a new wave of attacks that targeted organizations worldwide, experts from SentinelOne also discovered Snake Ransomware that was targeting processes and files associated with industrial control systems (ICS).

The activity of the gang was relatively quiet during the COVID-19 outbreak since May 4, when the ransomware operators launched a massive campaign that targeted organizations worldwide.

Snake Ransomware is suspected to have been employed in a ransomware attacks that hit Fresenius Group, Europe’s largest hospital provider, and the Japanese carmaker Honda.

The Snake ransomware kills processes from a predefined list, including ICS-related processes, to encrypt associated files.

Snake samples employed in more recent attacks implements the ability to enable and disable the firewall and leverage specific commands to block unwanted connections to the system.

“Before initiating the encryption, Snake will utilize the Windows firewall in order to block any incoming and outgoing network connections on the victim’s machine that aren’t configured in the firewall. Windows built-in netsh tool will be used for this purpose,” reads the analysis published by cybersecurity firm Deep Instinct. “Disconnected from the outside world, Snake will kill the hardcoded processes that may interfere with the encryption. This list contains processes related to the industrial world and several security and backup solutions.”

The malware would kill any process that might potentially interfere with the encryption, including those associated with industrial software, backup solutions, and of course security tools. Then the malware also deletes shadow copies to prevent the victims from recovery the files.

“Once all the preparations are completed, the ransomware can initiate the encryption process.” continues the analysis. “Excluding several system-critical folders and files, all files with extensions included in Snake’s hardcoded list are included. The list includes document, virtualization, database, and archive extensions among others.”

The malware appends a random five-character string to the extension of the encrypted files and the word EKANS to the end of the file (i.e. For example, our encrypt_me.txt file was changed to encrypt_me.txtDwtwx.)

“The concept of ransomware is rather simple – you encrypt your victims’ files and wait for them to pay. Although this concept hasn’t changed in recent years, ransomware attacks have become more and more sophisticated and targeted, as we witness the gradual change in the priorities, tactics and scale of attacks.” concludes the report.

“If the attackers are changing their modus operandi, we should change the way we think about ransomware attacks.”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, SNAKE ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]