Snake ransomware, also known as Ekans, targets manufacturers. It can infect an entire network before activating, which makes it a potentially crippling form of ransomware
The alternative name for the ransomware, Ekans, is “snake”, spelled backward. Early targets of Snake were Honda and Enel Group, an Italian energy conglomerate. Sentinel Labs first identified the ransomware in January 2020. To date, ransomware has attacked targets in the USA, China, Japan, and Germany.
Snake ransomware has changed since its first attack. That incident attacked a hospital and included data theft. Then, the hackers started to release captured data, which included patient information. The disclosure of personally identifiable information (PII) is a disaster for businesses because it opens them to prosecution and litigation.
After that hospital attack, the hackers turned to industrial targets and stopped seeking PII to publish.
How does Snake ransomware get onto a computer?
Snake ransomware gets access to one endpoint on a network using remote desktop protocol (RDP). This system enables people to view their office computers from a different location over the internet. RDP is also used by the help desk and system maintenance technicians to access computers for investigation and problem-solving.
RDP can be shut down on a computer, thus closing its port and making it invulnerable to Snake ransomware. As a result, many businesses need to use RDP. However, in these cases, RDP access should be password protected with a complex password.
Not every system administrator realizes that RDP ports are open on their systems. This situation can sometimes be created by software packages when they are installed. In these automatic RDP setups, the access to RDP is either unprotected or with a commonly-used password, such as password or 12345.
Snake knows about these weak passwords and works through a dictionary of possible values. Then, it will research all of the other devices on the network and spread, using RDP again when it gets into one device.
Snake ransomware attacks have not been widespread. This indicates that the attack victim selection is not incidental or automated. That is, this system doesn’t just pass around the world hoping to gain access to any system. Businesses are targeted, and the initial access is probably implemented manually as an intrusion. The package for the ransomware is probably loaded onto at least one target on the victim network manually. Snake ransomware doesn’t need Administrator privileges, but if it is possible to break into an account with elevated privileges, it will use it.
What happens in a Snake ransomware attack?
Snake is looking for industrial applications that use a protocol called SCADA. Supervisory Control and Data Acquisition is used to control industrial equipment, check on sensors, control fluid processing, and operate electricity controls in substations. Rather than directly controlling those industrial devices, the Snake ransomware seeks to encrypt the control instructions by encrypting them.
When Snake ransomware identifies an industrial control system (ICS) running on an endpoint, it kills all monitoring and AV processes. It will also destroy all remote management systems and operating communications with shopfloor equipment. In addition, it terminates VM processes and most other network-related software.
The Snake ransomware isolates the device or the entire network by altering firewall rules to block all traffic except its own. Snake next deletes all shadow copies of files. These are the files created by the Autosave function in many applications.
The Snake encryption process
Once the initial preparation phase has been completed, Snake ransomware begins its encryption process. The targets for encryption are all data files. Executables and system files are not touched, so the computer will still be fully functional.
As each file is encrypted, the contents are saved with the original name to overwrite the stored file and make it unrecoverable. The file name is then changed with the step staying the same, but a random five-character string supplements the extension. So, for example, A4702.txt would become A4702.txtDfreG.
Snake ransomware generates a new encryption key for each file. It uses AES-256 encryption. An attack can result in many keys, which all need to be stored along with the original file names to be decrypted eventually. This information is written to a file. At the end of the encryption phase, the reference file is encrypted by an RSA-2048 cipher. The ransomware also appends the charters EKANS to the end of the file’s contents.
The encryption strategy for the Snake ransomware means that you could reverse the encryption if you could get into that file with the list of all of the AES encryption keys used during the attack. But, unfortunately, that file itself is encrypted.
You might be able to identify the encryption key for the RSA encryption. However, this will do you no good because the RSA system requires a key that is different from the encryption key to decrypt files. It isn’t possible to crack RSA-2048 keys through brute force. Therefore, you have two options after a Snake ransomware attack: pay the ransom or delete all encrypted files and restore from backup.
The Snake ransom
RSA encryption requires two keys: a public key for encryption and a private key for decryption. An exciting feature of Snake ransomware is that it doesn’t need the victim to pass a reference number to the hackers when negotiating the ransom. However, many hackers use RSA encryption for ransomware. The attack program either generates a reference number or shows the encryption key in the ransom note and tells the victim to copy this into communication with the hacker.
By using the public key as a reference, the hackers can reference the associated decryption key. Snake ransomware doesn’t require that. This shows that Snake is a very low volume targeted attack system. The hackers don’t expect their attack software to be propagating around the world, infecting systems opportunistically. They know exactly who is currently infected, and they are waiting to hear from someone from that one company. That’s why they don’t need a reference number.
The ransom note is left as a text file on the text file, called Fix-Your-Files.txt. The ransom note reads:
| What happened to your files?
We breached your corporate network and encrypted the data on your computers. The encrypted data includes documents, databases, photos, and more -
all were encrypted using military-grade encryption algorithms (AES-256 and RSA-2048). You cannot access those files right now. But don’t worry!
You can still get those files back and be up and running again in no time.
| How to contact us to get your files back?
The only way to restore your files is by purchasing a decryption tool loaded with a private key we created specifically for your network.
Once run on an affected computer, the tool will decrypt all encrypted files - and you can resume day-to-day operations, preferably with
better cybersecurity in mind. If you are interested in purchasing the decryption tool, contact us at firstname.lastname@example.org.
| How can you be sure we have the decryption tool?
In your mail to us, attach up to 3 files (up to 3MB, no databases or spreadsheets).
We will send them back to you decrypted.
The good news is that all industrial targets of Snake ransomware recovered from the attacks unscathed. None have admitted to paying the ransom.
Preventing Snake ransomware attacks
Step one in protecting your system from attack by Snake ransomware is to close all RDP ports. If you do need them to be open for remote operations, ensure that they are password protected. Industrial applications tend to be less security conscious than office systems. Suppose you run an automated manufacturing system that relies on unprotected RDP ports or RDP access with bog-standard passwords. In that case, you need to persuade your system provider to close up that weakness quickly or consider switching software.
Your second line of defense lies in tight account control and activity tracking. You should back up your manufacturing command files regularly. One benefit of industrial systems is that designs and machine instructions don’t change very frequently.
Ensure that you use backup management software that scans all files for malware infection before they are uploaded.
Tools for protection against Snake ransomware
When protecting against any ransomware attack, your key strategies need to be tight user account monitoring and a robust backup strategy. Here are four systems that you should look into to protect your system against Snake ransomware and all malicious activity.
ManageEngine Log360 is a threat intelligence platform that is an ideal defense against the intruder-driven attacks of Snake ransomware. This system includes a threat intelligence feed, and ManageEngine already knows how Snake ransomware operates so that the service will spot attacks easily. In addition, log360 functions as a SIEM, checking through log files for indicators of compromise.
- Collects logs
- Interfaces with operating systems
- Collects thyroid-party logs
- Consolidates logs
- Threat hunting
Why do we recommend it?
ManageEngine Log360 is a combination of log collectors and a SIEM. This system collects logs and consolidates them into a common format and then searches through the most recent records. All records are also filed and can be reloaded into the data viewer for examination. This service will spot a range of threats, including ransomware.
As well as gathering log files, this system pays close attention to Active Directory and the user account structure. The tool also covers cloud systems provided by AWS, Azure, and Exchange Online. Log360 also monitors and interacts with firewalls, so it will prevent the network isolation routine of Snake ransomware from happening.
Any of the typical events of Snake ransomware will trigger a search for subsequent actions. Snake uses a set of procedures, but because the attacks are usually very customized and manually implemented, those attack tools can get triggered in any order. Log360 is ready for that.
Who is it recommended for?
This service provides a good way for large businesses to simultaneously track activities on all assets all around the network. This type of system-wide view is necessary to catch systems like Snake quickly. The SIEM should be able to spot the scanning and lateral movement of the Snake system.
- Great dashboard visualizations, ideal for NOCs and MSPs
- Can integrate multiple threat data steams into the platform
- Offers robust searching of logs for live and historical event analysis
- Provides monitoring cross-platform for Windows, Linux, and Unix systems
- Can monitor configuration changes, preventing privilege escalation
- ManageEngine offers a suite of advanced services and features can time to explore and test out
Log360 is a software package that runs on Windows and Windows Server, and you can get a 30-day free trial of the tool. There is a permanently free version available that is limited to collecting log data from just five sources. The free trial is of the full version of Log360.
ManageEngine Endpoint Central provides monitoring and management for corporate fleet devices. This remit includes workstations, mobile devices, and IoT equipment. The Security Edition of the package has an Anti-Ransomware add-on available that includes file backup and process monitoring. This service is in addition to the vulnerability scanning, patch management, and data loss prevention features of the Security Edition.
- Operates on Windows PCs
- Server deployment as SaaS or on premises
- Scanning for ransomware
- File backups
- Automated remediation
Why do we recommend it?
ManageEngine Endpoint Central is a full package of device management services that extends to USB device tracking and print job monitoring. The Anti-Ransomware unit is an add-on for the Security Edition of the package. There are many methods to detect and block threats within the Security Edition and the Anti-Ransomware add-on provides extra protection.
Endpoint Central manages computers running Windows, macOS, and Linux and mobile devices and IoT equipment running Linux, Chrome OS, iOS, Android, and tvOS. Not all functions apply to every operating system. For example, the Patch Management service will only operate on PCs and Macs and the Anti-Ransomware service is only available for Windows.
The main features of the Anti-Ransomware add-on are a file backup service and constant process and file scanning. The service identifies unknown processes and triggers if one alters a file. When this happens. The tool shuts down the process and replaces the altered file with the backup version. You can define your authorized software as trusted and this prevents legitimate file changes from triggering the threat remediation actions.
Who is it recommended for?
The server and dashboard of Endpoint Central are available as a SaaS platform or as software for Windows Server. Every monitored endpoint needs an agent installed on it. There is a Free edition of Endpoint Central and four paid editions. However, you need the top plan, the Security Edition, in order to get the Anti-Ransomware unit.
- Vulnerability scanning and patch management
- File backups
- Process scanning for suspicious programs
- Automatically restores damaged files
- Compliance reporting
- Only works on Windows PCs
The Anti-Ransomware service is currently free to use because it is in pre-release, but ManageEngine will eventually levy a charge for it. You can only get this add-on with the Security Edition of Endpoint Central. You can get the Security Edition on a 30-day free trial on the SaaS version and with the on premises option. The Anti-Ransomeware service is also available during the free trial.
CrowdStrike Falcon Insight uses AI processes to monitor user account activity on endpoints and look for unexpected events on the endpoints. This machine learning strategy is called user and entity behavior analytics (UEBA) and is a key attribute of a next-generation antivirus system.
- Local AV
- Cloud-based SIEM
- Private threat intelligence
- Autonomous protection
Why do we recommend it?
CrowdStrike Falcon Insight provides another SIEM-like method to identify lateral movements or tampering on any endpoint. If a report uploaded by an endpoint indicates a threat, Insight can communicate the nature of that threat to all other devices. The endpoint agent is a full AV that can continue to work independently if communication with the cloud unit gets blocked – which is exactly what happens in a Snake attack.
Each device on your system will have a unit called Falcon Prevent installed on it. In addition, a coordinating module in the cloud, You should look into three systems the heart of the Falcon Insight system, which provides threat intelligence to the endpoint monitors.
This system can work even when all communications with the cloud controller get blocked by the Snake ransomware. The agent will identify the pre-attack activities of Snake ransomware, suspend the accounts that it has accessed, isolate the device from the network, and kill the ransomware processes.
Who is it recommended for?
This system is easy to expand because the system administrator just has to install the AV, called Falcon Prevent on a new computer to get that device included in Falcon Insight coverage. The INsight element is a cloud based system that can consolidate the detection data of many endpoints. Thus, this is a good solution for growing enterprises and large organizations.
- Excels in hybrid environments (Windows, Linux, Cloud, BYOD, etc)
- Intuitive admin console makes it easy to get started and is accessible in the cloud
- Can track and alert anomalous behavior over time, improves the longer it monitors the network
- Lightweight agents take up little system resources
- Would benefit from a longer trial period
You can get a 15-day free trial of Falcon Insight.
BitDefender GravityZone is a comprehensive package of security tools. It covers just about every aspect of system security that needs to be monitored to prevent a Snake ransomware attack. In addition, the package includes malware checks at many different points on the system, not just on endpoints.
GravityZone includes a vulnerability manager that will spot issues such as insecure ports and looking for out-of-date software versions. In addition, the bundle consists of a file integrity monitor that will trigger an alert as soon as encryption begins. However, all of the other firebreaks in the GravityZone package mean that Snake ransomware will never get that far into its attack cycle.
An essential module in the GravityZone package is its backup management system. Not only does this ensure that all of your files are available for recovery, but it pre-scans all files for malware infection before uploading them. This tool puts you in an excellent position for recovering from any ransomware attack without having to pay the ransom.
- Simple UI reduces the learning curve and helps users gain insights faster
- Uses both signature-based detection and behavior analysis to identify threats
- Offers disc encryption on top of endpoint protection
- Includes device control options for locking down USB ports
- Could use more documentation to help users get started quicker
GravityZone runs as a virtual appliance, and it is available for a one-month free trial.