SNAKE Ransomware

First observed in January 2020, SNAKE (also known as EKANS) is a Go-based ransomware targeting organisations worldwide. Believed to be based on the older MegaCortex ransomware, SNAKE is also notable for affecting SCADA and industrial control systems (ICS), with evidence to suggest it is specifically targeting organisations using these products.

Threat ID:: CC-3333
Category:: Ransomware
Threat Severity:: Medium
Threat Vector:
Published:: 9 January 2020 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Affected platforms

The following platforms are known to be affected:

Microsoft Windows

Microsoft Windows - All Versions

Threat details

SNAKE is delivered manually following a period of extensive network reconnaissance by its operators, with initial access achieved via exposed RDP or ICS services. The operators will also attempt to extract sensitive information during this time, later using it to coerce affected organisations to meet their ransom demands.

When started SNAKE removes Volume Shadow Copies before terminating virtual machines, ICS, remote management tools, and network management software processes. It then encrypts non-system files on the device, before appending a random 5 character string to the file extension.

Remediation steps

Type	Step
	If a device on your network becomes infected with ransomware it will begin encrypting local machine files and files on any network the logged-in user has permission to access. For system administration accounts this may include backup storage locations. To avoid becoming infected with ransomware, ensure that: A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails. All operating systems, anti-virus and other security products are kept up to date. All day to day computer activities such as email and internet are performed using non-administrative accounts and that permissions are always assigned based on the principle of least privilege. Your organisation adopts a holistic all-round approach to Cyber Security as advocated by the 10 Steps to Cyber Security. Identifying the source of infection: Identifying the affected device and disconnecting or quarantining it from the network is essential to damage limitation. Users should immediately report infections to their IT support provider, disconnect their network cable and power the computer down. File auditing should be enabled, and file server logs should be monitored to detect signs of unauthorised encryption and allow the source of encryption to be identified (i.e. the infected device). To limit the damage of ransomware and enable recovery: All critical data must be backed up, and these backups must be sufficiently protected/kept out of reach of ransomware. Multiple backups should be created including at least one off-network backup (e.g. to tape). The only guaranteed way to recover from a ransomware infection is to restore all affected files from their most recent backup

Type

Step

If a device on your network becomes infected with ransomware it will begin encrypting local machine files and files on any network the logged-in user has permission to access. For system administration accounts this may include backup storage locations.

To avoid becoming infected with ransomware, ensure that:

A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
All operating systems, anti-virus and other security products are kept up to date.
All day to day computer activities such as email and internet are performed using non-administrative accounts and that permissions are always assigned based on the principle of least privilege.
Your organisation adopts a holistic all-round approach to Cyber Security as advocated by the 10 Steps to Cyber Security.

Identifying the source of infection:

Identifying the affected device and disconnecting or quarantining it from the network is essential to damage limitation.
Users should immediately report infections to their IT support provider, disconnect their network cable and power the computer down.
File auditing should be enabled, and file server logs should be monitored to detect signs of unauthorised encryption and allow the source of encryption to be identified (i.e. the infected device).

To limit the damage of ransomware and enable recovery:

All critical data must be backed up, and these backups must be sufficiently protected/kept out of reach of ransomware.

Multiple backups should be created including at least one off-network backup (e.g. to tape).

The only guaranteed way to recover from a ransomware infection is to restore all affected files from their most recent backup

Indicators of compromise

Main indicators

Email Addresses

[email protected]

Filepaths

C:\Users\Public\Desktop\Fix-Your-Files.txt

MD5 File Hashes

2320d57414c3af6bcbedaac414bc8a7a
3d1cc4ef33bad0e39c757fce317ef82a
47ebe9f8f5f73f07d456ec12bb49c75d
53dddbb304c79ae293f98e0b151c6b28
7c046d183d77a8de253040868db283f2
d659325ea3491708820a2beffe9362b8

SHA1 File Hashes

2632529b0fb7ed46461c406f733c047a6cd4c591
f34e4b7080aa2ee5cfee2dac38ec0c306203b4ac

SHA256 File Hashes

01611e16f573da2c9dbc7acdd445d84bae71fecf2927753e341d8a5652b89a68
09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138
0ce78efa764ce1e7fb92c4de351ec1113f3e2ca4b2932feef46d7d62d6ae87f5
18c277c7953983f45f2fe6ab4c7d872b2794c256604e43500045cb2b2084103f
2ed3e37608e65be8b6e8c59f8c93240bd0efe9a60c08c21f4889c00eb6082d74
4e78a26832a0d471922eb61231bc498463337fed8874db5f70b17dd06dcb9f09
6f1a1dbeb5b28c80ddc51b77a83c7a27b045309c4f1bff48aaff7d79dfd4eb26
780936deb27be5dceea20a5489014236796a74cc967a12e36cb56d9b8df9bc86
873aa376573288fcf56711b5689f9d2cf457b76bbc93d4e40ef9d7a27b7be466
8b2271938c524dd1064e74717b82e48b778e49e26b5ac2dae8856555b5489131
a5a7e6ddf99634a253a060adb1f0871a5a861624382e8ca6d086e54f03bed493
b4822eeb71c83e4aab5ddfecfb58459e5c5e10d382a2364da1c42621f58e119b
e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60

Last edited: 29 June 2021 12:00 pm