A recently discovered file-encrypting ransomware is raising concerns for industrial control system (ICS) operators. Written in the Go language, SNAKE/EKANS ransomware attempts to extort its victims by encrypting their files, leaving those affected with few options other than to meet the hackers’ demands. The process kill list that it uses is similar to a variant of the MegaCortex ransomware that emerged as a threat in 2019.
Nozomi Networks Labs actively monitors and analyzes emerging threats. Here are our insights on SNAKE/EKANS, and our recommendations for protecting your ICS systems.
SNAKE/EKANS ransomware uses obfuscation to make analysis difficult. Processes typically found in industrial control system (ICS) environments are killed before file encryption begins.
Protecting Nozomi Networks Customers from Snake
When news of Snake first broke via a tweet on January 6th from ethical hacker Vitali Kremez (@VK_Intel), Nozomi Networks Labs researchers immediately reached out to our sources to collect a sample of the malicious malware for preliminary analysis.
The following day malware researcher sysopfb (@sysopfb) posted his notes on decoding the ransomware’s strings on GitHub. Using our own analysis in combination with the information shared by these researchers, on January 8th, Nozomi Networks Labs added Snake ransomware signatures and rules to our Threat Intelligence repository.
In Nozomi Networks’ analysis of the malware, we found that Snake doesn’t attempt to spread, but instead relies on manual propagation. Infection vectors include malicious email attachments and exploitation of unpatched or poorly secured services.
Initially, we noticed that the ransomware sample contained strings related to processes typically found in ICS environments. Upon further investigation, we discovered that the ransomware is able to kill various processes, some of which were ICS-related, and then attempt to encrypt any files it could access. The process list was very similar to the one used by MegaCortex, a ransomware that emerged in 2019. MegaCortex is also covered in Nozomi Networks Threat Intelligence service.
Due to the aggressive nature of the SNAKE/EKANS ransomware, it’s important to have multiple controls in place to prevent and detect this threat.
Preventing a Snake Attack
A successful ransomware attack can be extremely debilitating, leaving victims with no other option than to meet the hackers’ demands.
Enterprises should take the threat seriously and make sure their organization is following general security guidelines including particular diligence when it comes to:
- Mail content scanning and filtering to thwart malicious campaigns
- Security awareness among all employees to avoid falling victim to phishing campaigns
- Applying a health-check on your network infrastructure. It’s important to make sure that correct network segregation and firewall policies are in place
- Ensuring that all devices and services are patched and not vulnerable to known attacks
- Implementing a backup policy that supports quick access to impacted files
Due to the aggressive nature of the Snake ransomware, it’s important to have multiple controls in place to prevent and detect this threat. This includes continuous security awareness training for employees and personnel to help them better identify fake and malicious emails.
In addition to SPAM filters and firewalls, Nozomi Networks Labs recommends the use of both anomaly detection technologies to identify unusual behavior, and traditional threat detection capabilities to provide additional context around suspicious actors related to known threats.
Within 48 hours of the announcement of this threat, the Nozomi Networks Labs team added new rules and signatures to help detect Snake in our customers’ environments. This means that alerts will be triggered for suspicious activity related to the known threat, Snake, so they can quickly detect and remediate incidents. Customers using the Nozomi Networks Threat Intelligence service should make sure that their systems are running the latest version (as of January 9, 2020) to enable these new rules.
Read this document to learn how Threat Intelligence:
- Makes it easy to detect threats and identify vulnerabilities
- Notably reduces the time to detection, minimizing impacts
- Speeds response with prioritized alerts and actionable insights
Supply Chain and Persistent Ransomware Attacks Reach New Heights
- 7 trends defining today’s threat landscape
- 18 specific threats you need to know about
- Recent vulnerability research and exploitation trends
- 7 types of vulnerabilities under active exploitation
- 10 recommendations for securing OT/IoT networks
- Executive Brief: The Cost of OT Cybersecurity Incidents and How to Reduce Risk
- Blog: URGENT/11 New ICS Threat Signature by Nozomi Networks Labs
- Blog: New Switch Vulnerability Discovered by Nozomi Networks Labs
- Blog: Black Hat: The Future of Securing Power Grid Intelligent Devices
- Research Paper: GreyEnergy: Dissecting the Malware from Maldoc to Backdoor
- Webpage: Nozomi Networks Guardian
- Webpage: Nozomi Networks Labs
Security Research Manager, Nozomi Networks
Alessandro Di Pinto is an Offensive Security Certified Professional (OSCP) with an extensive background in malware analysis, ICS/SCADA security, penetration testing and incident response. He holds GIAC Reverse Engineering Malware (GREM) and GIAC Cyber Threat Intelligence (GCTI) certifications. Alessandro co-authored the research paper “TRITON: The First ICS Cyber Attack on Safety Instrument Systems” and “Analyzing the GreyEnergy Malware: from Maldoc to Backdoor”.