A recently discovered file-encrypting ransomware is raising concerns for industrial control system (ICS) operators. Written in the Go language, SNAKE/EKANS ransomware attempts to extort its victims by encrypting their files, leaving those affected with few options other than to meet the hackers’ demands. The process kill list that it uses is similar to a variant of the MegaCortex ransomware that emerged as a threat in 2019.
Nozomi Networks Labs actively monitors and analyzes emerging threats. Here are our insights on SNAKE/EKANS, and our recommendations for protecting your ICS systems.
Protecting Nozomi Networks Customers from Snake
When news of Snake first broke via a tweet on January 6th from ethical hacker Vitali Kremez (@VK_Intel), Nozomi Networks Labs researchers immediately reached out to our sources to collect a sample of the malware for preliminary analysis.
The following day malware researcher sysopfb (@sysopfb) posted his notes on decoding the ransomware’s strings on GitHub. Using our own analysis in combination with the information shared by these researchers, on January 8th, Nozomi Networks Labs added Snake ransomware signatures and rules to our Threat Intelligence repository.
What Nozomi Networks Labs Discovered About Snake
In Nozomi Networks’ analysis of the malware, we found that Snake doesn’t attempt to spread, but instead relies on manual propagation. Infection vectors include malicious email attachments and exploitation of unpatched or poorly secured services.
Initially, we noticed that the ransomware sample contained strings related to processes typically found in ICS environments. Upon further investigation, we discovered that the ransomware is able to kill various processes, some of which are ICS-related, and then attempts to encrypt any files it can access. The process list was very similar to the one used by MegaCortex, a ransomware that emerged in 2019. MegaCortex is also covered by the Nozomi Networks Threat Intelligence service.
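The behaviour described above (a list of ICS-related processes terminated just before encryption begins) leaves a recognisable pattern in process-exit telemetry. The following Python detector is an added example, not code from Nozomi Networks or from the malware analysis; the event line format, the watchlist process names (placeholders, not Snake's actual kill list) and the burst thresholds are all constructed for illustration.

```python
"""Added example (not Nozomi Networks' code): flag a burst of terminations of
watchlisted ICS processes, the pattern described for Snake/EKANS, from a
constructed stream of process-exit events.

Assumptions (not from the original post): the "<ISO timestamp> EXIT <process>
parent=<name>" line format, the watchlist names and the thresholds below are
all constructed for illustration.
"""
from collections import deque
from datetime import datetime, timedelta

# Constructed watchlist of process names a defender treats as ICS-critical.
# These are placeholders, not the real process list carried by the malware.
ICS_WATCHLIST = {"hmi_runtime.exe", "historian_svc.exe", "opc_server.exe", "plc_bridge.exe"}

BURST_COUNT = 3                        # this many watchlisted exits ...
BURST_WINDOW = timedelta(seconds=10)   # ... within this window raises an alert

# Constructed sample events, one per line.
SAMPLE_EVENTS = """\
2020-01-08T10:00:01 EXIT notepad.exe parent=explorer.exe
2020-01-08T10:02:10 EXIT hmi_runtime.exe parent=update.exe
2020-01-08T10:02:11 EXIT historian_svc.exe parent=update.exe
2020-01-08T10:02:12 EXIT opc_server.exe parent=update.exe
2020-01-08T10:02:13 EXIT plc_bridge.exe parent=update.exe
2020-01-08T10:30:00 EXIT opc_server.exe parent=services.exe
"""


def parse_event(line):
    """Parse one constructed event line into a dict (names lower-cased for matching)."""
    ts, kind, proc, parent = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "kind": kind,
        "proc": proc.lower(),
        "parent": parent.split("=", 1)[1].lower(),
    }


def detect_kill_bursts(lines, watchlist=ICS_WATCHLIST, count=BURST_COUNT, window=BURST_WINDOW):
    """Return one alert per burst of `count` watchlisted process exits that share a
    parent and fall within `window`. Grouping by parent names the likely killer;
    a single legitimate service restart (one exit) never reaches the threshold."""
    recent = {}   # parent -> deque of (timestamp, process) inside the window
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = parse_event(line)
        if ev["kind"] != "EXIT" or ev["proc"] not in watchlist:
            continue
        q = recent.setdefault(ev["parent"], deque())
        q.append((ev["ts"], ev["proc"]))
        # Drop exits that have aged out of the sliding window.
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        if len(q) >= count:
            alerts.append({
                "parent": ev["parent"],
                "first": q[0][0],
                "last": ev["ts"],
                "killed": [proc for _, proc in q],
            })
            q.clear()   # one alert per burst; further exits start a new window
    return alerts


if __name__ == "__main__":
    for alert in detect_kill_bursts(SAMPLE_EVENTS.splitlines()):
        print(f"ALERT: {alert['parent']} terminated {alert['killed']} "
              f"between {alert['first']} and {alert['last']}")
```

In a real deployment the input would be process-exit telemetry such as Windows Security event 4689 or Sysmon event 5 rather than constructed lines, and the watchlist would be built from the processes actually running on the site's engineering workstations and HMIs; the sliding-window-per-parent logic stays the same.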
Preventing a Snake Attack
A successful ransomware attack can be extremely debilitating, leaving victims with no other option than to meet the hackers’ demands.
Enterprises should take the threat seriously and make sure their organization is following general security guidelines, with particular diligence when it comes to:
- Mail content scanning and filtering to thwart malicious campaigns
- Security awareness among all employees to avoid falling victim to phishing campaigns
- Applying a health check to your network infrastructure. It’s important to make sure that correct network segregation and firewall policies are in place
- Ensuring that all devices and services are patched and not vulnerable to known attacks
- Implementing a backup policy that supports quick access to impacted files
Due to the aggressive nature of the Snake ransomware, it’s important to have multiple controls in place to prevent and detect this threat. This includes continuous security awareness training for employees and personnel to help them better identify fake and malicious emails.
In addition to spam filters and firewalls, Nozomi Networks Labs recommends the use of both anomaly detection technologies to identify unusual behavior, and traditional threat detection capabilities to provide additional context around suspicious actors related to known threats.
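One concrete form the anomaly-detection layer mentioned above can take is a content check on file writes: a ransomware run replaces many normally compressible files with high-entropy ciphertext in a short time. The Python below is an added example, not Nozomi Networks' detection logic; the entropy threshold, extension lists, file names and sample contents are constructed, and the deterministic SHA-256 chain merely stands in for encrypted output so the example runs the same way every time.

```python
"""Added example (not Nozomi Networks' code): a minimal content-entropy anomaly
check over file-write events, flagging bursts of newly high-entropy files under
extensions that are normally plain text. All thresholds, extension sets, file
names and contents below are constructed assumptions for illustration."""
import hashlib
import math
import os
from collections import Counter

HIGH_ENTROPY = 7.0   # bits per byte (constructed threshold); encrypted data approaches 8.0
# Extensions whose contents are normally compressible, so high entropy is suspicious.
TEXT_LIKE = {".txt", ".csv", ".xml", ".ini", ".log"}
# Already-compressed formats are high-entropy by nature and must never be flagged.
COMPRESSED = {".zip", ".gz", ".jpg", ".png", ".7z"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty or single-symbol input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(name: str, data: bytes) -> bool:
    """True when a normally text-like file now holds high-entropy content."""
    ext = os.path.splitext(name)[1].lower()
    if ext in COMPRESSED:
        return False          # legitimate high entropy; avoid the obvious false positive
    return ext in TEXT_LIKE and shannon_entropy(data) >= HIGH_ENTROPY


def pseudo_random_bytes(seed: bytes, length: int) -> bytes:
    """Deterministic stand-in for ciphertext (SHA-256 chain), constructed for the example."""
    out = bytearray()
    block = seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:length])


# Constructed write events: (timestamp in seconds, filename, new content).
# The first two writes are ordinary; the last four imitate a mass-encryption pass.
SAMPLE_WRITES = [
    (0, "report.txt", b"Quarterly production summary for line 3.\n" * 50),
    (5, "config.ini", b"[plc]\naddress=10.0.0.5\nport=502\n" * 30),
    (60, "report.txt", pseudo_random_bytes(b"a", 2048)),
    (61, "config.ini", pseudo_random_bytes(b"b", 2048)),
    (62, "setpoints.csv", pseudo_random_bytes(b"c", 2048)),
    (63, "archive.zip", pseudo_random_bytes(b"d", 2048)),
]


def detect_encryption_burst(writes, window_s=30, min_files=3):
    """Return (flagged file names, burst) where burst is True when at least
    `min_files` flagged writes land inside any `window_s`-second window."""
    flagged = [(ts, name) for ts, name, data in writes if looks_encrypted(name, data)]
    burst = any(
        sum(1 for t, _ in flagged if ts <= t <= ts + window_s) >= min_files
        for ts, _ in flagged
    )
    return [name for _, name in flagged], burst


if __name__ == "__main__":
    names, burst = detect_encryption_burst(SAMPLE_WRITES)
    print("flagged:", names, "burst:", burst)
```

The extension allow-list is what keeps the check usable: without it, every archive or image write would trip the entropy threshold. A single flagged file is still only a weak signal (a user may legitimately save an encrypted container with a .txt name), which is why the burst condition, not the per-file check, is what should raise an alert.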
Within 48 hours of the announcement of this threat, the Nozomi Networks Labs team added new rules and signatures to help detect Snake in our customers’ environments. This means that alerts will be triggered for suspicious activity related to the known threat, Snake, so customers can quickly detect and remediate incidents. Customers using the Nozomi Networks Threat Intelligence service should make sure that their systems are running the latest version (as of January 9, 2020) to enable these new rules.