
SNAKE Ransomware

Posted: January 8, 2020

The SNAKE Ransomware is a file-locking Trojan family that blocks digital media files by encrypting them and sells the unlocking decryptor through a ransoming service. The SNAKE Ransomware campaign is currently targeting enterprise-level corporate networks, which it may be compromising by brute-forcing logins or through e-mail-based tactics. Victims should quarantine or delete the SNAKE Ransomware on sight with appropriate anti-malware solutions and maintain rigorous backups for recovery.

Unexpected Pokemon References in a Corporate Raider

References to the Pokemon multimedia franchise are showing up in unusual places, such as the latest corporation-raiding Trojan's campaign. The Trojan family in question, the SNAKE Ransomware, is positioning itself to compete alongside similar threats like the Scarab Ransomware or the Globe Ransomware by extorting money from corporate entities. It does so, as usual, by locking files on infected computers and demanding a ransom before handing over the unlocker.

The SNAKE Ransomware is written in Golang (Go), a programming language it shares with Sednit's Go variant of Zebrocy, as well as the JCry Ransomware, among others. In a live infection scenario, malware researchers outline its payload's progression as follows:

  • One of the SNAKE Ransomware's first actions targets backups, such as the Shadow Volume Copies. Deleting this data prevents recovery through 'obvious' means like Restore Points.
  • Then the Trojan moves on to a feature that more sophisticated Trojan families use: automatically terminating processes associated with widely used VMs, security utilities, SCADA controls, and network management applications.
  • Only after these precautions are in place does the SNAKE Ransomware start encrypting files, including those on all networked drives, not just a single PC and its local ones. The routine converts portions of each file's data with an encryption algorithm, implants an 'EKANS' marker into the file data, and appends the same text to the file name as an extension. Besides being 'snake' backwards, 'EKANS' is also the name of a well-known monster from the Pokemon franchise, making for a surprisingly tongue-in-cheek reference in an otherwise businesslike Trojan.
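
The two on-disk traces described above, the 'EKANS' marker in file data and the same string used as a file-name extension, are what an incident responder can sweep a share for. The following triage scanner is an added example, not code from the original article or from any vendor tool; it assumes the marker sits in the trailing bytes of an encrypted file and that the renamed files end in an 'EKANS' extension, and it builds its own constructed sample files in a temporary directory so it runs offline.

```python
"""Triage scanner for SNAKE/EKANS-style file-locking artifacts.

Added example (not code from the original article). It looks for the two
on-disk traces the write-up describes: an 'EKANS' marker appended to file
data and the same string used as a file-name extension. The marker's
position at the end of the file and the sample files built below are
assumptions made for illustration.
"""
import os
import tempfile
from pathlib import Path

MARKER = b"EKANS"      # marker text as described in the article
TAIL_BYTES = 64        # assumed: inspect only the trailing bytes of each file


def has_marker(path: Path) -> bool:
    """Return True if the trailing bytes of the file contain the marker."""
    try:
        size = path.stat().st_size
        with path.open("rb") as fh:
            fh.seek(max(0, size - TAIL_BYTES))
            return MARKER in fh.read()
    except OSError:
        return False  # unreadable files are skipped rather than misclassified


def has_marker_extension(path: Path) -> bool:
    """Return True if the file's last extension contains the marker string."""
    return MARKER.decode() in path.suffix.upper()


def scan_tree(root: Path) -> dict:
    """Walk root and classify every regular file.

    Returns {'marked': [...], 'renamed': [...], 'clean_count': n}; paths are
    relative to root in POSIX form and sorted for deterministic output.
    """
    marked, renamed, clean = [], [], 0
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            m = has_marker(p)
            e = has_marker_extension(p)
            if m:
                marked.append(rel)
            if e:
                renamed.append(rel)
            if not (m or e):
                clean += 1
    return {"marked": sorted(marked), "renamed": sorted(renamed), "clean_count": clean}


def build_sample_tree(root: Path) -> None:
    """Create a constructed layout (not captured from a real infection):
    one clean file, one file with the marker appended to its data, and one
    file renamed with the marker as its extension."""
    (root / "reports").mkdir(parents=True, exist_ok=True)
    (root / "reports" / "q4.docx").write_bytes(b"PK\x03\x04 ordinary document bytes")
    (root / "reports" / "budget.xlsx").write_bytes(b"PK\x03\x04 ciphertext..." + MARKER)
    (root / "plan.pdf.EKANS").write_bytes(b"ciphertext without trailing marker")


def demo() -> dict:
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    result = demo()
    for kind in ("marked", "renamed"):
        for rel in result[kind]:
            print(f"{kind}: {rel}")
    print(f"clean files: {result['clean_count']}")
```

Point `scan_tree` at a mounted share or a forensic image to get a quick count of touched files; the two lists are kept separate because a file can carry the data marker without the rename, or vice versa, and both signals are worth reporting.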

The SNAKE Ransomware also creates an English text message on the user's desktop. Here, malware experts see little innovation: the threat actors stick to the standard practice of offering free 'demonstration' decryption of three files and providing e-mail addresses without stating the unlocker's ransom price upfront. Ransoms aimed at corporate-level victims tend to run to several thousand dollars at a minimum.

The Best Antivenom for a Backwards Snake in the Grass

Despite its high-level profiteering, the SNAKE Ransomware is vulnerable to the precautions that networks should already take against every other file-locking Trojan family, such as the long-running Dharma Ransomware or even Hidden Tear. Security measures like multi-factor authentication and restricted administrative privileges can limit the Trojan's access to other media, such as non-local backups. Because a free decryptor for the SNAKE Ransomware is unlikely to be developed, all administrators and workers should maintain alternate means of restoring crucial data.

Some infection vectors for the SNAKE Ransomware's enterprise-level campaigns are more likely than others. Threat actors can compromise networks by abusing exposed RDP settings, brute-forcing their way to login credentials, or sending e-mail phishing lures. In that last case, malware experts recommend watching for attachments, such as PDFs, spreadsheets, or DOCs, particularly those with embedded macro content.
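
Of the vectors listed above, credential brute-forcing against an exposed RDP service is the one that leaves the clearest trail in authentication logs: a burst of failed logons from one source address across many usernames. The detector below is an added example, not code from the original article or any product; it assumes a simple constructed record format of 'timestamp source user outcome' per line and uses constructed sample records, and it flags any source that accumulates the threshold number of failures inside a sliding window.

```python
"""Failed-logon burst detector for RDP brute-force attempts.

Added example, not part of the original article or any vendor tool. The
record format ('ISO-timestamp source-ip username OK|FAIL'), the sample
lines, the threshold and the window are all assumptions made for this
illustration. Records are expected in chronological order.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                     # failures from one source that raise an alert
WINDOW = timedelta(seconds=60)    # sliding window in which they must occur

# Constructed sample records (not real logs). One source sprays several
# account names in seconds; another is an ordinary user who mistypes twice.
SAMPLE_LOG = """\
2020-01-08T09:00:01 203.0.113.5 administrator FAIL
2020-01-08T09:00:03 203.0.113.5 admin FAIL
2020-01-08T09:00:04 203.0.113.5 backup FAIL
2020-01-08T09:00:06 198.51.100.7 jsmith OK
2020-01-08T09:00:08 203.0.113.5 sqlsvc FAIL
2020-01-08T09:00:09 203.0.113.5 root FAIL
2020-01-08T09:00:11 203.0.113.5 administrator FAIL
2020-01-08T09:05:00 198.51.100.7 jsmith FAIL
2020-01-08T09:30:00 198.51.100.7 jsmith FAIL
"""


def parse_line(line: str):
    """Split one record into (datetime, source, user, outcome)."""
    ts, src, user, outcome = line.split()
    return datetime.fromisoformat(ts), src, user, outcome


def detect_bursts(text: str, threshold: int = THRESHOLD, window: timedelta = WINDOW) -> dict:
    """Return {source: (first_failure, last_failure, count)} for every source
    that reaches `threshold` failed logons within `window`.

    Only the first alert per source is recorded, so a long-running attack
    produces one entry rather than one per additional failure.
    """
    recent = defaultdict(deque)   # source -> timestamps of recent failures
    alerts = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _user, outcome = parse_line(line)
        if outcome != "FAIL":
            continue              # successful logons do not count toward a burst
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop failures that fell out of the window
        if len(q) >= threshold and src not in alerts:
            alerts[src] = (q[0], ts, len(q))
    return alerts


if __name__ == "__main__":
    for src, (first, last, n) in detect_bursts(SAMPLE_LOG).items():
        print(f"ALERT {src}: {n} failures between {first.isoformat()} and {last.isoformat()}")
```

The sliding deque keeps memory bounded to one window per source, and the OK record from the second address shows why successes are excluded: a legitimate user who occasionally fails never reaches the threshold, while a sprayed source does within seconds. Feed the function real export lines after adapting `parse_line` to the log format in use.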

Anti-malware solutions with up-to-date databases should prove effective at blocking infections or, in worst-case scenarios, removing the SNAKE Ransomware afterward.

The SNAKE Ransomware's entry into the field has a lot to prove against well-established competitors, but it's already making headway. Hopefully, more companies than not are responding by falling back to their backups instead of giving up a ransom to this serpentine software.
