SNAKE Ransomware Targeting Entire Corporate Networks
Security researchers have observed samples of the new SNAKE ransomware family targeting organizations’ entire corporate networks.
Discovered by MalwareHunterTeam and analyzed by Vitali Kremez, SNAKE is written in Golang and contains a high level of obfuscation.
Upon successful infection, the ransomware deletes the machine’s Shadow Volume Copies before terminating various processes associated with SCADA systems, network management solutions, virtual machines and other tools. It then proceeds to encrypt the machine’s files while skipping over important Windows folders and system files. As part of this process, it appends “EKANS” as a file marker along with a five-character string to the file extension of each file it encrypts.
The threat wraps up its encryption routine by dropping a ransom note entitled “Fix-Your-Files.txt” in the C:\Users\Public\Desktop folder. This ransom note instructs victims to contact “bapcocrypt@ctemplar.com” in order to purchase a decryption tool.
That’s not all the ransom note says. Bleeping Computer points this out in a blog post on SNAKE:
As you can see from the language in the ransom note, this ransomware specifically targets the entire network rather than individual workstations. They further indicate that any decryptor that is purchased will be for the network and not individual machines, but it is too soon to tell if they would make an exception.
SNAKE isn’t the first ransomware that’s directed its focus to entire corporate networks. Back in March 2019, for instance, researchers discovered a new variant of the CryptoMix Clop ransomware family that claimed to target entire networks instead of individual users’ machines. A few months later, the security community learned of a new crypto-ransomware threat called “TFlower” targeting corporate environments via exposed Remote Desktop Services (RDS).
The emergence of SNAKE ransomware highlights the need for organizations to defend themselves against a ransomware infection. They can use these recommendations to prevent a ransomware infection in the first place. They should also consider investing in a solution like Tripwire File Analyzer for the purpose of detecting suspicious files and behavior on the network.
English
Afrikaans
Albanian
Arabic
Bosnian
Bulgarian
Chinese (Simplified)
Chinese (Traditional)
Croatian
Czech
Danish
Dutch
Estonian
Filipino
Finnish
French
Galician
Georgian
German
Greek
Haitian Creole
Hawaiian
Hebrew
Hindi
Hungarian
Icelandic
Indonesian
Irish
Italian
Japanese
Javanese
Korean
Kurdish (Kurmanji)
Lao
Latin
Latvian
Lithuanian
Luxembourgish
Malay
Malayalam
Maltese
Mongolian
Nepali
Norwegian
Persian
Polish
Portuguese
Romanian
Russian
Samoan
Scottish Gaelic
Serbian
Slovak
Slovenian
Spanish
Swedish
Thai
Turkish
Vietnamese
Welsh
Yiddish