This malware first appeared at the end of December last year. Its most interesting feature is that it targets industrial control systems (ICS): not individual machines, but the entire network.
A sample of this software, written in the Go programming language, was seen in commercial malware repositories for the first time. It is designed to terminate certain processes on infected computers, including several related to ICS operations, and to delete volume shadow copies in order to eliminate Windows backups.
Although no decryptor is currently available, systems running Acronis Active Protection, the AI-based anti-malware technology integrated into our cyber security solutions, successfully detect Snake as a “zero-day attack” and neutralize it.
The infection process and a number of technical details
The entry point for Snake is an insecure Remote Desktop Protocol (RDP) configuration. It is distributed through spam and malicious attachments, but can also be delivered via botnets, exploit kits, malicious advertising, web injects, fake updates, and repackaged, infected installers.
According to our analysis, when executed Snake deletes the computer’s volume shadow copies and then shuts down a number of processes related to supervisory control and data acquisition (SCADA) systems, virtual machines, industrial control systems, remote control tools, network management software, and so on. Deleting Windows backups has become standard, expected behaviour for any new ransomware program.
The ransomware checks for a mutex named “EKANS” on the victim’s system. If it exists, the malware stops with the message “Already encrypted!”. Otherwise it creates the mutex and performs encryption using standard encryption libraries. The main functionality on infected systems is driven by queries through Windows Management Instrumentation (WMI), after which the encryption operations begin.
Before proceeding with file encryption, Snake stops (kills) any process found in a hard-coded list embedded in the strings of the malicious program. A complete list of these processes, grouped by function or relationship, is presented below:
When encrypting files on an infected machine, Snake skips files located in the following Windows system folders (the leading “:\” stands for any drive letter):
- :\$Recycle.Bin
- :\ProgramData
- :\Users\All Users
- :\Program Files
- :\Local Settings
- :\Boot
- :\System Volume Information
- :\Recovery
A random five-character string is appended to the extension of each encrypted file, and the file marker “EKANS” is added as well. The encryption process is generally slow and, in actual infections, is carried out during off-hours.
After the encryption process is completed, the program leaves a ransom file called Fix-Your-Files.txt.
User access to the encrypted system is maintained throughout the process: the system does not restart or shut down, and remote access channels are not closed. This distinguishes Snake / EKANS from more destructive ransomware such as LockerGoga. The ransomware uses a privacy-focused CTemplar email address, a service similar to Protonmail.
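The skipped-folder list and the file artifacts described above (five extra extension characters, the “EKANS” marker) are enough for a first incident-response triage pass over a recovered volume. The following script is an added example written for this article, not code from Acronis or from the malware analysis; it assumes the marker is written at the end of the file and that the original extension is kept with the five random characters appended, and it runs on a constructed sample directory.

```python
import re
import tempfile
from pathlib import Path

# Folder prefixes Snake skips, as listed in the write-up; the leading ":\"
# stands for any drive letter.
SKIPPED_PREFIXES = (
    r":\$Recycle.Bin", r":\ProgramData", r":\Users\All Users", r":\Program Files",
    r":\Local Settings", r":\Boot", r":\System Volume Information", r":\Recovery",
)
MARKER = b"EKANS"
# Assumption (not stated in the article): the marker sits at the very end of the
# file, and the original extension survives with five alphanumeric chars appended.
EXT_RE = re.compile(r"^\.[A-Za-z0-9]+[A-Za-z0-9]{5}$")


def is_skipped_path(win_path: str) -> bool:
    """True if a Windows-style path starts with a folder Snake leaves untouched."""
    tail = win_path[1:] if re.match(r"^[A-Za-z]:\\", win_path) else win_path
    return any(tail.lower().startswith(p.lower()) for p in SKIPPED_PREFIXES)


def looks_encrypted(path: Path) -> bool:
    """Extension with five extra characters AND the EKANS marker at the tail.

    The extension test alone is weak (".properties" also matches), so the
    trailing marker is the decisive signal."""
    if not EXT_RE.match(path.suffix):      # e.g. '.xlsxQz9Ra'
        return False
    size = path.stat().st_size
    if size < len(MARKER):
        return False
    with path.open("rb") as f:
        f.seek(size - len(MARKER))
        return f.read(len(MARKER)) == MARKER


def find_encrypted(root: Path) -> list:
    """Walk a mounted image or share and list suspected victim files."""
    return sorted(p for p in root.rglob("*") if p.is_file() and looks_encrypted(p))


def build_sample_tree() -> Path:
    """Constructed sample data (not real victim files) for a stand-alone run."""
    root = Path(tempfile.mkdtemp(prefix="ekans_triage_"))
    (root / "budget.xlsxQz9Ra").write_bytes(b"\x9f\x12 fake ciphertext " + MARKER)
    (root / "notes.txt").write_bytes(b"plain notes, untouched")
    (root / "site.properties").write_bytes(b"key=value")  # long ext, no marker
    return root


if __name__ == "__main__":
    for hit in find_encrypted(build_sample_tree()):
        print("suspected EKANS-encrypted file:", hit.name)
```

Paths under `is_skipped_path` are where original, unencrypted copies may still be found during recovery, since the ransomware did not touch them.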
Acronis Active Protection Detects Zero Day Attacks
Previously, malware targeting ICS was developed exclusively under the auspices of government agencies; with the advent of Snake / EKANS it can be said that financially motivated cybercriminals have joined the game.
Analysis of the malware is still ongoing, but at the moment it is impossible to decrypt the files it has affected.
But there is good news: Acronis Active Protection is able to detect Snake, stop the malicious process in real time, and restore all damaged files. You can imagine the damage this software could do if it got into an industrial environment and paralyzed motion control systems or power plants.