
Snake ransomware tries to slither its way into enterprise networks

Add yet another malicious encryption program to the expanding ranks of ransomware programs that target large enterprise networks in hopes of scoring big financial payoffs.

The latest such threat is called Snake, a ransomware program written in the Go programming language, with an unusually high level of obfuscation. It was discovered by researchers at MalwareHunterTeam; analyzed by Vitali Kremez, head of SentinelLabs at SentinelOne; and reported by BleepingComputer.

As Snake encrypts each network file, it reportedly appends a random five-character string to the extension, and then within each file it appends the file marker "EKANS" (SNAKE spelled backwards). Certain Windows system folders and system files are ignored by the ransomware, including windir, SystemDrive, :\$Recycle.Bin, :\ProgramData, :\Users\All Users, :\Program Files, :\Local Settings, :\Boot, :\System Volume Information, :\Recovery and AppData.

Before the encryption begins, it removes shadow copies to thwart recovery efforts, and "kills numerous processes related to SCADA systems, virtual machines, industrial control systems, remote management tools, network management software and more," wrote BleepingComputer creator Lawrence Abrams in a Jan. 8 report.

The ransom note, named Fix-Your-Files.txt and found in the desktop folder, provides the victim with an email address to contact for payment instructions. It also says the victim can attach up to three files, 3 MB in size or less, for the attackers to decrypt, as supposed proof that the files can be recovered.

"What happened to your files? We breached your corporate network and encrypted the data on your computers. The encrypted data includes documents, databases, photos and more - all were encrypted using a military grade encryption algorithms (AES-256 and RSA-2048). You cannot access those files right now," the note states. "The only way to restore your files is by purchasing a decryption tool loaded with a private key we created specifically for your network. Once run on an effected [sic] computer, the tool will decrypt all encrypted files - and you can resume day-to-day operations, preferably with better cyber security in mind," it continues.
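A defender-side triage script for the two on-disk artifacts described above, added here as an example and not code from the report or from any of the researchers named: it walks a directory tree and flags files whose trailing bytes carry the "EKANS" marker, plus any Fix-Your-Files.txt ransom notes. It assumes the marker sits at the end of each encrypted file, and the sample tree it builds is constructed for the demonstration.

```python
# Added triage example, not the report's code: flag the two on-disk artifacts the
# article attributes to Snake, the "EKANS" marker and the Fix-Your-Files.txt note.
import os
import tempfile
from pathlib import Path

EKANS_MARKER = b"EKANS"             # file marker named in the report
RANSOM_NOTE = "Fix-Your-Files.txt"  # ransom note name from the report
# Assumption: the marker is appended at the end of each file, so reading only
# the tail is enough; TAIL_BYTES is a tuning value chosen here, not reported.
TAIL_BYTES = 4096

def has_ekans_marker(path: Path) -> bool:
    """True when the trailing bytes of `path` contain the EKANS marker."""
    try:
        size = path.stat().st_size
        with path.open("rb") as fh:
            fh.seek(max(0, size - TAIL_BYTES))
            return EKANS_MARKER in fh.read()
    except OSError:  # locked or unreadable file: skip it rather than abort
        return False

def triage(root) -> dict:
    """Walk `root`; return sorted lists of marked files and ransom notes."""
    marked, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if name == RANSOM_NOTE:
                notes.append(str(p))
            elif has_ekans_marker(p):
                marked.append(str(p))
    return {"marked_files": sorted(marked), "ransom_notes": sorted(notes)}

def build_sample(root) -> None:
    """Constructed sample tree: one 'encrypted' file, one clean file, one note."""
    d = Path(root) / "finance"
    d.mkdir(parents=True, exist_ok=True)
    # Constructed name: original .xlsx extension plus a five-character suffix;
    # body is filler bytes followed by the marker, as the report describes.
    (d / "q4.xlsxk9Qz2").write_bytes(bytes(range(256)) * 2 + EKANS_MARKER)
    (d / "readme.txt").write_bytes(b"nothing to see here\n")
    (Path(root) / RANSOM_NOTE).write_text("What happened to your files?\n")

def demo() -> dict:
    """Build the sample in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return triage(tmp)
```

Calling demo() triages the constructed sample; pointing triage() at a mounted share scopes a real incident. A marker hit alone is a triage signal rather than proof, since the five-byte string can occur inside legitimate binaries, so pair it with the renamed-extension evidence before declaring a file encrypted.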

"The ransomware contains a level of routine obfuscation not previously and typically seen coupled with the targeted approach," Kremez, Head of SentinelLabs, told BleepingComputer in a conversation.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
