SentinelLabs reports it has observed a new ransomware, called “Snake,” in targeted campaigns over the last month. According to SentinelLabs, Snake stands out among current ransomware variants for being more aggressive and more complex. Upon infection, relevant files are overwritten with encrypted data. Each modified file is also tagged with the string “EKANS” (Snake backwards). In addition, the names of modified files are appended with random characters, rather than a single or uniform extension change. This, in theory, makes it more difficult to identify the specific ransomware family simply by the file extensions.

The actual encryption process is achieved via a mix of symmetric and asymmetric cryptography. A symmetric key is required for encrypting and decrypting files. The symmetric key is encrypted with the attacker’s public key, so decryption is only possible using the attacker’s private key. This mixture, along with the key lengths, aims to make third-party decryption difficult or impossible.

As with most modern ransomware, Snake attempts to remove the Volume Shadow Copies that the operating system uses for backup. The ransomware also attempts to terminate various processes. It appears to be targeting those associated with SCADA platforms, enterprise management tools, system utilities and the like. Some specifically targeted applications include VMware Tools, Microsoft System Center Operations Manager, Nimbus, Honeywell HMIWeb, FLEXnet, and more.

Snake, like other targeted ransomware campaigns, has the potential to do serious and critical damage to an infected environment. The article recommends that system administrators stay aware and vigilant for this kind of attack, advocating for having a functional and well-tested backup as part of a business continuity and disaster recovery plan. It also includes an indicator of compromise. Read the article at SentinelLabs.
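Because the appended extension is randomized, triage of a suspected Snake infection cannot rely on file names; the “EKANS” tag is the more stable signal. The following is an added example for defenders, not code from SentinelLabs or from the article, showing how to sweep a directory tree for tagged files. It assumes the tag sits near the end of each file (the article does not state where it is written, so the scan inspects only a 4 KiB tail window) and pairs the string match with a byte-entropy check so that a plain-text document that merely mentions “EKANS” is not reported. The sample files it builds are constructed for the demonstration and are not real artefacts.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

MARKER = b"EKANS"        # tag string reported for Snake / EKANS
TAIL_BYTES = 4096        # assumption: tag lives near the end of the file
ENTROPY_THRESHOLD = 7.0  # assumption: ciphertext tails score close to 8 bits/byte


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; ~8.0 for ciphertext, ~4-5 for English text."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def suspicious_tail(data: bytes) -> bool:
    """True when the tail carries the tag AND looks like encrypted bytes.
    The entropy gate suppresses hits on ordinary text that quotes the string."""
    return MARKER in data and shannon_entropy(data) >= ENTROPY_THRESHOLD


def read_tail(path: Path, tail_bytes: int = TAIL_BYTES) -> bytes:
    """Read only the last tail_bytes of a file so large files stay cheap to scan."""
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        fh.seek(max(0, size - tail_bytes))
        return fh.read()


def find_marked_files(root) -> list:
    """Walk root and return sorted relative paths whose tail is suspicious.
    Unreadable files are skipped rather than aborting the sweep."""
    root = Path(root)
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            try:
                if suspicious_tail(read_tail(path)):
                    hits.append(path.relative_to(root).as_posix())
            except OSError:
                continue
    return sorted(hits)


def build_sample_tree(base) -> Path:
    """Constructed fixture: untouched files, a text note that quotes the tag,
    and two files mimicking the described tagging with random-looking suffixes."""
    base = Path(base)
    (base / "docs").mkdir(parents=True, exist_ok=True)
    (base / "docs" / "report.docx").write_bytes(b"PK\x03\x04 ordinary document body")
    (base / "notes.txt").write_bytes(b"plain text, nothing to see here")
    # A decoy: mentions EKANS in prose, low entropy, must NOT be reported.
    (base / "readme.txt").write_bytes(b"This note mentions EKANS as a string only.")
    # Invented names: original extension plus appended random characters.
    (base / "docs" / "budget.xlsxqWx9a").write_bytes(os.urandom(512) + MARKER)
    (base / "plan.pdfK3mZ").write_bytes(os.urandom(2048) + MARKER)
    return base


def scan_demo() -> list:
    """Build the constructed tree in a temp dir and return the sweep result."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return find_marked_files(tmp)


if __name__ == "__main__":
    for hit in scan_demo():
        print("tagged file:", hit)
```

Run against a real share, `find_marked_files("/mnt/share")` produces a list of candidates to quarantine and to cross-check against the backups the article urges you to keep tested; the entropy gate is a heuristic, so treat the output as triage input rather than proof of infection.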
H2Oex: in-person one-day event/exercise, Thursday, Dec 5th, Washington, DC. Join us!