Snake (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.snake (Back to overview)

Snake

aka: EKANS, SNAKEHOSE

VTCollection

Snake Ransomware is a Golang ransomware reportedly containing obfuscation not typically seen in Golang ransomware. This malware will remove shadow copies and kill processes related to SCADA/ICS devices, virtual machines, remote management tools, network management software, and others. After this, encryption of files on the device commences, while skipping Windows system folders and various system files. A random 5 character string is appended to encrypted files. According to Bleeping Computer, this ransomware takes an especially long time to encrypt files on a targeted machine. This ransomware is reported to target an entire network, rather than individual workstations.

References

2022-08-03 ⋅ 0ffset Blog ⋅ Gabriele Orini
Reversing Golang Developed Ransomware: SNAKE
Snake

2021-07-27 ⋅ Blackberry ⋅ BlackBerry Research & Intelligence Team
Old Dogs New Tricks: Attackers Adopt Exotic Programming Languages
elf.wellmess ElectroRAT BazarNimrod Buer Cobalt Strike Remcos Snake TeleBot WellMess Zebrocy

2021-03-17 ⋅ GoggleHeadedHacker Blog ⋅ Jacob Pimental
Automatic Gobfuscator Deobfuscation with EKANS Ransomware
Snake

2021-02-23 ⋅ CrowdStrike ⋅ CrowdStrike
2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader Evilnum OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER

2020-11-18 ⋅ KELA ⋅ Victoria Kivilevich
Zooming into Darknet Threats Targeting Japanese Organizations
Conti DoppelPaymer Egregor LockBit Maze REvil Snake

2020-11-12 ⋅ Dragos ⋅ Dragos
Cyber Threat Perspective MANUFACTURING SECTOR
Industroyer Snake

2020-09-24 ⋅ Kaspersky Labs ⋅ Kaspersky Lab ICS CERT
Threat landscape for industrial automation systems - H1 2020
Poet RAT Mailto Milum RagnarLocker REvil Ryuk Snake

2020-07-15 ⋅ Mandiant ⋅ Corey Hildebrandt, Daniel Kapellmann Zafra, Keith Lunden, Ken Proska, Nathan Brubaker
Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families
Clop DoppelPaymer LockerGoga Maze MegaCortex Nefilim Snake

2020-07-14 ⋅ CrowdStrike ⋅ Falcon OverWatch Team
Manufacturing Industry in the Adversaries’ Crosshairs
ShadowPad Snake

2020-07-01 ⋅ Fortinet ⋅ Ben Hunter, Fred Gutierrez
EKANS Ransomware Targeting OT ICS Systems
Snake

2020-06-18 ⋅ Dragos ⋅ Joe Slowik
EKANS Ransomware Misconceptions and Misunderstandings
Snake

2020-06-17 ⋅ Kaspersky Labs ⋅ Kaspersky Lab ICS CERT
Targeted attacks on industrial companies using Snake ransomware
Snake

2020-06-11 ⋅ Twitter (@bad_packets) ⋅ Bad Packets Report
Tweet on Honda & Enel Critix(NetScaler) VPN server vulnerable to CVE-2019-19781, possibly targeted by SNAKE ransomware
Snake

2020-06-09 ⋅ Malwarebytes ⋅ Threat Intelligence Team
Honda and Enel impacted by cyber attack suspected to be ransomware
Snake

2020-06-08 ⋅ Twitter (@milkr3am) ⋅ milkream
First public tweet on cyber incident that Honda & Enelint was hit by Snake/Ekans ransomware
Snake

2020-06-08 ⋅ Bleeping Computer ⋅ Ionut Ilascu
Honda investigates possible ransomware attack, networks impacted
Snake

2020-05-15 ⋅ Nishan Maharjan
Malware Analysis: Snake Ransomware
Snake

2020-05-06 ⋅ KrebsOnSecurity ⋅ Brian Krebs
Europe’s Largest Private Hospital Operator Fresenius Hit by Ransomware
Snake

2020-05-01 ⋅ CCN-CERT ⋅ CCN-CERT
Malware report CCN-CERT ID-15/20 Snake Locker
Snake

2020-03-23 ⋅ Carnegie Mellon University ⋅ Kyle O'Meara
Snake Ransomware Analysis Updates
Snake

2020-02-03 ⋅ Dragos ⋅ Dragos
EKANS Ransomware and ICS Operations
Snake

2020-01-23 ⋅ SentinelOne ⋅ Jim Walter
New Snake Ransomware Adds Itself to the Increasing Collection of Golang Crimeware
Snake

2020-01-10 ⋅ Github (albertzsigovits) ⋅ Albert Zsigovits
SNAKE / EKANS ransomware
Snake

2020-01-08 ⋅ Bleeping Computer ⋅ Lawrence Abrams
SNAKE Ransomware Is the Next Threat Targeting Business Networks
Snake

Yara Rules

[TLP:WHITE] win_snake_auto (20201014 | autogenerated rule brought to you by yara-signator)

rule win_snake_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.snake"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b4c2408 8b54240c 85c9 7552 8400 8d480c 890c24 }
            // n = 7, score = 200
            //   8b4c2408             | mov                 ecx, dword ptr [esp + 8]
            //   8b54240c             | mov                 edx, dword ptr [esp + 0xc]
            //   85c9                 | test                ecx, ecx
            //   7552                 | jne                 0x54
            //   8400                 | test                byte ptr [eax], al
            //   8d480c               | lea                 ecx, [eax + 0xc]
            //   890c24               | mov                 dword ptr [esp], ecx

        $sequence_1 = { 894c2404 c744240803000000 c744240c03000000 e8???????? 8b442418 8b4c241c 8b542410 }
            // n = 7, score = 200
            //   894c2404             | mov                 dword ptr [esp + 4], ecx
            //   c744240803000000     | mov                 dword ptr [esp + 8], 3
            //   c744240c03000000     | mov                 dword ptr [esp + 0xc], 3
            //   e8????????           |                     
            //   8b442418             | mov                 eax, dword ptr [esp + 0x18]
            //   8b4c241c             | mov                 ecx, dword ptr [esp + 0x1c]
            //   8b542410             | mov                 edx, dword ptr [esp + 0x10]

        $sequence_2 = { 8402 8401 8b4c2410 8b5c2414 8b6c240c 8b742434 eb10 }
            // n = 7, score = 200
            //   8402                 | test                byte ptr [edx], al
            //   8401                 | test                byte ptr [ecx], al
            //   8b4c2410             | mov                 ecx, dword ptr [esp + 0x10]
            //   8b5c2414             | mov                 ebx, dword ptr [esp + 0x14]
            //   8b6c240c             | mov                 ebp, dword ptr [esp + 0xc]
            //   8b742434             | mov                 esi, dword ptr [esp + 0x34]
            //   eb10                 | jmp                 0x12

        $sequence_3 = { c7042401000000 c644240400 8b442420 89442408 e8???????? 8b44240c 8b4c2414 }
            // n = 7, score = 200
            //   c7042401000000       | mov                 dword ptr [esp], 1
            //   c644240400           | mov                 byte ptr [esp + 4], 0
            //   8b442420             | mov                 eax, dword ptr [esp + 0x20]
            //   89442408             | mov                 dword ptr [esp + 8], eax
            //   e8????????           |                     
            //   8b44240c             | mov                 eax, dword ptr [esp + 0xc]
            //   8b4c2414             | mov                 ecx, dword ptr [esp + 0x14]

        $sequence_4 = { 85c0 0f85c2070000 890d???????? e8???????? 8b05???????? 8b0c24 8b542404 }
            // n = 7, score = 200
            //   85c0                 | test                eax, eax
            //   0f85c2070000         | jne                 0x7c8
            //   890d????????         |                     
            //   e8????????           |                     
            //   8b05????????         |                     
            //   8b0c24               | mov                 ecx, dword ptr [esp]
            //   8b542404             | mov                 edx, dword ptr [esp + 4]

        $sequence_5 = { 8b442418 8b4c2410 8b542414 8b5c241c 85c0 0f854f010000 8944243c }
            // n = 7, score = 200
            //   8b442418             | mov                 eax, dword ptr [esp + 0x18]
            //   8b4c2410             | mov                 ecx, dword ptr [esp + 0x10]
            //   8b542414             | mov                 edx, dword ptr [esp + 0x14]
            //   8b5c241c             | mov                 ebx, dword ptr [esp + 0x1c]
            //   85c0                 | test                eax, eax
            //   0f854f010000         | jne                 0x155
            //   8944243c             | mov                 dword ptr [esp + 0x3c], eax

        $sequence_6 = { 89442434 890424 8b4c2430 894c2404 e8???????? 8b442434 ebce }
            // n = 7, score = 200
            //   89442434             | mov                 dword ptr [esp + 0x34], eax
            //   890424               | mov                 dword ptr [esp], eax
            //   8b4c2430             | mov                 ecx, dword ptr [esp + 0x30]
            //   894c2404             | mov                 dword ptr [esp + 4], ecx
            //   e8????????           |                     
            //   8b442434             | mov                 eax, dword ptr [esp + 0x34]
            //   ebce                 | jmp                 0xffffffd0

        $sequence_7 = { 894c2408 8954240c 89442410 e8???????? 8b4c2414 8b54241c 8b442424 }
            // n = 7, score = 200
            //   894c2408             | mov                 dword ptr [esp + 8], ecx
            //   8954240c             | mov                 dword ptr [esp + 0xc], edx
            //   89442410             | mov                 dword ptr [esp + 0x10], eax
            //   e8????????           |                     
            //   8b4c2414             | mov                 ecx, dword ptr [esp + 0x14]
            //   8b54241c             | mov                 edx, dword ptr [esp + 0x1c]
            //   8b442424             | mov                 eax, dword ptr [esp + 0x24]

        $sequence_8 = { e8???????? 8b05???????? 8b4c2408 85c0 750d 890d???????? 81c408010000 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   8b05????????         |                     
            //   8b4c2408             | mov                 ecx, dword ptr [esp + 8]
            //   85c0                 | test                eax, eax
            //   750d                 | jne                 0xf
            //   890d????????         |                     
            //   81c408010000         | add                 esp, 0x108

        $sequence_9 = { c744241400000000 8b842480000000 8b8c2484000000 8b542470 8b9c248c000000 31ed eb03 }
            // n = 7, score = 200
            //   c744241400000000     | mov                 dword ptr [esp + 0x14], 0
            //   8b842480000000       | mov                 eax, dword ptr [esp + 0x80]
            //   8b8c2484000000       | mov                 ecx, dword ptr [esp + 0x84]
            //   8b542470             | mov                 edx, dword ptr [esp + 0x70]
            //   8b9c248c000000       | mov                 ebx, dword ptr [esp + 0x8c]
            //   31ed                 | xor                 ebp, ebp
            //   eb03                 | jmp                 5

    condition:
        7 of them and filesize < 8134656
}

Download all Yara Rules

Snake Propose Change

References

Yara Rules

Snake