SYMBOLCOMMON_NAMEaka. SYNONYMS
win.snake (Back to overview)

Snake Ransomware

aka: EKANS, SNAKEHOSE

Snake Ransomware is a Golang ransomware reportedly containing obfuscation not typically seen in Golang ransomware. This malware will remove shadow copies and kill processes related to SCADA/ICS devices, virtual machines, remote management tools, network management software, and others. After this, encryption of files on the device commences, while skipping Windows system folders and various system files. A random 5 character string is appended to encrypted files. According to Bleeping Computer, this ransomware takes an especially long time to encrypt files on a targeted machine. This ransomware is reported to target an entire network, rather than individual workstations.

References
2021-03-17GoggleHeadedHacker BlogJacob Pimental
@online{pimental:20210317:automatic:04d3eda, author = {Jacob Pimental}, title = {{Automatic Gobfuscator Deobfuscation with EKANS Ransomware}}, date = {2021-03-17}, organization = {GoggleHeadedHacker Blog}, url = {https://www.goggleheadedhacker.com/blog/post/22}, language = {English}, urldate = {2021-03-19} } Automatic Gobfuscator Deobfuscation with EKANS Ransomware
Snake Ransomware
2021-02-23CrowdStrikeCrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon Ransomware BazarBackdoor Clop Cobalt Strike Conti Ransomware Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet Ransomware ShadowPad SmokeLoader Snake Ransomware SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader
2020-11-18KELAVictoria Kivilevich
@online{kivilevich:20201118:zooming:f28a9c1, author = {Victoria Kivilevich}, title = {{Zooming into Darknet Threats Targeting Japanese Organizations}}, date = {2020-11-18}, organization = {KELA}, url = {https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/}, language = {English}, urldate = {2020-11-19} } Zooming into Darknet Threats Targeting Japanese Organizations
Conti Ransomware DoppelPaymer Egregor LockBit Maze REvil Snake Ransomware
2020-11-12DragosDragos
@techreport{dragos:20201112:cyber:cf5b4fd, author = {Dragos}, title = {{Cyber Threat Perspective MANUFACTURING SECTOR}}, date = {2020-11-12}, institution = {Dragos}, url = {https://hub.dragos.com/hubfs/Whitepaper-Downloads/Dragos_Manufacturing%20Threat%20Perspective_1120.pdf}, language = {English}, urldate = {2020-11-18} } Cyber Threat Perspective MANUFACTURING SECTOR
Industroyer Snake Ransomware
2020-09-24Kaspersky LabsKaspersky Lab ICS CERT
@techreport{cert:20200924:threat:2d7986d, author = {Kaspersky Lab ICS CERT}, title = {{Threat landscape for industrial automation systems - H1 2020}}, date = {2020-09-24}, institution = {Kaspersky Labs}, url = {https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf}, language = {English}, urldate = {2020-10-04} } Threat landscape for industrial automation systems - H1 2020
Poet RAT Mailto Milum RagnarLocker REvil Ryuk Snake Ransomware
2020-07-15FireEyeNathan Brubaker, Daniel Kapellmann Zafra, Keith Lunden, Ken Proska, Corey Hildebrandt
@online{brubaker:20200715:financially:f217555, author = {Nathan Brubaker and Daniel Kapellmann Zafra and Keith Lunden and Ken Proska and Corey Hildebrandt}, title = {{Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families}}, date = {2020-07-15}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html}, language = {English}, urldate = {2020-07-16} } Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families
DoppelPaymer LockerGoga Maze MegaCortex Nefilim Ransomware Snake Ransomware
2020-07-14CrowdStrikeFalcon OverWatch Team
@online{team:20200714:manufacturing:3e552ec, author = {Falcon OverWatch Team}, title = {{Manufacturing Industry in the Adversaries’ Crosshairs}}, date = {2020-07-14}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/adversaries-targeting-the-manufacturing-industry/}, language = {English}, urldate = {2020-07-23} } Manufacturing Industry in the Adversaries’ Crosshairs
ShadowPad Snake Ransomware
2020-07-01FortinetBen Hunter, Fred Gutierrez
@online{hunter:20200701:ekans:46605bc, author = {Ben Hunter and Fred Gutierrez}, title = {{EKANS Ransomware Targeting OT ICS Systems}}, date = {2020-07-01}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/ekans-ransomware-targeting-ot-ics-systems}, language = {English}, urldate = {2020-07-06} } EKANS Ransomware Targeting OT ICS Systems
Snake Ransomware
2020-06-18DragosJoe Slowik
@online{slowik:20200618:ekans:e768da1, author = {Joe Slowik}, title = {{EKANS Ransomware Misconceptions and Misunderstandings}}, date = {2020-06-18}, organization = {Dragos}, url = {https://www.dragos.com/blog/industry-news/ekans-ransomware-misconceptions-and-misunderstandings/}, language = {English}, urldate = {2020-06-19} } EKANS Ransomware Misconceptions and Misunderstandings
Snake Ransomware
2020-06-17Kaspersky LabsKaspersky Lab ICS CERT
@online{cert:20200617:targeted:4a2a126, author = {Kaspersky Lab ICS CERT}, title = {{Targeted attacks on industrial companies using Snake ransomware}}, date = {2020-06-17}, organization = {Kaspersky Labs}, url = {https://ics-cert.kaspersky.com/alerts/2020/06/17/targeted-attacks-on-industrial-companies-using-snake-ransomware/}, language = {English}, urldate = {2020-06-18} } Targeted attacks on industrial companies using Snake ransomware
Snake Ransomware
2020-06-11Twitter (@bad_packets)Bad Packets Report
@online{report:20200611:honda:04a1b7c, author = {Bad Packets Report}, title = {{Tweet on Honda & Enel Critix(NetScaler) VPN server vulnerable to CVE-2019-19781, possibly targeted by SNAKE ransomware}}, date = {2020-06-11}, organization = {Twitter (@bad_packets)}, url = {https://twitter.com/bad_packets/status/1270957214300135426}, language = {English}, urldate = {2020-06-12} } Tweet on Honda & Enel Critix(NetScaler) VPN server vulnerable to CVE-2019-19781, possibly targeted by SNAKE ransomware
Snake Ransomware
2020-06-09MalwarebytesThreat Intelligence Team
@online{team:20200609:honda:a44da80, author = {Threat Intelligence Team}, title = {{Honda and Enel impacted by cyber attack suspected to be ransomware}}, date = {2020-06-09}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2020/06/honda-and-enel-impacted-by-cyber-attack-suspected-to-be-ransomware/}, language = {English}, urldate = {2020-06-10} } Honda and Enel impacted by cyber attack suspected to be ransomware
Snake Ransomware
2020-06-08Bleeping ComputerIonut Ilascu
@online{ilascu:20200608:honda:59ddaf6, author = {Ionut Ilascu}, title = {{Honda investigates possible ransomware attack, networks impacted}}, date = {2020-06-08}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/honda-investigates-possible-ransomware-attack-networks-impacted/}, language = {English}, urldate = {2020-06-10} } Honda investigates possible ransomware attack, networks impacted
Snake Ransomware
2020-06-08Twitter (@milkr3am)milkream
@online{milkream:20200608:first:5a359a9, author = {milkream}, title = {{First public tweet on cyber incident that Honda & Enelint was hit by Snake/Ekans ransomware}}, date = {2020-06-08}, organization = {Twitter (@milkr3am)}, url = {https://twitter.com/milkr3am/status/1270019326976786432}, language = {English}, urldate = {2020-06-11} } First public tweet on cyber incident that Honda & Enelint was hit by Snake/Ekans ransomware
Snake Ransomware
2020-05-15Nishan Maharjan
@online{maharjan:20200515:malware:8c6907f, author = {Nishan Maharjan}, title = {{Malware Analysis: Snake Ransomware}}, date = {2020-05-15}, url = {https://medium.com/@nishanmaharjan17/malware-analysis-snake-ransomware-a0e66f487017}, language = {English}, urldate = {2020-05-19} } Malware Analysis: Snake Ransomware
Snake Ransomware
2020-05-06KrebsOnSecurityBrian Krebs
@online{krebs:20200506:europes:2f8ce94, author = {Brian Krebs}, title = {{Europe’s Largest Private Hospital Operator Fresenius Hit by Ransomware}}, date = {2020-05-06}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2020/05/europes-largest-private-hospital-operator-fresenius-hit-by-ransomware}, language = {English}, urldate = {2020-05-13} } Europe’s Largest Private Hospital Operator Fresenius Hit by Ransomware
Snake Ransomware
2020-05CCN-CERTCCN-CERT
@online{ccncert:202005:malware:e6aed81, author = {CCN-CERT}, title = {{Malware report CCN-CERT ID-15/20 Snake Locker}}, date = {2020-05}, organization = {CCN-CERT}, url = {https://www.ccn-cert.cni.es/pdf/5045-ccn-cert-id-15-20-snake-locker-english-1/file.html}, language = {English}, urldate = {2020-06-10} } Malware report CCN-CERT ID-15/20 Snake Locker
Snake Ransomware
2020-03-23Carnegie Mellon UniversityKyle O'Meara
@online{omeara:20200323:snake:67fbc1b, author = {Kyle O'Meara}, title = {{Snake Ransomware Analysis Updates}}, date = {2020-03-23}, organization = {Carnegie Mellon University}, url = {https://insights.sei.cmu.edu/cert/2020/03/snake-ransomware-analysis-updates.html}, language = {English}, urldate = {2020-03-28} } Snake Ransomware Analysis Updates
Snake Ransomware
2020-02-03DragosDragos
@online{dragos:20200203:ekans:041a3ee, author = {Dragos}, title = {{EKANS Ransomware and ICS Operations}}, date = {2020-02-03}, organization = {Dragos}, url = {https://dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/}, language = {English}, urldate = {2020-02-04} } EKANS Ransomware and ICS Operations
Snake Ransomware
2020-01-23SentinelOneJim Walter
@online{walter:20200123:new:8d4a9c2, author = {Jim Walter}, title = {{New Snake Ransomware Adds Itself to the Increasing Collection of Golang Crimeware}}, date = {2020-01-23}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/new-snake-ransomware-adds-itself-to-the-increasing-collection-of-golang-crimeware/}, language = {English}, urldate = {2020-01-27} } New Snake Ransomware Adds Itself to the Increasing Collection of Golang Crimeware
Snake Ransomware
2020-01-10Github (albertzsigovits)Albert Zsigovits
@online{zsigovits:20200110:snake:cd5131a, author = {Albert Zsigovits}, title = {{SNAKE / EKANS ransomware}}, date = {2020-01-10}, organization = {Github (albertzsigovits)}, url = {https://github.com/albertzsigovits/malware-notes/blob/master/Snake.md}, language = {English}, urldate = {2020-01-14} } SNAKE / EKANS ransomware
Snake Ransomware
2020-01-08Bleeping ComputerLawrence Abrams
@online{abrams:20200108:snake:aaf992f, author = {Lawrence Abrams}, title = {{SNAKE Ransomware Is the Next Threat Targeting Business Networks}}, date = {2020-01-08}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/snake-ransomware-is-the-next-threat-targeting-business-networks/}, language = {English}, urldate = {2020-01-12} } SNAKE Ransomware Is the Next Threat Targeting Business Networks
Snake Ransomware
Yara Rules
[TLP:WHITE] win_snake_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_snake_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.snake"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b4c2408 8b54240c 85c9 7552 8400 8d480c 890c24 }
            // n = 7, score = 200
            //   8b4c2408             | mov                 ecx, dword ptr [esp + 8]
            //   8b54240c             | mov                 edx, dword ptr [esp + 0xc]
            //   85c9                 | test                ecx, ecx
            //   7552                 | jne                 0x54
            //   8400                 | test                byte ptr [eax], al
            //   8d480c               | lea                 ecx, [eax + 0xc]
            //   890c24               | mov                 dword ptr [esp], ecx

        $sequence_1 = { 894c2404 c744240803000000 c744240c03000000 e8???????? 8b442418 8b4c241c 8b542410 }
            // n = 7, score = 200
            //   894c2404             | mov                 dword ptr [esp + 4], ecx
            //   c744240803000000     | mov                 dword ptr [esp + 8], 3
            //   c744240c03000000     | mov                 dword ptr [esp + 0xc], 3
            //   e8????????           |                     
            //   8b442418             | mov                 eax, dword ptr [esp + 0x18]
            //   8b4c241c             | mov                 ecx, dword ptr [esp + 0x1c]
            //   8b542410             | mov                 edx, dword ptr [esp + 0x10]

        $sequence_2 = { 8402 8401 8b4c2410 8b5c2414 8b6c240c 8b742434 eb10 }
            // n = 7, score = 200
            //   8402                 | test                byte ptr [edx], al
            //   8401                 | test                byte ptr [ecx], al
            //   8b4c2410             | mov                 ecx, dword ptr [esp + 0x10]
            //   8b5c2414             | mov                 ebx, dword ptr [esp + 0x14]
            //   8b6c240c             | mov                 ebp, dword ptr [esp + 0xc]
            //   8b742434             | mov                 esi, dword ptr [esp + 0x34]
            //   eb10                 | jmp                 0x12

        $sequence_3 = { c7042401000000 c644240400 8b442420 89442408 e8???????? 8b44240c 8b4c2414 }
            // n = 7, score = 200
            //   c7042401000000       | mov                 dword ptr [esp], 1
            //   c644240400           | mov                 byte ptr [esp + 4], 0
            //   8b442420             | mov                 eax, dword ptr [esp + 0x20]
            //   89442408             | mov                 dword ptr [esp + 8], eax
            //   e8????????           |                     
            //   8b44240c             | mov                 eax, dword ptr [esp + 0xc]
            //   8b4c2414             | mov                 ecx, dword ptr [esp + 0x14]

        $sequence_4 = { 85c0 0f85c2070000 890d???????? e8???????? 8b05???????? 8b0c24 8b542404 }
            // n = 7, score = 200
            //   85c0                 | test                eax, eax
            //   0f85c2070000         | jne                 0x7c8
            //   890d????????         |                     
            //   e8????????           |                     
            //   8b05????????         |                     
            //   8b0c24               | mov                 ecx, dword ptr [esp]
            //   8b542404             | mov                 edx, dword ptr [esp + 4]

        $sequence_5 = { 8b442418 8b4c2410 8b542414 8b5c241c 85c0 0f854f010000 8944243c }
            // n = 7, score = 200
            //   8b442418             | mov                 eax, dword ptr [esp + 0x18]
            //   8b4c2410             | mov                 ecx, dword ptr [esp + 0x10]
            //   8b542414             | mov                 edx, dword ptr [esp + 0x14]
            //   8b5c241c             | mov                 ebx, dword ptr [esp + 0x1c]
            //   85c0                 | test                eax, eax
            //   0f854f010000         | jne                 0x155
            //   8944243c             | mov                 dword ptr [esp + 0x3c], eax

        $sequence_6 = { 89442434 890424 8b4c2430 894c2404 e8???????? 8b442434 ebce }
            // n = 7, score = 200
            //   89442434             | mov                 dword ptr [esp + 0x34], eax
            //   890424               | mov                 dword ptr [esp], eax
            //   8b4c2430             | mov                 ecx, dword ptr [esp + 0x30]
            //   894c2404             | mov                 dword ptr [esp + 4], ecx
            //   e8????????           |                     
            //   8b442434             | mov                 eax, dword ptr [esp + 0x34]
            //   ebce                 | jmp                 0xffffffd0

        $sequence_7 = { 894c2408 8954240c 89442410 e8???????? 8b4c2414 8b54241c 8b442424 }
            // n = 7, score = 200
            //   894c2408             | mov                 dword ptr [esp + 8], ecx
            //   8954240c             | mov                 dword ptr [esp + 0xc], edx
            //   89442410             | mov                 dword ptr [esp + 0x10], eax
            //   e8????????           |                     
            //   8b4c2414             | mov                 ecx, dword ptr [esp + 0x14]
            //   8b54241c             | mov                 edx, dword ptr [esp + 0x1c]
            //   8b442424             | mov                 eax, dword ptr [esp + 0x24]

        $sequence_8 = { e8???????? 8b05???????? 8b4c2408 85c0 750d 890d???????? 81c408010000 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   8b05????????         |                     
            //   8b4c2408             | mov                 ecx, dword ptr [esp + 8]
            //   85c0                 | test                eax, eax
            //   750d                 | jne                 0xf
            //   890d????????         |                     
            //   81c408010000         | add                 esp, 0x108

        $sequence_9 = { c744241400000000 8b842480000000 8b8c2484000000 8b542470 8b9c248c000000 31ed eb03 }
            // n = 7, score = 200
            //   c744241400000000     | mov                 dword ptr [esp + 0x14], 0
            //   8b842480000000       | mov                 eax, dword ptr [esp + 0x80]
            //   8b8c2484000000       | mov                 ecx, dword ptr [esp + 0x84]
            //   8b542470             | mov                 edx, dword ptr [esp + 0x70]
            //   8b9c248c000000       | mov                 ebx, dword ptr [esp + 0x8c]
            //   31ed                 | xor                 ebp, ebp
            //   eb03                 | jmp                 5

    condition:
        7 of them and filesize < 8134656
}
Download all Yara Rules