win.snake

Snake Ransomware

aka: EKANS, SNAKEHOSE

Snake Ransomware is a Golang ransomware reportedly containing obfuscation not typically seen in Golang ransomware. This malware will remove shadow copies and kill processes related to SCADA/ICS devices, virtual machines, remote management tools, network management software, and others. After this, encryption of files on the device commences, while skipping Windows system folders and various system files. A random 5-character string is appended to encrypted files. According to Bleeping Computer, this ransomware takes an especially long time to encrypt files on a targeted machine. This ransomware is reported to target an entire network, rather than individual workstations.

References
2020-09-24 — Kaspersky Labs — Kaspersky Lab ICS CERT
@techreport{cert:20200924:threat:2d7986d, author = {Kaspersky Lab ICS CERT}, title = {{Threat landscape for industrial automation systems - H1 2020}}, date = {2020-09-24}, institution = {Kaspersky Labs}, url = {https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf}, language = {English}, urldate = {2020-10-04} } Threat landscape for industrial automation systems - H1 2020
Poet RAT, Mailto, Milum, RagnarLocker, REvil, Ryuk, Snake Ransomware
2020-07-15 — FireEye — Nathan Brubaker, Daniel Kapellmann Zafra, Keith Lunden, Ken Proska, Corey Hildebrandt
@online{brubaker:20200715:financially:f217555, author = {Nathan Brubaker and Daniel Kapellmann Zafra and Keith Lunden and Ken Proska and Corey Hildebrandt}, title = {{Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families}}, date = {2020-07-15}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html}, language = {English}, urldate = {2020-07-16} } Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families
DoppelPaymer, LockerGoga, Maze, MegaCortex, Nefilim Ransomware, Snake Ransomware
2020-07-14 — CrowdStrike — Falcon OverWatch Team
@online{team:20200714:manufacturing:3e552ec, author = {Falcon OverWatch Team}, title = {{Manufacturing Industry in the Adversaries’ Crosshairs}}, date = {2020-07-14}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/adversaries-targeting-the-manufacturing-industry/}, language = {English}, urldate = {2020-07-23} } Manufacturing Industry in the Adversaries’ Crosshairs
ShadowPad, Snake Ransomware
2020-07-01 — Fortinet — Ben Hunter, Fred Gutierrez
@online{hunter:20200701:ekans:46605bc, author = {Ben Hunter and Fred Gutierrez}, title = {{EKANS Ransomware Targeting OT ICS Systems}}, date = {2020-07-01}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/ekans-ransomware-targeting-ot-ics-systems}, language = {English}, urldate = {2020-07-06} } EKANS Ransomware Targeting OT ICS Systems
Snake Ransomware
2020-06-18 — Dragos — Joe Slowik
@online{slowik:20200618:ekans:e768da1, author = {Joe Slowik}, title = {{EKANS Ransomware Misconceptions and Misunderstandings}}, date = {2020-06-18}, organization = {Dragos}, url = {https://www.dragos.com/blog/industry-news/ekans-ransomware-misconceptions-and-misunderstandings/}, language = {English}, urldate = {2020-06-19} } EKANS Ransomware Misconceptions and Misunderstandings
Snake Ransomware
2020-06-17 — Kaspersky Labs — Kaspersky Lab ICS CERT
@online{cert:20200617:targeted:4a2a126, author = {Kaspersky Lab ICS CERT}, title = {{Targeted attacks on industrial companies using Snake ransomware}}, date = {2020-06-17}, organization = {Kaspersky Labs}, url = {https://ics-cert.kaspersky.com/alerts/2020/06/17/targeted-attacks-on-industrial-companies-using-snake-ransomware/}, language = {English}, urldate = {2020-06-18} } Targeted attacks on industrial companies using Snake ransomware
Snake Ransomware
2020-06-11 — Twitter (@bad_packets) — Bad Packets Report
@online{report:20200611:honda:04a1b7c, author = {Bad Packets Report}, title = {{Tweet on Honda & Enel Citrix (NetScaler) VPN server vulnerable to CVE-2019-19781, possibly targeted by SNAKE ransomware}}, date = {2020-06-11}, organization = {Twitter (@bad_packets)}, url = {https://twitter.com/bad_packets/status/1270957214300135426}, language = {English}, urldate = {2020-06-12} } Tweet on Honda & Enel Citrix (NetScaler) VPN server vulnerable to CVE-2019-19781, possibly targeted by SNAKE ransomware
Snake Ransomware
2020-06-09 — Malwarebytes — Threat Intelligence Team
@online{team:20200609:honda:a44da80, author = {Threat Intelligence Team}, title = {{Honda and Enel impacted by cyber attack suspected to be ransomware}}, date = {2020-06-09}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2020/06/honda-and-enel-impacted-by-cyber-attack-suspected-to-be-ransomware/}, language = {English}, urldate = {2020-06-10} } Honda and Enel impacted by cyber attack suspected to be ransomware
Snake Ransomware
2020-06-08 — Bleeping Computer — Ionut Ilascu
@online{ilascu:20200608:honda:59ddaf6, author = {Ionut Ilascu}, title = {{Honda investigates possible ransomware attack, networks impacted}}, date = {2020-06-08}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/honda-investigates-possible-ransomware-attack-networks-impacted/}, language = {English}, urldate = {2020-06-10} } Honda investigates possible ransomware attack, networks impacted
Snake Ransomware
2020-06-08 — Twitter (@milkr3am) — milkream
@online{milkream:20200608:first:5a359a9, author = {milkream}, title = {{First public tweet on cyber incident that Honda & Enelint was hit by Snake/Ekans ransomware}}, date = {2020-06-08}, organization = {Twitter (@milkr3am)}, url = {https://twitter.com/milkr3am/status/1270019326976786432}, language = {English}, urldate = {2020-06-11} } First public tweet on cyber incident that Honda & Enelint was hit by Snake/Ekans ransomware
Snake Ransomware
2020-05-15 — Nishan Maharjan
@online{maharjan:20200515:malware:8c6907f, author = {Nishan Maharjan}, title = {{Malware Analysis: Snake Ransomware}}, date = {2020-05-15}, url = {https://medium.com/@nishanmaharjan17/malware-analysis-snake-ransomware-a0e66f487017}, language = {English}, urldate = {2020-05-19} } Malware Analysis: Snake Ransomware
Snake Ransomware
2020-05-06 — KrebsOnSecurity — Brian Krebs
@online{krebs:20200506:europes:2f8ce94, author = {Brian Krebs}, title = {{Europe’s Largest Private Hospital Operator Fresenius Hit by Ransomware}}, date = {2020-05-06}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2020/05/europes-largest-private-hospital-operator-fresenius-hit-by-ransomware}, language = {English}, urldate = {2020-05-13} } Europe’s Largest Private Hospital Operator Fresenius Hit by Ransomware
Snake Ransomware
2020-05 — CCN-CERT — CCN-CERT
@online{ccncert:202005:malware:e6aed81, author = {CCN-CERT}, title = {{Malware report CCN-CERT ID-15/20 Snake Locker}}, date = {2020-05}, organization = {CCN-CERT}, url = {https://www.ccn-cert.cni.es/pdf/5045-ccn-cert-id-15-20-snake-locker-english-1/file.html}, language = {English}, urldate = {2020-06-10} } Malware report CCN-CERT ID-15/20 Snake Locker
Snake Ransomware
2020-03-23 — Carnegie Mellon University — Kyle O'Meara
@online{omeara:20200323:snake:67fbc1b, author = {Kyle O'Meara}, title = {{Snake Ransomware Analysis Updates}}, date = {2020-03-23}, organization = {Carnegie Mellon University}, url = {https://insights.sei.cmu.edu/cert/2020/03/snake-ransomware-analysis-updates.html}, language = {English}, urldate = {2020-03-28} } Snake Ransomware Analysis Updates
Snake Ransomware
2020-02-03 — Dragos — Dragos
@online{dragos:20200203:ekans:041a3ee, author = {Dragos}, title = {{EKANS Ransomware and ICS Operations}}, date = {2020-02-03}, organization = {Dragos}, url = {https://dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/}, language = {English}, urldate = {2020-02-04} } EKANS Ransomware and ICS Operations
Snake Ransomware
2020-01-23 — SentinelOne — Jim Walter
@online{walter:20200123:new:8d4a9c2, author = {Jim Walter}, title = {{New Snake Ransomware Adds Itself to the Increasing Collection of Golang Crimeware}}, date = {2020-01-23}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/new-snake-ransomware-adds-itself-to-the-increasing-collection-of-golang-crimeware/}, language = {English}, urldate = {2020-01-27} } New Snake Ransomware Adds Itself to the Increasing Collection of Golang Crimeware
Snake Ransomware
2020-01-10 — Github (albertzsigovits) — Albert Zsigovits
@online{zsigovits:20200110:snake:cd5131a, author = {Albert Zsigovits}, title = {{SNAKE / EKANS ransomware}}, date = {2020-01-10}, organization = {Github (albertzsigovits)}, url = {https://github.com/albertzsigovits/malware-notes/blob/master/Snake.md}, language = {English}, urldate = {2020-01-14} } SNAKE / EKANS ransomware
Snake Ransomware
2020-01-08 — Bleeping Computer — Lawrence Abrams
@online{abrams:20200108:snake:aaf992f, author = {Lawrence Abrams}, title = {{SNAKE Ransomware Is the Next Threat Targeting Business Networks}}, date = {2020-01-08}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/snake-ransomware-is-the-next-threat-targeting-business-networks/}, language = {English}, urldate = {2020-01-12} } SNAKE Ransomware Is the Next Threat Targeting Business Networks
Snake Ransomware
Yara Rules
[TLP:WHITE] win_snake_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_snake_auto {

    // Detection rule for Snake / EKANS ransomware (Malpedia family win.snake).
    // It was generated by yara-signator from code byte sequences found in
    // disassembled samples, not from hand-picked strings; the DISCLAIMER below
    // describes the coverage caveats that follow from that generation method.
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.snake"
        malpedia_rule_date = "20201014"
        // NOTE(review): malpedia_hash presumably identifies the Malpedia data
        // snapshot the rule was built from, not a malware sample — do not treat
        // it as an IoC without confirming.
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Each $sequence_N is a run of raw opcode bytes (hex) covering seven
    // instructions ("n = 7"); the commented disassembly under each one is for
    // the reader only and is not matched. "??" is a YARA wildcard byte. The
    // rows with an empty disassembly column are the wildcarded operands — the
    // e8 call targets and the 890d / 8b05 absolute data references — which
    // tool_config "callsandjumps;datarefs" strips, presumably because they
    // differ between builds. "score" is yara-signator's internal ranking of a
    // sequence; its scale is not documented here. The [esp + N] operand
    // traffic shows this is 32-bit x86 code (NOTE(review): consistent with
    // Go's stack-based argument passing, but not verified against a sample).
    strings:
        $sequence_0 = { 8b4c2408 8b54240c 85c9 7552 8400 8d480c 890c24 }
            // n = 7, score = 200
            //   8b4c2408             | mov                 ecx, dword ptr [esp + 8]
            //   8b54240c             | mov                 edx, dword ptr [esp + 0xc]
            //   85c9                 | test                ecx, ecx
            //   7552                 | jne                 0x54
            //   8400                 | test                byte ptr [eax], al
            //   8d480c               | lea                 ecx, [eax + 0xc]
            //   890c24               | mov                 dword ptr [esp], ecx

        $sequence_1 = { 894c2404 c744240803000000 c744240c03000000 e8???????? 8b442418 8b4c241c 8b542410 }
            // n = 7, score = 200
            //   894c2404             | mov                 dword ptr [esp + 4], ecx
            //   c744240803000000     | mov                 dword ptr [esp + 8], 3
            //   c744240c03000000     | mov                 dword ptr [esp + 0xc], 3
            //   e8????????           |                     
            //   8b442418             | mov                 eax, dword ptr [esp + 0x18]
            //   8b4c241c             | mov                 ecx, dword ptr [esp + 0x1c]
            //   8b542410             | mov                 edx, dword ptr [esp + 0x10]

        $sequence_2 = { 8402 8401 8b4c2410 8b5c2414 8b6c240c 8b742434 eb10 }
            // n = 7, score = 200
            //   8402                 | test                byte ptr [edx], al
            //   8401                 | test                byte ptr [ecx], al
            //   8b4c2410             | mov                 ecx, dword ptr [esp + 0x10]
            //   8b5c2414             | mov                 ebx, dword ptr [esp + 0x14]
            //   8b6c240c             | mov                 ebp, dword ptr [esp + 0xc]
            //   8b742434             | mov                 esi, dword ptr [esp + 0x34]
            //   eb10                 | jmp                 0x12

        $sequence_3 = { c7042401000000 c644240400 8b442420 89442408 e8???????? 8b44240c 8b4c2414 }
            // n = 7, score = 200
            //   c7042401000000       | mov                 dword ptr [esp], 1
            //   c644240400           | mov                 byte ptr [esp + 4], 0
            //   8b442420             | mov                 eax, dword ptr [esp + 0x20]
            //   89442408             | mov                 dword ptr [esp + 8], eax
            //   e8????????           |                     
            //   8b44240c             | mov                 eax, dword ptr [esp + 0xc]
            //   8b4c2414             | mov                 ecx, dword ptr [esp + 0x14]

        $sequence_4 = { 85c0 0f85c2070000 890d???????? e8???????? 8b05???????? 8b0c24 8b542404 }
            // n = 7, score = 200
            //   85c0                 | test                eax, eax
            //   0f85c2070000         | jne                 0x7c8
            //   890d????????         |                     
            //   e8????????           |                     
            //   8b05????????         |                     
            //   8b0c24               | mov                 ecx, dword ptr [esp]
            //   8b542404             | mov                 edx, dword ptr [esp + 4]

        $sequence_5 = { 8b442418 8b4c2410 8b542414 8b5c241c 85c0 0f854f010000 8944243c }
            // n = 7, score = 200
            //   8b442418             | mov                 eax, dword ptr [esp + 0x18]
            //   8b4c2410             | mov                 ecx, dword ptr [esp + 0x10]
            //   8b542414             | mov                 edx, dword ptr [esp + 0x14]
            //   8b5c241c             | mov                 ebx, dword ptr [esp + 0x1c]
            //   85c0                 | test                eax, eax
            //   0f854f010000         | jne                 0x155
            //   8944243c             | mov                 dword ptr [esp + 0x3c], eax

        $sequence_6 = { 89442434 890424 8b4c2430 894c2404 e8???????? 8b442434 ebce }
            // n = 7, score = 200
            //   89442434             | mov                 dword ptr [esp + 0x34], eax
            //   890424               | mov                 dword ptr [esp], eax
            //   8b4c2430             | mov                 ecx, dword ptr [esp + 0x30]
            //   894c2404             | mov                 dword ptr [esp + 4], ecx
            //   e8????????           |                     
            //   8b442434             | mov                 eax, dword ptr [esp + 0x34]
            //   ebce                 | jmp                 0xffffffd0

        $sequence_7 = { 894c2408 8954240c 89442410 e8???????? 8b4c2414 8b54241c 8b442424 }
            // n = 7, score = 200
            //   894c2408             | mov                 dword ptr [esp + 8], ecx
            //   8954240c             | mov                 dword ptr [esp + 0xc], edx
            //   89442410             | mov                 dword ptr [esp + 0x10], eax
            //   e8????????           |                     
            //   8b4c2414             | mov                 ecx, dword ptr [esp + 0x14]
            //   8b54241c             | mov                 edx, dword ptr [esp + 0x1c]
            //   8b442424             | mov                 eax, dword ptr [esp + 0x24]

        $sequence_8 = { e8???????? 8b05???????? 8b4c2408 85c0 750d 890d???????? 81c408010000 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   8b05????????         |                     
            //   8b4c2408             | mov                 ecx, dword ptr [esp + 8]
            //   85c0                 | test                eax, eax
            //   750d                 | jne                 0xf
            //   890d????????         |                     
            //   81c408010000         | add                 esp, 0x108

        $sequence_9 = { c744241400000000 8b842480000000 8b8c2484000000 8b542470 8b9c248c000000 31ed eb03 }
            // n = 7, score = 200
            //   c744241400000000     | mov                 dword ptr [esp + 0x14], 0
            //   8b842480000000       | mov                 eax, dword ptr [esp + 0x80]
            //   8b8c2484000000       | mov                 ecx, dword ptr [esp + 0x84]
            //   8b542470             | mov                 edx, dword ptr [esp + 0x70]
            //   8b9c248c000000       | mov                 ebx, dword ptr [esp + 0x8c]
            //   31ed                 | xor                 ebp, ebp
            //   eb03                 | jmp                 5

    // Match requires at least 7 of the 10 sequences above, and the scanned
    // object must be smaller than 8134656 bytes (roughly 7.76 MiB), which
    // bounds scan cost on large inputs. NOTE(review): `filesize` refers to the
    // file being scanned and is not meaningful for process-memory scans —
    // confirm YARA's behaviour in that mode before relying on this bound there.
    condition:
        7 of them and filesize < 8134656
}