Security experts from
The Snake ransomware is written in the
Snake Ransomware was first detected by researchers from MalwareHunterTeam last week and analyzed with the support of the popular malware analyst Vitali Kremez.
The ransomware is heavily obfuscated and it is designed to target the entire network rather than individual computers or servers.
“The ransomware contains a level of routine obfuscation not previously and typically seen coupled with the targeted approach,” Kremez, Head of SentinelLabs, told BleepingComputer.
Like other ransomware, upon execution Snake removes the computer’s Shadow Volume Copies; it also kills numerous processes related to SCADA systems, virtual machines, industrial control systems, remote management tools, network management software, and more.
Then the malware encrypts the files on the system, skipping Windows system files and folders. The SNAKE ransomware appends a random 5-character string to the file extension (i.e. a file named invoice.doc is encrypted and renamed to something like invoice.docIksrt).
The experts noticed that the malware appends the ‘EKANS’ file marker to each encrypted file. Once the encryption process is completed the ransomware will create a ransom note (named ‘Fix-Your-Files.txt’) in the C:\Users\Public\Desktop folder that contains the email address ([email protected]) to contact to receive the payment instructions.
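The artifacts described above (the appended ‘EKANS’ marker, the five-letter suffix glued onto the original extension, and the ‘Fix-Your-Files.txt’ note) are enough for a simple post-incident triage scan. The script below is an added example, not code from the article or from any vendor; it assumes the marker sits in the trailing bytes of an encrypted file and uses a constructed sample directory instead of a real victim host.

```python
import os
import re
import tempfile
from pathlib import Path

# Indicators taken from the article: file marker, ransom note name, and the
# "original.ext" + five extra letters naming pattern (e.g. invoice.docIksrt).
EKANS_MARKER = b"EKANS"
RANSOM_NOTE = "Fix-Your-Files.txt"
SUFFIX_RE = re.compile(r"^(?P<stem>.+\.[A-Za-z0-9]{1,5})(?P<tag>[A-Za-z]{5})$")

def has_ekans_marker(path: Path, tail: int = 64) -> bool:
    """True if the EKANS marker appears in the last `tail` bytes of the file.
    Assumption: the marker is appended at the end, so only the tail is read."""
    size = path.stat().st_size
    with path.open("rb") as fh:
        fh.seek(max(0, size - tail))
        return EKANS_MARKER in fh.read()

def classify(path: Path) -> str:
    """Return 'ransom_note', 'encrypted', 'suspicious_name' or 'clean'.
    The name pattern alone is noisy (README.markdown also matches), so a file
    is only called 'encrypted' when the byte marker is present."""
    if path.name == RANSOM_NOTE:
        return "ransom_note"
    if has_ekans_marker(path):
        return "encrypted"
    if SUFFIX_RE.match(path.name):
        return "suspicious_name"
    return "clean"

def scan(root: Path) -> dict:
    """Walk `root` and group every file by its classification."""
    findings = {"ransom_note": [], "encrypted": [], "suspicious_name": [], "clean": []}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            findings[classify(p)].append(str(p.relative_to(root)))
    return findings

def build_sample_tree() -> Path:
    """Constructed sample: one marked+renamed file, one untouched file,
    one oddly named but unmarked file, and the ransom note."""
    root = Path(tempfile.mkdtemp(prefix="ekans_demo_"))
    (root / "invoice.docIksrt").write_bytes(os.urandom(256) + EKANS_MARKER)
    (root / "report.xlsx").write_bytes(b"PK\x03\x04" + b"\x00" * 100)
    (root / "notes.txtABCDE").write_bytes(b"plain text, no marker")
    (root / RANSOM_NOTE).write_text("constructed placeholder note\n")
    return root

if __name__ == "__main__":
    for kind, files in scan(build_sample_tree()).items():
        print(f"{kind:16s} {files}")
```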
“Snake is written
According to SentinelLabs, most of the ICS processes targeted by Snake are associated with products made by GE.
OTORIO confirms that the Snake ransomware terminates a critical p for the GE Digital Proficy server, which is used to connect to the Proficy HMI/SCADA, Manufacturing Execution Systems (MES), and Enterprise Manufacturing Intelligence (EMI) systems. Experts warn that terminating this p
“Deleting or locking targeted ICS processes would prohibit manufacturing teams from accessing vital production-related
“GE is aware of reports of a ransomware family with an industrial control system specific functionality. Based on our understanding, the ransomware is not exclusively targeting GE’s ICS products, and it does not target a specific vulnerability in GE’s ICS products.” reads a statement from a General Electric representative.
Experts pointed out that the ransom instructs victims to contact email address [email protected], where “
ZeroCleare is classified as a destructive wiper that experts linked to Iran-linked APT groups. According to the experts, the campaign they have monitored may have been the first in which the malware was involved.
“Recently it was reported that Iranian state-sponsored hackers have deployed a data-wiping malware dubbed Dustman on BAPCO’s network. It’s no coincidence that these two attacks come in short proximity to one another.” concludes OTORIO. “Using an already “proven” malware (i.e.