Security experts from
The Snake ransomware is written in the
The ransomware is heavily obfuscated and it is designed to target the entire network rather than individual computers or servers.
Like other ransomware, upon execution Snake will remove the computer’s Shadow Volume Copies, it also kills numerous processes related to SCADA systems, virtual machines, industrial control systems, remote management tools, network management software, and more.
Then the malware encrypts the files on the system, skipping Windows system files and folders. The SNAKE ransomware appends a ransom 5 character string to the files extension (i.e. a file named invoice.doc is encrypted and renamed like invoice.docIksrt.
The experts noticed that the malware appends the ‘EKANS‘ file marker to each encrypted file. Once the encryption process is completed the ransomware will create a ransom note (named ‘Fix-Your-Files.txt’) in the C:\Users\Public\Desktop folder that contains the email address (firstname.lastname@example.org) to contact to receive the payment instructions.
“Snake is written
According to SentinelLabs, most of the ICS processes targeted by Snake are associated with products made by GE.
OTORIO confirms that the Snake ransomware terminates a critical p for the GE Digital Proficy server, which is used to connect to the Proficy HMI/SCADA, Manufacturing Execution Systems (MES), and Enterprise Manufacturing Intelligence (EMI) systems. Experts warn that terminating this p
“Deleting or locking targeted ICS processes would prohibit manufacturing teams from accessing vital production-related
“GE is aware of reports of a ransomware family with an industrial control system specific functionality. Based on our understanding, the ransomware is not exclusively targeting GE’s ICS products, and it does not target a specific vulnerability in GE’s ICS products.” reads a statement from a General Electric representative.
Experts pointed out that the ransom instructs victims to contact email address email@example.com, where “
ZeroCleare is classified as a destructive wiper that experts linked to Iran-linked APT groups, according to the experts, the campaign they have monitored may have been the first in which the malware was involved.
“Recently it was reported that Iranian state-sponsored hackers have deployed a data-wiping malware dubbed Dustman on BAPCO’s network. It’s no coincidence that these two attacks come in short proximity to one another.” concludes OTORIO. “Using an already “proven” malware (i.e.