Pierluigi Paganini January 28, 2020

The recently discovered Snake Ransomware has been targeting processes and files associated with industrial control systems (ICS).

Security experts from SentinelOne reported that the recently discovered Snake Ransomware has been targeting processes and files associated with industrial control systems (ICS).

The Snake ransomware is written in the Golang programming language and has been used in targeted attacks against businesses worldwide.

Snake Ransomware was first detected by researchers from MalwareHunterTeam last week and analyzed it with the support of the popular malware analysts Vitali Kremez.

The ransomware is heavily obfuscated and it is designed to target the entire network rather than individual computers or servers.

“The ransomware contains a level of routine obfuscation not previously and typically seen coupled with the targeted approach,” Kremez, Head of SentinelLabs, told BleepingComputer.

Like other ransomware, upon execution Snake will remove the computer’s Shadow Volume Copies, it also kills numerous processes related to SCADA systems, virtual machines, industrial control systems, remote management tools, network management software, and more.

Then the malware encrypts the files on the system, skipping Windows system files and folders. The SNAKE ransomware appends a ransom 5 character string to the files extension (i.e. a file named invoice.doc is encrypted and renamed like invoice.docIksrt.

The experts noticed that the malware appends the ‘EKANS‘ file marker to each encrypted file. Once the encryption process is completed the ransomware will create a ransom note (named ‘Fix-Your-Files.txt’) in the C:\Users\Public\Desktop folder that contains the email address ([email protected]) to contact to receive the payment instructions.

“SentinelLabs has observed the Snake ransomware in targeted campaigns over the last month. While it contains all the hallmarks of standard ransomware, there are a few traits that make it stand out as more aggressive and more complex.” reads the report published by SentinelOne.

“Snake is written in Golang, which has been seen in many recent ransomware families. Golang is an open-source programming language, with a degree of cross-platform support. It is for these same reasons that some RaaS (Ransomware as a Service) offerings utilize the language as well. One such example would be Project Root.“

The Snake ransomware targets files associated with SCADA platforms, enterprise management tools, and system utilities. Experts noticed that some specifically targeted applications include VMware Tools, Microsoft System Center Operations Manager, Nimbus, Honeywell HMIWeb, and FLEXnet. 

According to SentinelLabs, most of the ICS processes targeted by Snake are associated with products made by GE.

The Israeli cybersecurity firm Otorio said the Snake ransomware has been created by Iran and was designed to target industrial control systems.

OTORIO confirms that the Snake ransomware terminates a critical p for the GE Digital Proficy server, which is used to connect to the Proficy HMI/SCADA, Manufacturing Execution Systems (MES), and Enterprise Manufacturing Intelligence (EMI) systems. Experts warn that terminating this process could have a serious impact on operational teams.

“Deleting or locking targeted ICS processes would prohibit manufacturing teams from accessing vital production-related processes including analytics, configuration and control,” reads the report published by Otorio. “ This is the equivalent of both blindfolding a driver and then taking away the steering wheel. In addition, Snake stops a critical networking process in the GE Digital Proficy server. This industrial gateway enables the connectivity to Proficy HMI/SCADA, MES, and EMI. Without it, operational teams would not just be driving blind – they’d also be deaf and dumb. ”

“GE is aware of reports of a ransomware family with an industrial control system specific functionality. Based on our understanding, the ransomware is not exclusively targeting GE’s ICS products, and it does not target a specific vulnerability in GE’s ICS products.” reads a statement from a General Electric representative.

Experts pointed out that the ransom instructs victims to contact email address [email protected], where “bapcocrypt” may refer to the Bahrain Petroleum Company (Bapco), which was recently targeted by attackers using a piece of malware named Dustman. Saudi Arabia’s National Cybersecurity Authority linked Dustman to the ZeroCleare wiper that has been used in highly targeted attacks aimed at energy and industrial organizations in the Middle East.

ZeroCleare is classified as a destructive wiper that experts linked to Iran-linked APT groups, according to the experts, the campaign they have monitored may have been the first in which the malware was involved.

“Recently it was reported that Iranian state-sponsored hackers have deployed a data-wiping malware dubbed Dustman on BAPCO’s network. It’s no coincidence that these two attacks come in short proximity to one another.” concludes OTORIO. “Using an already “proven” malware (i.e. MegaCortex) and honing it (to target ICSs) is a hallmark of the operation methods of Iranian hackers (see our most recent blog: “Why We Need to Prepare for an Iranian Attack on ICS”). This makes Iran not only the immediate suspect – but a highly likely one as well.”

Pierluigi Paganini

(SecurityAffairs – Snake ransomware, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]