U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Snake Ransomware isolates infected Systems before encrypting files

Experts spotted recent samples of the Snake ransomware that were isolating the infected systems while encrypting files to avoid interference. Experts from cybersecurity firm Deep Instinct recently spotted some sample of the Snake ransomware (also known as EKANS) were observed isolating the infected systems to encrypt files without interference In January experts observed a new wave of attacks that targeted organizations worldwide, […]

SNAKE ransomware

Experts spotted recent samples of the Snake ransomware that were isolating the infected systems while encrypting files to avoid interference.

Experts from cybersecurity firm Deep Instinct recently spotted some sample of the Snake ransomware (also known as EKANS) were observed isolating the infected systems to encrypt files without interference

In January experts observed a new wave of attacks that targeted organizations worldwide, experts from SentinelOne also discovered Snake Ransomware that was targeting processes and files associated with industrial control systems (ICS).

The activity of the gang was relatively quiet during the COVID-19 outbreak since May 4, when the ransomware operators launched a massive campaign that targeted organizations worldwide.

Snake Ransomware is suspected to have been employed in a ransomware attacks that hit Fresenius Group, Europe’s largest hospital provider, and the Japanese carmaker Honda.

The Snake ransomware kills processes from a predefined list, including ICS-related processes, to encrypt associated files.

Snake samples employed in more recent attacks implements the ability to enable and disable the firewall and leverage specific commands to block unwanted connections to the system.

“Before initiating the encryption, Snake will utilize the Windows firewall in order to block any incoming and outgoing network connections on the victim’s machine that aren’t configured in the firewall. Windows built-in netsh tool will be used for this purpose,” reads the analysis published by cybersecurity firm Deep Instinct. “Disconnected from the outside world, Snake will kill the hardcoded processes that may interfere with the encryption. This list contains processes related to the industrial world and several security and backup solutions.”

The malware would kill any process that might potentially interfere with the encryption, including those associated with industrial software, backup solutions, and of course security tools. Then the malware also deletes shadow copies to prevent the victims from recovery the files.

“Once all the preparations are completed, the ransomware can initiate the encryption process.” continues the analysis. “Excluding several system-critical folders and files, all files with extensions included in Snake’s hardcoded list are included. The list includes document, virtualization, database, and archive extensions among others.”

The malware appends a random five-character string to the extension of the encrypted files and the word EKANS to the end of the file (i.e. For example, our encrypt_me.txt file was changed to encrypt_me.txtDwtwx.)

“The concept of ransomware is rather simple – you encrypt your victims’ files and wait for them to pay. Although this concept hasn’t changed in recent years, ransomware attacks have become more and more sophisticated and targeted, as we witness the gradual change in the priorities, tactics and scale of attacks.” concludes the report.

“If the attackers are changing their modus operandi, we should change the way we think about ransomware attacks.”

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, SNAKE ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]