fter Ryuk and Zeppelin, Snake Ransomware is a new breed of ransomware attack that targets not one or two but all computers on a company’s business network. The Snake ransomware was first discovered by the MalwareHunterTeam and studied by Vitali Kremez, Head of SentinelLabs.
“The (Snake) ransomware contains a level of routine obfuscation not previously and typically seen coupled with the targeted approach,” Kremez told BleepingComputer in a conversation.
Kremez’s analysis found that:
Snake Ransomware is written in Golang, an open source programming language that provides cross-platform support.
It removes the computer’s Shadow Volume Copies and terminates various processes related to SCADA systems, virtual machines, industrial control systems, remote management tools, network management software, and more.
During encryption, Snake skips all Windows and other system folders on the computer.
The encryption process is slower as compared to other ransomware attacks. The attacker also has the provision of choosing the time for encryption. This can potentially allow the network admins to control the damages of the attack.
Snake then unusually adds a random five-character string as a suffix to the existing extension name. For example, Test1.jpg file is encrypted and named as Test1.jpgAUxRo. This is unusual as ransomware usually adds specific extensions to the file and not just append the existing extension.
In each file that is being encrypted, the snake also appends the “EKANS” file marker. EKANS is SNAKE spelled in reverse order. This is where the ransomware derives its name from.
On completion of the encryption process, a ransom note named Fix-Your-Files.txt is generated on the desktop. Here is the text in the Ransom Note:
What happened to your files?
We breached your corporate network and encrypted the data on your computers. The encrypted data includes documents, databases, photos and more –
All were encrypted using a military grade encryption algorithm (AES-256 and RSA-2048). You cannot access those files right now. But don’t worry!
You can still get those files back and be up and running again in no time.
How to contact us to get your files back?
The only way to restore your files is by purchasing a decryption tool loaded with a private key we created specifically for your network.
Once run on an effected computer, the tool will decrypt all encrypted files – and you can resume day-to-day operations, preferably with
better cyber security in mind. If you are interested in purchasing the decryption tool contact us at bapcocrypt@ctemplar.com
How can you be certain we have the decryption tool?
In your mail to us attach up to 3 files (up to 3MB, no databases or spreadsheets). We will send them back to you decrypted.
From the text written in the ransom note, it is evident that the attack is targeted at the entire network and not just one or two computers. It also says that encryption algorithms, AES-256 and RSA-2048 have been used in this ransomware attack which means it is difficult to develop a free version of its decryptor.
