Snake Ransomware Slithers Into the Light

For large portions of the population, targeting healthcare organizations during a global pandemic is a step too far. It is hard to justify the actions of ransomware gangs at the best of times, but attacks on organizations on the front line of the COVID-19 health emergency are beyond the pale. In the past, a hacker could claim such an attack was an accident, then decrypt the data free of charge. In an age of human-operated, highly targeted big game hunting ransomware, however, that excuse has no merit and cannot be accepted: the operators chose the victim.

Those behind the new variant called Snake have offered no excuses, even if their victims wanted one, while the gang actively targets healthcare organizations. Snake has quickly adopted the tactics of well-known human-operated big game hunting ransomware families including Ryuk, BitPaymer, DoppelPaymer, Sodinokibi and Maze, to name only a few.

In human-operated attacks, the operators target a specific organization and slowly work their way across the network before initiating the ransomware, so that instead of impacting one device it infects numerous devices throughout the organization’s network, grinding workflow to a halt. Big game hunting gangs target large organizations in the hope of demanding a bigger ransom, one that is more likely to be paid as the company weighs the cost of downtime and recovery, not just the ransom, into its losses. The tactic is not new; GandCrab was a major driving force behind its adoption, as well as behind the ransomware-as-a-service (RaaS) business model. Snake has not adopted the RaaS model, but it has been quick to adopt several other tactics refined since GandCrab was retired by its developers.

Snake in the Wild

Snake was discovered by MalwareHunterTeam in early January 2020, who passed the sample to Vitali Kremez to reverse-engineer. Snake joins the ever-growing ranks of malware written in Go, also known as Golang (more on this language choice later). At the time of its discovery, the ransomware was being distributed in a focused campaign that appeared to target business enterprise networks exclusively, in line with other big game hunting ransomware families.

While Snake has adopted many of the tried and tested tactics of its forebears, it does have some traits that make it far more aggressive and complex than other ransomware strains. One of these is the high level of obfuscation in its code. Few other ransomware strains go to this extent, because encrypting data is inherently noisy, and needs to be, since the victim has to notice; once encryption is complete, the malware has served its purpose. Obfuscation still serves a purpose here: it makes analysis of the malware more difficult.

The majority of other ransomware strains append a fixed, discernible extension to the files they encrypt. Snake differs in this regard: it appends a short string of random characters to each encrypted file’s name rather than a uniform extension, and instead writes the marker EKANS to the end of the encrypted file’s contents. That marker has given the ransomware its name, as EKANS is simply “snake” backward. Like the increased level of code obfuscation, the random extension further complicates analysis and detection, as the file name alone no longer reveals which family of ransomware has encrypted important files; the EKANS marker inside the file, not the extension, is the reliable identifier.

Figure: ransom demanding message of Snake ransomware (image not reproduced).

Snake does not look to rewrite all the rules, instead relying on tried and tested techniques for the malware’s main purpose of encrypting data. Encryption follows the modern ransomware standard of mixing symmetric and asymmetric cryptography, AES-256 and RSA-2048 in this case. A symmetric AES key is used to encrypt the files, and that key is in turn encrypted with the attacker’s RSA public key. Only the holder of the matching RSA private key, that is, the attacker, can recover the symmetric key, and without it the files cannot be decrypted. Like many other strains in the ransomware family, Snake excludes critical system files from encryption so the machine still runs and the victim can read the ransom note and carry out whatever is needed to pay. Snake further looks to encrypt network resources, not just the important document types businesses rely upon to keep operating.
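The hybrid scheme and the EKANS marker described above, as an added example that is not Snake’s code or the author’s: a fresh random AES-256 key seals each file, the key is wrapped with an RSA-2048 public key using OAEP, and the marker is appended to the output so a responder can identify Snake-style files by content rather than by their random extension. The blob layout, the choice of AES-GCM as the mode and the OAEP wrapping are assumptions made for this example; the page only states AES-256 and RSA-2048. The key pair is generated locally here so both directions can be shown, whereas a real sample would embed only the public key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// ekansMarker is the marker the article says Snake writes into encrypted files.
const ekansMarker = "EKANS"

// Blob layout (assumed for this example, not Snake's real on-disk format):
// [2-byte wrapped key length][RSA-OAEP wrapped AES key][GCM nonce][ciphertext]["EKANS"]

// GenerateKeyPair stands in for the attacker's key generation; only the public
// half would ship inside the ransomware.
func GenerateKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Encrypt seals plaintext with a fresh AES-256 key (AES-GCM assumed) and wraps
// that key with the RSA public key, so only the private key holder can recover it.
func Encrypt(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	key := make([]byte, 32) // 32 bytes = AES-256
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 2)
	binary.BigEndian.PutUint16(out, uint16(len(wrapped)))
	out = append(out, wrapped...)
	out = append(out, nonce...)
	out = gcm.Seal(out, nonce, plaintext, nil) // appends ciphertext and tag
	return append(out, ekansMarker...), nil
}

// Decrypt reverses Encrypt. It fails unless the RSA private key matches the
// public key that wrapped the AES key, which is the whole point of the scheme,
// and it fails if the ciphertext or tag has been altered.
func Decrypt(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	if !IsEkansEncrypted(blob) {
		return nil, errors.New("no EKANS marker: not a Snake-style blob")
	}
	body := blob[:len(blob)-len(ekansMarker)]
	if len(body) < 2 {
		return nil, errors.New("blob too short")
	}
	wl := int(binary.BigEndian.Uint16(body))
	if len(body) < 2+wl {
		return nil, errors.New("truncated wrapped key")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, body[2:2+wl], nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap AES key: %w", err)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	rest := body[2+wl:]
	if len(rest) < gcm.NonceSize() {
		return nil, errors.New("truncated nonce")
	}
	return gcm.Open(nil, rest[:gcm.NonceSize()], rest[gcm.NonceSize():], nil)
}

// IsEkansEncrypted identifies a Snake-style file by its trailing marker, a more
// reliable check than the file name because the appended extension is random.
func IsEkansEncrypted(b []byte) bool {
	return bytes.HasSuffix(b, []byte(ekansMarker))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	priv, err := GenerateKeyPair()
	if err != nil {
		panic(err)
	}
	doc := []byte("constructed sample document contents") // constructed input
	blob, err := Encrypt(&priv.PublicKey, doc)
	if err != nil {
		panic(err)
	}
	plain, err := Decrypt(priv, blob)
	fmt.Printf("marker present: %v, round trip ok: %v\n", IsEkansEncrypted(blob), err == nil && bytes.Equal(plain, doc))
}
```

Decrypting with any other private key fails at the OAEP unwrap step, which is why recovery without paying depends on a flaw in the operator’s implementation rather than on the algorithms themselves, and why an incident responder should triage files by the trailing marker rather than by extension.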

Snake Targets ICS Processes

Industrial control systems (ICS) are the systems that facilitate the automation and safe operation of industrial processes. They can be seen as the backbone of critical infrastructure, as they are used in power plants, dam controls and factories that rely on high levels of machine automation. Typically they are not active targets for ransomware operators; they have generally been the focus of well-funded, skilled state-sponsored actors with access to ICS equipment on which to develop malware that specifically targets it.

To see ransomware targeting these processes is rare but not unheard of, and Snake joins the ranks of those rare specimens. In earlier campaigns distributing Snake, researchers found that the ransomware not only deletes volume shadow copies, removing the easiest local recovery path and leaving the victim dependent on real, offline backups, but also terminates specific ICS-related processes. The targeted processes include those associated with SCADA platforms, enterprise management tools and system utilities, more specifically VMware Tools, Microsoft System Center Operations Manager, Nimbus, Honeywell HMIWeb and FLEXnet.

Targeting these processes raises the stakes of a Snake infection significantly. Killing ICS processes before encryption also releases any file handles they held open, so their data files can be encrypted too, and the result is that the ransomware effectively locks out operations and manufacturing teams, causing production stoppages, increased downtime and, importantly to the attacker, increased financial losses. This places the organization under still more pressure to pay the ransom.
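A detection pass over the two behaviours just described, written for this article as an added example rather than taken from any vendor or from Snake itself: it scans process-creation events for shadow copy deletion commands, for kills of processes tied to the products the article names, and for the bulk termination of many distinct processes that precedes encryption. The event lines are constructed, their "timestamp host command line" layout is an assumption, and the kills are assumed to surface as taskkill command lines (a process-terminate telemetry source would be matched the same way). Of the watched process names, vmtoolsd.exe and lmgrd.exe are the usual VMware Tools and FLEXnet daemons; the others are placeholders a defender must replace with the names actually running on their hosts.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Alert is one suspicious event found while scanning process-creation events.
type Alert struct {
	Line   string
	Reason string
}

// Command lines that delete or starve volume shadow copies. All are well-known
// ransomware precursors; none is specific to Snake.
var shadowCopyPatterns = []*regexp.Regexp{
	regexp.MustCompile(`(?i)vssadmin(\.exe)?\s+delete\s+shadows`),
	regexp.MustCompile(`(?i)vssadmin(\.exe)?\s+resize\s+shadowstorage`),
	regexp.MustCompile(`(?i)wmic(\.exe)?\s+shadowcopy\s+delete`),
	regexp.MustCompile(`(?i)win32_shadowcopy.*(delete|remove)`),
}

// Illustrative process names for the products the article lists. Placeholder
// entries are assumptions and must be replaced with real names from the estate.
var watchedProcesses = map[string]string{
	"vmtoolsd.exe":       "VMware Tools",
	"monitoringhost.exe": "System Center Operations Manager agent (placeholder name)",
	"hmiweb.exe":         "Honeywell HMIWeb (placeholder name)",
	"nimbus.exe":         "Nimbus (placeholder name)",
	"lmgrd.exe":          "FLEXnet license manager",
}

// taskkillImage captures the image name passed to taskkill with /IM.
var taskkillImage = regexp.MustCompile(`(?i)taskkill(\.exe)?\b.*?/im\s+"?([^\s"]+)`)

// Scan flags shadow copy deletion, kills of watched processes and, once at least
// bulkThreshold distinct images have been killed, the bulk termination typical
// of ransomware clearing file locks before it starts encrypting.
func Scan(lines []string, bulkThreshold int) []Alert {
	var alerts []Alert
	killed := map[string]bool{}
	for _, line := range lines {
		for _, p := range shadowCopyPatterns {
			if p.MatchString(line) {
				alerts = append(alerts, Alert{line, "volume shadow copy deletion"})
				break
			}
		}
		if m := taskkillImage.FindStringSubmatch(line); m != nil {
			image := strings.ToLower(m[2])
			killed[image] = true
			if product, ok := watchedProcesses[image]; ok {
				alerts = append(alerts, Alert{line, "termination of " + product + " process"})
			}
		}
	}
	if len(killed) >= bulkThreshold {
		alerts = append(alerts, Alert{"", fmt.Sprintf("bulk termination of %d distinct processes", len(killed))})
	}
	return alerts
}

// sampleEvents are constructed events, not captured telemetry.
var sampleEvents = []string{
	`2020-05-04T09:12:01Z HMI-01 C:\Windows\System32\vssadmin.exe delete shadows /all /quiet`,
	`2020-05-04T09:12:02Z HMI-01 taskkill.exe /F /IM vmtoolsd.exe`,
	`2020-05-04T09:12:02Z HMI-01 taskkill.exe /F /IM HMIWeb.exe`,
	`2020-05-04T09:12:03Z HMI-01 taskkill.exe /F /IM lmgrd.exe`,
	`2020-05-04T09:12:03Z HMI-01 taskkill.exe /F /IM notepad.exe`,
	`2020-05-04T09:12:05Z HMI-01 C:\Windows\System32\notepad.exe C:\Users\op\shift-notes.txt`,
}

func main() {
	for _, a := range Scan(sampleEvents, 3) {
		fmt.Printf("%-60s %s\n", a.Reason, a.Line)
	}
}
```

The shadow copy rule is the high-confidence signal and should alert on its own; the bulk-kill rule is a behavioural one, so tune bulkThreshold against a baseline of legitimate maintenance activity before enabling it on an operations network.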

Healthcare Organization under Fire

Since the discovery of Snake in January, the operators had been quiet. That changed on May 4, a day “Star Wars” fans cherish and one that those defending certain networks may curse. The ransomware identification website ID Ransomware, in conjunction with MalwareHunterTeam, detected a massive spike in Snake activity. Companies in numerous sectors appeared to have been hit during the campaign, including those in the healthcare sector.

Reports began emerging that one of Europe’s biggest private hospital operators had fallen victim to an undisclosed piece of malware. It was clear that the enterprise had suffered a ransomware infection, with the company stating it had lost some of its operational capacity but that patient care continued. When the COVID-19 pandemic became a global emergency, security researchers asked ransomware gangs and other malware operators to cease operations against an already strained healthcare sector. Some responded, saying they would not target companies and organizations wholly or partly within the sector. While some showed a level of good faith, others did not respond and continued to target healthcare. Snake appears to be one of those that ignored the pleas.

While neither the healthcare company nor any of its statements named the ransomware that had infiltrated its networks, an anonymous source told KrebsOnSecurity that the offending malware was Snake. The article states,

“On Tuesday, a KrebsOnSecurity reader who asked to remain anonymous said a relative working for Fresenius Kabi’s U.S. operations reported that computers in his company’s building had been roped off and that a cyber attack had affected every part of the company’s operations around the globe. The reader said the apparent culprit was the Snake ransomware, a relatively new strain first detailed earlier this year that is being used to shake down large businesses, holding their IT systems and data hostage in exchange for payment in a digital currency such as bitcoin.”

This was later supported by subsequent reports that Snake was indeed the malware involved. Other companies were also hit, including an architectural firm and a pre-paid debit card company. Researchers tracked down ransom note samples dropped onto victims’ machines and determined from them that Snake has adopted yet another tactic becoming increasingly common among big game hunting ransomware: stealing data before encryption and then threatening to release it to the public at large.

This trend began shortly before Snake was seen in the wild. Maze was the first ransomware to adopt the tactic, and other gangs quickly followed. In hindsight it is a logical progression: these gangs spend an extended time on enterprise networks, slowly gaining privileges so the ransomware does maximum damage when it is dropped, and that dwell time also gives them ample opportunity to exfiltrate data before encrypting it. The practical result is that victims are no longer just victims of a ransomware attack but also of a data breach.

Healthcare organizations recovering from a ransomware incident now also have to deal with the likely loss of highly personal patient information. If it is found that the organization did not handle that data in line with the numerous pieces of applicable legislation, it may face heavy fines over and above any civil cases brought by affected parties. Ransomware gangs know this, and the threat to actually release sensitive data is another way they turn the screws. Organizations will have to weigh the cost of paying the ransom against the cost of not paying, as both hit the bottom line. It is still sage advice not to pay, as paying may earmark the organization for repeat targeting in the future, but the question of whether or not to pay has become much harder to answer than before.

GoLang Malware

Earlier it was mentioned that Snake is written in Go and that this relatively young language is increasingly being put to use for malware. Whether you call it Go, GoLang or Go Language, researchers have been tracking a spike in its use as the backbone of modern malware variants. The language was created in 2009 and, according to some reports, more than 10,000 distinct malware samples written in it have been detected. The majority are remote access trojans, backdoor trojans and pen-testing modules; ransomware written in Go, such as Snake, is still a rare breed, at least for the moment. The question is why it is becoming a popular language in the criminal cyber underworld.

There is no single reason. Some point to cross-platform development: one codebase can be compiled for each of the major operating systems, Windows, Linux and macOS, and cross-compiling is a matter of setting the GOOS and GOARCH environment variables at build time, so the malware developer can focus on writing one malicious application and aim it at victims on every platform. Go is not the hacker’s dream language without caveats, however: the runtime and every library the program uses are statically linked into the binary, which makes malware written in Go far larger than its cousins written in other languages. In some instances the malware files were too large to send via email.


Tomas Meskauskas

Tomas Meskauskas - Internet security expert, editor of pcrisk.com website, co-founder of Mac anti-malware application Combo Cleaner.
