Snake Ransomware brings impending doom to enterprise networks
In January, new targeted ransomware was discovered called SNAKE and EKANS. Malware is written in Go and heavily obfuscated. It targets ICS environments. Snake Ransomware appears to be distributed through a targeted and focused campaign. It uses AES and RSA encryption. After infection, the encrypted data is overwritten in affected files. Every modified file is also marked with the string “EKANS” at the end.
Malware can check for an internal system name or public IP address. In our case, it is related to Honda Company. If DNS queries to Honda’s internal domain are not answered, the malware will exit immediately.
Technical AnalysisThis file is a PE32 executable on MS Windows. It has a “.symtab” section with fewer imported files which indicate that the file was written and compiled in Go language.
Fig 1: Section Names
umerous strings were found, which indicates that the binary was compiled in Go language. Below is the Go build ID.
Fig 2: GO build ID
The malware requests a DNS resolution for “MDS.HONDA.COM” Honda was recently attacked by ransomware cyber-attacks on its technology systems. This is likely the sample that was used to compromise Honda’s website.
Figure 3: DNS resolution of MDS.HONDA.COM
Malware resolves “MDS.HONDA.COM” to the associated IP address, it also contains a reference to the US IP address 22.214.171.124, which resolves to the ‘unspec170108.amerhonda.com’ hostname. Malware will terminate its execution if the DNS resolution fails.
Once the malware has found that the domain name is resolved, it sends a command to netsh.exe to change the firewall settings. This command was successful:
“Netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound”.
This command will stop all outgoing and incoming connections to profiles that don’t match the Windows firewall rules.
Fig 4: Command used for changing firewall setting
Malware uses the below algorithm to decrypt all strings used in execution of malware. However, each encrypted string uses a different XOR-key.
Below is the decryption loop that decrypts RSA public key. This will be used to encrypt all AES keys used for encryption of files.
Fig 5: Decryption Loop
Below is the decompiled code for this algorithm.
Fig 6: Decompiled decryption loop
Malware scans for the Mutex “EKANS” before it is executed. The ransomware will stop the execution of the Mutex named “EKANS” and will not infect any systems. If not, the ransomware is activated and the infection progresses.
It includes a hard-coded service list and process, which are encrypted strings of malware. The ransomware will block any services running in the victim’s system. It will also terminate any processes running in the system using the function TerminateProcess(). Below are some process names.
Fig 7: Some process names which are decrypted by malware
Malware will delete all Volume Shadow Copy backups on your system. Malware removes extensions from encrypted files. These extensions are listed below:
.sys .mui .tmp .lnk .config .tlb .olb .blf .ico .manifest .bat .cmd .ps1 etc
The malware can decrypt some extensions, but they are not used during encryption.
Fig 8: Extensions mentioned in File
The encryption of snake uses a combination of symmetric and asymmetric cryptography, which includes AES256 and RSA-2048. For encryption and decryption of files, a symmetric key must be used. This Symmetric key can be encrypted using the attacker’s private key. The attacker’s private keys are required to decrypt the Symmetric key. Security vendors find it difficult or impossible to decrypt the attacker’s private key.
Malware employs AES CTR mode to encrypt the file using a 0x20 bytes random keys and a 0x10-byte random IV. The file contains the RSA public key. After encryption malware adds the “EKANS” marker at end. EKANS is the reverse of SNAKE.
Fig 9: Encrypted file with EKANS marker
After encryption, malware renames encrypted files. The malware adds a random string of 5 characters to each file’s extension. Extensions are ransom so it is difficult to identify ransomware via extensions. Below is an image that shows how the snake ransomware renames files.
Fig 10: Files before and after encryption
Ransomware is a constant threat to both individuals and businesses. Ransomware encrypts files and makes it very difficult to retrieve the data. Due to the severity of ransomware’s damage to data, it is important that you follow the security recommendations below.
- Multi-layered antivirus can be used to stop real-time threats.
- Make sure your antivirus is up-to-date
- Keep your Operating System up-to-date as new patches are added every day.
- Make sure your software is up-to-date
- Never connect remote systems directly to the Internet.
- Never click on links or open attachments from emails sent to you by unknown sources.
- Regular data backup is recommended. Keep it safe.
- Check for any misconfigurations in your gateway system.
Multilayered detection technologies are used in Seqrite products, including IDS/IPS and DNA Scan, Email Scan and BDS. Web Protection is also available. Patented Anti Ransomware detection is also included. This multi-layered security strategy helps us to protect our customers from Ransomware and other unknown threats.