SNAKE is a new strain of ransomware which targets entire networks, first discovered by the MalwareHunterTeam and studied further by Vitali Kremez.
Like most ransomware, SNAKE leaves the operating system and program files alone so that the machine still boots. It goes after the files people actually work with, such as documents, pictures, videos and project files, and encrypts them. To regain access, the criminals demand a hefty fee in exchange for the decryption key.
Paying the fee often does not get your files back, and in some cases the attackers leave behind other strains of ransomware timed to execute at a later date.
What you need to know
- SNAKE can be installed unintentionally through standard phishing attacks, such as malicious e-mails or websites
- SNAKE is written in Go (Golang), an open-source language that compiles the same source to native binaries for several operating systems. A build for another platform is therefore cheap for the authors, so no operating system should be assumed immune; cross-platform support in the language does not, however, mean that a given sample runs everywhere
- Encryption is slower than in other ransomware families, and the attacker can choose when to trigger it. That delay gives network administrators a window to detect the intrusion and limit the damage before encryption completes
- SNAKE then appends a random five-character string to the existing file extension rather than replacing it. For example, Test1.jpg is encrypted and renamed Test1.jpgAUxRo. This is unusual: most ransomware adds its own fixed extension, which is easy to search for or block, whereas here the original extension survives and the suffix is random
- SNAKE also appends the file marker “EKANS” to each encrypted file. EKANS is SNAKE spelled backwards, and it is from this marker that the ransomware takes its name
- On completion of the encryption process, a ransom note named Fix-Your-Files.txt is written to the desktop. The note reads:
What happened to your files?
We breached your corporate network and encrypted the data on your computers. The encrypted data includes documents, databases, photos and more – All were encrypted using a military-grade encryption algorithm (AES-256 and RSA-2048). You cannot access those files right now. But don’t worry! You can still get those files back and be up and running again in no time.
How to contact us to get your files back?
The only way to restore your files is by purchasing a decryption tool loaded with a private key we created specifically for your network. Once run on an affected computer, the tool will decrypt all encrypted files – and you can resume day-to-day operations, preferably with better cybersecurity in mind. If you are interested in purchasing the decryption tool contact us at firstname.lastname@example.org
How can you be certain we have the decryption tool?
In your mail to us attach up to 3 files (up to 3MB, no databases or spreadsheets). We will send them back to you decrypted.
The note makes clear that the attack targets the whole network rather than one or two computers. It also states that AES-256 and RSA-2048 were used, which is the usual hybrid scheme behind such claims: file contents are encrypted with symmetric AES keys, and those keys are in turn encrypted with the attacker's RSA public key, so only the attacker's private key can recover them. If that is implemented correctly there is no shortcut, and a free decryptor only becomes possible if the authors made an implementation mistake (such as a weak key source) or the private key leaks.
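As an added example (not code from the original article or from the researchers it cites), the following Python scanner looks for the two on-disk artefacts described above: the five-character suffix appended to the original extension, and the EKANS marker. It assumes the marker sits in the file's trailing bytes and uses a small, assumed list of common extensions to decide where the original extension ends; the sample files it creates are constructed for the demonstration.

```python
import os
import re
import tempfile
from pathlib import Path

# "EKANS" is the marker the article says SNAKE appends to each encrypted file.
# Assumption: it sits within the last TAIL_BYTES of the file.
EKANS_MARKER = b"EKANS"
TAIL_BYTES = 64

# Assumed list of extensions worth checking; extend it for your environment.
KNOWN_EXTENSIONS = {"jpg", "jpeg", "png", "doc", "docx", "xls", "xlsx",
                    "pdf", "txt", "sql", "mdb", "zip", "psd", "mp4"}

# Last dotted component must be at least 6 chars: an extension plus 5 random chars.
_SUFFIX_RE = re.compile(r"^(?P<stem>.+)\.(?P<tail>[A-Za-z0-9]{6,})$")


def split_snake_name(name):
    """Return (original_name, suffix) if `name` looks like <stem>.<ext><5 alnum>,
    where <ext> is a known extension; otherwise None.
    Test1.jpgAUxRo -> ("Test1.jpg", "AUxRo")"""
    m = _SUFFIX_RE.match(name)
    if not m:
        return None
    tail = m.group("tail")
    ext, suffix = tail[:-5], tail[-5:]
    if ext.lower() not in KNOWN_EXTENSIONS:
        return None
    return f"{m.group('stem')}.{ext}", suffix


def has_ekans_marker(path):
    """True if the EKANS marker appears in the last TAIL_BYTES of the file."""
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        fh.seek(max(0, size - TAIL_BYTES))
        return EKANS_MARKER in fh.read()


def scan_tree(root):
    """Walk `root` and return (path, original_name) for every file that both carries
    a SNAKE-style suffix and ends with the marker. The name alone is a weak signal
    (a legitimate 'notes.txtfinal' matches it), so the marker check confirms."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            parsed = split_snake_name(fn)
            if parsed is None:
                continue
            full = os.path.join(dirpath, fn)
            if has_ekans_marker(full):
                hits.append((full, parsed[0]))
    return hits


def build_sample_tree():
    """Constructed sample data (not from a real infection): one file mimicking
    SNAKE's naming and marker, one with the name pattern only, one untouched."""
    root = tempfile.mkdtemp(prefix="snake_demo_")
    (Path(root) / "Test1.jpgAUxRo").write_bytes(b"\x00" * 200 + EKANS_MARKER)
    (Path(root) / "notes.txtfinal").write_bytes(b"draft text")  # name pattern only
    (Path(root) / "Test2.jpg").write_bytes(b"\xff\xd8\xff\xe0 untouched")
    return root


if __name__ == "__main__":
    for path, original in scan_tree(build_sample_tree()):
        print(f"encrypted: {path}  (was {original})")
```

Run it against a file share after an incident to list encrypted files together with their original names, which is what you need to scope the damage and decide what to restore from backup. Because the suffix is random, there is no single extension to search for, which is why the marker check matters more than the name.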
How to protect your organisation from Ransomware
A ransomware attack can be stopped at several stages. It is far better for your organisation to stop it early than after it has executed: these attacks evolve quickly, and once the payload has run the damage can be impossible to undo.
Stage 1 – Identify the Risk and Stop it
Ransomware is one of the most common types of malware sent to organisations, because it causes great damage while requiring very little from the victim at the receiving end.
It is commonly delivered through phishing attacks targeted at your organisation's employees. The phishing e-mail usually carries a malicious link or attachment that a deceived employee has to open for the attack to begin.
According to Techradar (May 2019), 90 percent of all security incidents are caused by end-users, so the most important investment against ransomware is staff awareness, built through security awareness training and regular phishing tests. That is the most effective point at which to stop ransomware from ever being installed on the corporate network.
Stage 2 – Prevent the Ransomware from Executing
At this stage the ransomware has already reached a machine or the network and must execute to progress. The control that matters here is endpoint protection that blocks the binary before it runs. For years anti-virus products relied primarily on signatures, which made sense on the assumption that every attack a business faced had been seen before.
Today malware mutates daily, even hourly, which leaves purely signature-based prevention behind. Next-generation endpoint protection uses machine-learning and behavioural detection rather than relying on signatures alone, so it can block both known and unknown malware from running on an endpoint.
Stage 3 – Stop it from Spreading
The worst has happened and the ransomware has executed. Your corporate files are encrypted and cannot be accessed without the decryption key. The timer counts down and the demand fills your screen. Paying is the last thing you should do: the people behind these attacks are criminals and cannot be trusted to deliver once they have the money.
With an Endpoint Detection and Response (EDR) solution in place you can monitor your endpoints continuously, detect an active malicious presence and decide quickly on its scope and impact. Containing the spread means identifying the affected endpoints and isolating them from the network; with a family that encrypts as slowly as SNAKE, that window is real and worth using.
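The detection logic an EDR would run at this stage is easy to illustrate. As an added example (not code from the article or from any vendor's product), the Python below consumes constructed file-rename telemetry and raises an alert when one process renames several files in SNAKE's shape (original name plus five alphanumerics) within a sliding window. Because the article notes that SNAKE encrypts slowly, the window is a long ten minutes and the count is low; both values, and the sample events, are assumptions to tune for your own telemetry.

```python
from collections import defaultdict, deque

# Tunables (assumptions, not values from the article). A burst rule such as
# "100 renames in 10 seconds" would miss a slow encryptor; use a long window
# and a low count instead.
WINDOW_SECONDS = 600   # look back ten minutes
THRESHOLD = 5          # matching renames within the window raise an alert


def is_snake_rename(src, dst):
    """SNAKE keeps the original name and extension and appends five random
    alphanumerics: Test1.jpg -> Test1.jpgAUxRo. Flag renames of exactly that shape."""
    if not dst.startswith(src):
        return False
    suffix = dst[len(src):]
    return len(suffix) == 5 and suffix.isalnum()


def detect(events):
    """events: iterable of (timestamp_seconds, pid, op, src_path, dst_path).
    Returns one alert per pid the first time its SNAKE-style renames within
    WINDOW_SECONDS reach THRESHOLD, as (pid, first_ts, alert_ts, count)."""
    recent = defaultdict(deque)   # pid -> timestamps of matching renames
    alerted = set()
    alerts = []
    for ts, pid, op, src, dst in sorted(events):
        if op != "rename" or not is_snake_rename(src, dst):
            continue
        q = recent[pid]
        q.append(ts)
        while q and ts - q[0] > WINDOW_SECONDS:   # drop events outside the window
            q.popleft()
        if len(q) >= THRESHOLD and pid not in alerted:
            alerted.add(pid)
            alerts.append((pid, q[0], ts, len(q)))
    return alerts


# Constructed sample telemetry (not from a real incident). pid 4242 renames one
# file roughly every 90 seconds, which a fast-burst rule would ignore; pid 100 is
# an ordinary process renaming temp files.
SAMPLE_EVENTS = [
    (0,   4242, "rename", r"C:\Users\a\Docs\Test1.jpg",      r"C:\Users\a\Docs\Test1.jpgAUxRo"),
    (90,  4242, "rename", r"C:\Users\a\Docs\Q1.xlsx",        r"C:\Users\a\Docs\Q1.xlsxKmq2Z"),
    (100, 100,  "rename", r"C:\Users\a\AppData\tmp1.tmp",    r"C:\Users\a\AppData\tmp1.tmp.bak"),
    (185, 4242, "rename", r"C:\Users\a\Docs\plan.docx",      r"C:\Users\a\Docs\plan.docxB7hQw"),
    (280, 4242, "write",  r"C:\Users\a\Docs\plan.docxB7hQw", ""),
    (290, 4242, "rename", r"C:\Users\a\Docs\logo.png",       r"C:\Users\a\Docs\logo.pngZ0aLp"),
    (380, 4242, "rename", r"C:\Users\a\Docs\notes.txt",      r"C:\Users\a\Docs\notes.txtRr4Ex"),
    (400, 100,  "rename", r"C:\Users\a\AppData\tmp2.tmp",    r"C:\Users\a\AppData\tmp2.tmp.bak"),
]

if __name__ == "__main__":
    for pid, first, when, count in detect(SAMPLE_EVENTS):
        print(f"ALERT pid={pid}: {count} SNAKE-style renames between t={first}s and t={when}s")
```

The alert identifies the process and host to isolate; the response action (network-isolating the endpoint, killing the process) is what the EDR platform provides on top of the detection. A single matching rename is not evidence of anything, so the rule counts per process over time rather than firing on the first hit.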