Before Encryption, ICS-Targeting Snake Ransomware Isolates Infected Systems
Recent Snake ransomware samples have been observed isolating the infected host from the network before encryption begins, so that nothing can interfere with the encryption run, security researchers say.

Snake (also known as EKANS) emerged as a notable threat to industrial control systems (ICS) when it was first documented in January this year, because the process list it targets includes processes found only in those environments. The ransomware is suspected of being behind last month’s cyber-incident at Honda.

One of Snake’s defining features is that it kills processes from a predefined list, including ICS-related processes, so that it can encrypt the resources those processes hold open, adding pressure on victims to pay the ransom to restore the affected systems.

In more recent attacks the ransomware has gone a step further, attempting to isolate the compromised system from the network before it starts encrypting files.

To this end, Snake’s developers gave it the ability to enable and disable the Windows firewall and to issue specific commands that block unwanted network connections.

“Snake will use the Windows firewall before initiating the encryption to block any incoming and outgoing network connections on the victim’s machine that aren’t configured in the firewall. To that end, Windows built-in netsh tool will be used,” explains Deep Instinct, a cybersecurity firm.

The malware then searches for processes that could interfere with or halt the encryption, including those belonging to industrial systems, security tools and backup solutions, and terminates them. It also deletes Volume Shadow Copies to prevent recovery of the encrypted files.

As in earlier versions, the ransomware avoids encrypting system-critical directories and files.

While analyzing Snake’s behavior, Fortinet also found that the malware turns the firewall off again once the encryption process has completed.

Fortinet also notes that, after the initial compromise, the ransomware favors domain controllers and explicitly searches for them, using a WMI query to determine the role each machine plays in the network.
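The behaviors described above (netsh firewall manipulation, shadow copy deletion and the WMI role lookup) are all visible in ordinary Windows process-creation telemetry. The following is an added detection example, not code from Deep Instinct, Fortinet or the Snake authors. The sample events are constructed, the exact netsh command lines are an assumption about how "block incoming and outgoing connections" and "enable and disable the firewall" would be expressed (the article does not quote them), and the `Win32_ComputerSystem` `DomainRole` lookup via `wmic` is an assumed implementation of the domain-controller search, not a detail the article gives.

```python
"""Flag Snake/EKANS-style host isolation and anti-recovery steps in
Windows process-creation events (Sysmon Event ID 1 or Security 4688 shape).

Added example; not the code of any firm or malware named in the article.
Sample events are constructed. The netsh/vssadmin/wmic command lines are
assumptions about how the described steps would appear on the command line.
"""
import re
from typing import Dict, Iterable, List, Set, Tuple

# (rule name, pattern matched against the lower-cased command line)
RULES: List[Tuple[str, re.Pattern]] = [
    # Firewall switched on/off for one or all profiles (enable/disable step).
    ("firewall_state_toggle",
     re.compile(r"netsh\s+advfirewall\s+set\s+(allprofiles|\w+profile)\s+state\s+(on|off)")),
    # Default policy set to block both directions: the isolation step.
    ("firewall_block_all",
     re.compile(r"netsh\s+advfirewall\s+set\s+\w+\s+firewallpolicy\s+blockinbound,\s*blockoutbound")),
    # Volume Shadow Copy deletion to prevent recovery.
    ("shadow_copy_deletion",
     re.compile(r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)")),
    # Assumed WMI lookup of the host's domain role (DC search).
    ("domain_role_query",
     re.compile(r"wmic(\.exe)?\s+computersystem\s+get\s+domainrole")),
]

# Constructed sample telemetry: one infected workstation and one admin host.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ts": "2020-06-10T08:01:12", "host": "ENG-WS07",
     "cmdline": "netsh advfirewall set allprofiles state on"},
    {"ts": "2020-06-10T08:01:13", "host": "ENG-WS07",
     "cmdline": "netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound"},
    {"ts": "2020-06-10T08:01:20", "host": "ENG-WS07",
     "cmdline": "wmic computersystem get domainrole"},
    {"ts": "2020-06-10T08:01:25", "host": "ENG-WS07",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2020-06-10T08:09:40", "host": "ENG-WS07",
     "cmdline": "netsh advfirewall set allprofiles state off"},
    # Benign read-only firewall query on another host: must not fire.
    {"ts": "2020-06-10T08:02:00", "host": "IT-ADMIN01",
     "cmdline": "netsh advfirewall show allprofiles"},
]


def classify(cmdline: str) -> List[str]:
    """Return the names of every rule the command line matches."""
    lowered = cmdline.lower()
    return [name for name, rx in RULES if rx.search(lowered)]


def scan(events: Iterable[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (ts, host, rule) for every rule hit across the events."""
    hits = []
    for ev in events:
        for rule in classify(ev["cmdline"]):
            hits.append((ev["ts"], ev["host"], rule))
    return hits


def isolated_before_encryption(events: Iterable[Dict[str, str]]) -> Set[str]:
    """Hosts where the block-all firewall policy was set before shadow copies
    were deleted, i.e. the isolate-then-encrypt ordering the article describes.
    Timestamps are ISO-8601 strings, so plain string comparison orders them."""
    first_seen: Dict[Tuple[str, str], str] = {}
    for ts, host, rule in scan(events):
        key = (host, rule)
        if key not in first_seen or ts < first_seen[key]:
            first_seen[key] = ts
    hosts = {host for host, _ in first_seen}
    return {
        h for h in hosts
        if (h, "firewall_block_all") in first_seen
        and (h, "shadow_copy_deletion") in first_seen
        and first_seen[(h, "firewall_block_all")] < first_seen[(h, "shadow_copy_deletion")]
    }


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("%s %-10s %s" % hit)
    print("isolated-then-encrypted:", sorted(isolated_before_encryption(SAMPLE_EVENTS)))
```

A single netsh state change is weak evidence on its own (administrators do it), which is why the sequence check in `isolated_before_encryption` looks for the block-all policy followed by shadow copy deletion on the same host; the follow-on `state off` after encryption and the role query are further corroboration rather than triggers.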

If successful in infecting a domain controller, Snake “can affect requests for security authentication within the domain of the network, thus severely affecting networked users,” Fortinet notes.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.