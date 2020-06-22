Kaspersky ICS CERT carried out a detailed analysis of the behavior of the Snake (or Ekans) virus (ransomware), responsible for halting industrial activities in recent months

Kaspersky ICS CERT performed a detailed analysis of the behavior of the Snake (or Ekans) ransomware, responsible for paralyzing industrial activities in recent months after attacks on companies in different parts of the world.

According to the document, Snake, which encrypts data and prevents a company from accessing its business documents, acts in a targeted way: it carries the domain name and IP address of the compromised network in its code and uses them to decide where to run and encrypt files.

This also indicates that the deployment of Snake is only the last of a series of pre-coordinated steps.

Before building the ransomware, for example, the criminals need to discover the address records of their targets and, in some cases, obtain this data through public DNS servers.

All samples analyzed were blocked by Kaspersky security solutions, based on the original variant of the Snake ransomware identified in December 2019.

The main findings of Kaspersky ICS CERT about the Snake ransomware are as follows:

• The malware was launched using a file named “nmon.bat”. Kaspersky products detected the file in the script folders of the domain policy.

• The only difference between all identified Snake ransomware samples is the domain name and the IP address embedded in the code.

• The IP address in the malware code is compared with the IP address of the infected machine, if the malware is able to determine it.

• The malware only encrypts the data on the infected machine if the IP address of the device and the one embedded in the malware code are the same.

• The combination of IP address and domain name embedded in the malware code is unique to each identified attack. Both appear to belong to the internal network of the organization targeted by the attack.

• In some cases, the domain names may have been obtained from public DNS servers, while the information about the IP addresses associated with them appears to be stored only on internal DNS servers. As a result, such information is only available when DNS requests are sent from inside the compromised internal network.

• Beyond the organization’s domain name and IP address embedded in the code, the new Snake samples also differ from those identified in December 2019 in another respect.

They carry a much longer list of file extensions (types) that the malware should encrypt. Examples include extensions for virtual drive files, Microsoft Access, source code in C/C#/ASP/JSP/PHP/JS, the corresponding project and solution files, and other extensions that were not covered by the previous samples.

To identify the signs of a Snake ransomware attack and prevent possible damage, Kaspersky ICS CERT recommends:

• Use the provided indicators of compromise to identify infections on Windows workstations and servers (Check here).

• Check domain policies and scripts for malicious code.

• Search the active tasks in Windows Task Scheduler, both on workstations and on servers, for any malicious code.

• Change passwords for all accounts in the domain administrators group.
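As an added example (not code from the Kaspersky report or from this article), the following PowerShell hunt applies the second and third recommendations on a domain-joined Windows host: it lists the scripts in the SYSVOL policy and script folders, flags the “nmon.bat” file name from the report, and shows what every scheduled task actually executes. The SYSVOL paths, the 30-day “recently modified” window and the suspicious-path pattern are assumptions chosen here, not values from the report.

```powershell
# Hunt for the Snake (Ekans) artifacts described above. Assumes read access to
# SYSVOL and to the local Task Scheduler. Only "nmon.bat" comes from the report;
# the paths, the 30-day window and the regex below are assumptions of this example.
$Domain      = $env:USERDNSDOMAIN
$SysvolPaths = @("\\$Domain\SYSVOL\$Domain\scripts",
                 "\\$Domain\SYSVOL\$Domain\Policies")
$Since       = (Get-Date).AddDays(-30)

# 1. Domain policy scripts: list every script-like file, flag nmon.bat by name
#    and anything written recently (a new GPO startup script is a strong signal).
$scripts = Get-ChildItem -Path $SysvolPaths -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.bat', '.cmd', '.ps1', '.vbs', '.exe' }
$scriptReport = foreach ($f in $scripts) {
    $note = if ($f.Name -ieq 'nmon.bat')        { 'MATCH: nmon.bat (see report)' }
            elseif ($f.LastWriteTime -gt $Since) { 'recently modified' }
            else                                 { '' }
    [pscustomobject]@{ Path = $f.FullName; Modified = $f.LastWriteTime; Note = $note }
}
"== Scripts in domain policy folders =="
$scriptReport | Sort-Object Note -Descending | Format-Table -AutoSize

# 2. Scheduled tasks: resolve each task to the program it runs so that tasks
#    pointing at SYSVOL, temp folders or user profiles stand out for review.
$taskReport = Get-ScheduledTask | ForEach-Object {
    $task = $_
    $task.Actions | Where-Object { $_.Execute } | ForEach-Object {
        [pscustomobject]@{
            Task      = $task.TaskPath + $task.TaskName
            State     = $task.State
            Author    = $task.Author
            Execute   = $_.Execute
            Arguments = $_.Arguments
        }
    }
}
$suspicious = 'sysvol|\\temp\\|\\users\\|nmon\.bat'   # assumption: review these first
"== Scheduled tasks whose command line matches the review pattern =="
$taskReport | Where-Object { ($_.Execute + ' ' + $_.Arguments) -match $suspicious } |
    Format-Table -AutoSize
"== All scheduled tasks ($($taskReport.Count) actions) =="
$taskReport | Format-Table -AutoSize
```

Run it on the domain controllers and on a sample of workstations; the fourth recommendation (resetting domain administrator passwords) is an administrative action outside the script.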

With information from López-Dóriga Digital