Security researchers have observed samples of the new SNAKE ransomware family targeting organizations’ entire corporate networks.
Upon successful infection, the ransomware deletes the machine’s Shadow Volume Copies before terminating various processes associated with SCADA systems, network management solutions, virtual machines and other tools. It then proceeds to encrypt the machine’s files while skipping over important Windows folders and system files. As part of this process, it appends “EKANS” as a file marker along with a five-character string to the file extension of each file it encrypts.
The threat wraps up its encryption routine by dropping a ransom note entitled “Fix-Your-Files.txt” in the C:\Users\Public\Desktop folder. This ransom note instructs victims to contact “firstname.lastname@example.org” in order to purchase a decryption tool.
That’s not all the ransom note says. Bleeping Computer points this out in a blog post on SNAKE:
As you can see from the language in the ransom note, this ransomware specifically targets the entire network rather than individual workstations. They further indicate that any decryptor that is purchased will be for the network and not individual machines, but it is too soon to tell if they would make an exception.
SNAKE isn’t the first ransomware that’s directed its focus to entire corporate networks. Back in March 2019, for instance, researchers discovered a new variant of the CryptoMix Clop ransomware family that claimed to target entire networks instead of individual users’ machines. A few months later, the security community learned of a new crypto-ransomware threat called “TFlower” targeting corporate environments via exposed Remote Desktop Services (RDS).
The emergence of SNAKE ransomware highlights the need for organizations to defend themselves against a ransomware infection. They can use these recommendations to prevent a ransomware infection in the first place. They should also consider investing in a solution like Tripwire File Analyzer for the purpose of detecting suspicious files and behavior on the network.