Snake ransomware isolates systems before encryption

Written by Emma Davis

Information security experts first discovered the Snake ransomware (aka EKANS) in January 2020, and Deep Instinct researchers now report that Snake isolates Windows-based systems before encryption.

In the months since its discovery, Snake has become a common threat to industrial control systems (ICS), because the malware targets processes specific to those environments.

For example, last month it was reported that Honda had been hit by this ransomware; Europe’s largest private hospital operator, Fresenius, was also attacked with Snake.

“One of the features of Snake is the elimination of processes from a predefined list, including ICS-related processes,” according to information security experts.

It is also known that the malware usually steals company data before encrypting files, and the operators then demand a ransom for that data as well. The Maze cartel, for example, operates in the same way.

Now Deep Instinct experts have described another notable feature of the encryptor. It turned out that the malware carefully isolates the infected machine so that nothing interferes with the file encryption process. To do this, Snake’s developers “taught” their malware to enable and disable the Windows firewall and to use specific commands to block unwanted connections to the system.

“Before starting encryption, Snake uses the Windows firewall to block any incoming or outgoing network connections to the victim’s computer that are not listed in the firewall settings. For this purpose, the netsh tool built into Windows is used,” the experts write.

Additionally, the malware searches for processes that could interfere with encryption and terminates them. This applies to industrial application processes, security tools, and backup solutions. Snake also deletes shadow copies to make data recovery more difficult.
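The three host-level behaviours described above (a netsh firewall policy change that blocks traffic, the later switching-off of the firewall, and shadow-copy deletion) are all visible in process-creation telemetry. The following detection logic is an added example, not code from the article or from Deep Instinct or Fortinet; the sample records, hostnames and exact command lines are constructed assumptions in the shape of Sysmon Event ID 1 / Security 4688 fields.

```python
import re
from datetime import datetime
# Constructed process-creation records; not taken from the article or from any real incident.
SAMPLE_EVENTS = [
    {"host": "ws01", "ts": "2020-06-01T10:00:01", "cmdline":
     "netsh advfirewall set allprofiles firewallpolicy blockinboundalways,blockoutbound"},
    {"host": "ws01", "ts": "2020-06-01T10:00:02", "cmdline":
     "vssadmin delete shadows /all /quiet"},
    {"host": "ws02", "ts": "2020-06-01T10:00:03", "cmdline":
     "netsh advfirewall show allprofiles"},
    {"host": "ws01", "ts": "2020-06-01T10:30:00", "cmdline":
     "netsh advfirewall set allprofiles state off"},
]
# Each rule maps a behaviour described in the article to an assumed command-line pattern.
RULES = [
    ("firewall_lockdown",
     re.compile(r"netsh\s+advfirewall\s+set\s+\w+\s+firewallpolicy\s+\S*block", re.I)),
    ("firewall_disabled",
     re.compile(r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I)),
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
]

def classify(cmdline):
    """Return the name of the first rule the command line matches, or None."""
    for name, pattern in RULES:
        if pattern.search(cmdline):
            return name
    return None

def detect(events):
    """Return (host, timestamp, rule) for every event that matches a rule."""
    hits = []
    for e in events:
        name = classify(e["cmdline"])
        if name:
            hits.append((e["host"], e["ts"], name))
    return hits

def correlate(events, window_seconds=600):
    """Hosts where a firewall lockdown is followed by shadow-copy deletion within the window."""
    lockdown, flagged = {}, set()
    for host, ts, rule in sorted(detect(events), key=lambda h: h[1]):
        t = datetime.fromisoformat(ts)
        if rule == "firewall_lockdown":
            lockdown[host] = t
        elif (rule == "shadow_copy_deletion" and host in lockdown
              and (t - lockdown[host]).total_seconds() <= window_seconds):
            flagged.add(host)
    return sorted(flagged)
```

A single rule hit may be routine administration; the correlation of a lockdown followed shortly by shadow-copy deletion on the same host is the signal worth paging on.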

Fortinet researchers, who recently published their own report on Snake, note that after completing encryption the malware usually disables the firewall again. They also point out that the ransomware prefers to attack domain controllers, which it seeks out on the network after the initial infection; to find them, Snake uses WMI queries to determine the roles of the various machines on the network.

Fortinet warns that if a domain controller is compromised, Snake is able to interfere with authentication requests in the domain, which can seriously affect users.


About the author

Emma Davis

I'm a writer and content manager (a short time ago I completed a bachelor's degree in Marketing at Gustavus Adolphus College). For now, I have a deep drive to study cyber security.
