Snake ransomware, also known as Ekans, targets manufacturers. It can infect an entire network before activating, which makes it a potentially crippling form of ransomware
The alternative name for the ransomware, Ekans, is “snake,” spelled backward. Early targets of Snake were Honda and Enel Group, an Italian energy conglomerate. Sentinel Labs first identified the ransomware in January 2020. To date, ransomware has attacked targets in the USA, China, Japan, and Germany.
Snake ransomware has changed since its first attack. That incident attacked a hospital and included data theft. Then, the hackers started to release captured data, which included patient information. The disclosure of personally identifiable information (PII) is a disaster for businesses because it opens them to prosecution and litigation.
After that hospital attack, the hackers turned to industrial targets and stopped seeking PII to publish.
How does Snake ransomware get onto a computer?
Snake ransomware gets access to one endpoint on a network using remote desktop protocol (RDP). This system enables people to view their office computers from a different location over the internet. RDP is also used by the help desk and system maintenance technicians to access computers for investigation and problem-solving.
RDP can be shut down on a computer, thus closing its port and making it invulnerable to Snake ransomware. As a result, many businesses need to use RDP. However, in these cases, RDP access should be password protected with a complex password.
Not every system administrator realizes that RDP ports are open on their systems. This situation can sometimes be created by software packages when they are installed. In these automatic RDP setups, the access to RDP is either unprotected or with a commonly-used password, such as password or 12345.
Snake knows about these weak passwords and works through a dictionary of possible values. Then, it will research all of the other devices on the network and spread, using RDP again when it gets into one device.
Snake ransomware attacks have not been widespread. This indicates that the attack victim selection is not incidental or automated. That is, this system doesn’t just pass around the world hoping to gain access to any system. Businesses are targeted, and the initial access is probably implemented manually as an intrusion. The package for the ransomware is probably loaded onto at least one target on the victim network manually. Snake ransomware doesn’t need Administrator privileges, but if it is possible to break into an account with elevated privileges, it will use it.
What happens in a Snake ransomware attack?
Snake is looking for industrial applications that use a protocol called SCADA. Supervisory Control and Data Acquisition is used to control industrial equipment, check on sensors, control fluid processing, and operate electricity controls in substations. Rather than directly controlling those industrial devices, the Snake ransomware seeks to encrypt the control instructions by encrypting them.
When Snake ransomware identifies an industrial control system (ICS) running on an endpoint, it kills all monitoring and AV processes. It will also destroy all remote management systems and operating communications with shopfloor equipment. In addition, it terminates VM processes and most other network-related software.
The Snake ransomware isolates the device or the entire network by altering firewall rules to block all traffic except its own. Snake next deletes all shadow copies of files. These are the files created by the Autosave function in many applications.
The Snake encryption process
Once the initial preparation phase has been completed, Snake ransomware begins its encryption process. The targets for encryption are all data files. Executables and system files are not touched, so the computer will still be fully functional.
As each file is encrypted, the contents are saved with the original name to overwrite the stored file and make it unrecoverable. The file name is then changed with the step staying the same, but a random five-character string supplements the extension. So, for example, A4702.txt would become A4702.txtDfreG.
Snake ransomware generates a new encryption key for each file. It uses AES-256 encryption. An attack can result in many keys, which all need to be stored along with the original file names to be decrypted eventually. This information is written to a file. At the end of the encryption phase, the reference file is encrypted by an RSA-2048 cipher. The ransomware also appends the charters EKANS to the end of the file’s contents.
The encryption strategy for the Snake ransomware means that you could reverse the encryption if you could get into that file with the list of all of the AES encryption keys used during the attack. But, unfortunately, that file itself is encrypted.
You might be able to identify the encryption key for the RSA encryption. However, this will do you no good because the RSA system requires a key that is different from the encryption key to decrypt files. It isn’t possible to crack RSA-2048 keys through brute force. Therefore, you have two options after a Snake ransomware attack: pay the ransom or delete all encrypted files and restore from backup.
The Snake ransom
RSA encryption requires two keys: a public key for encryption and a private key for decryption. An exciting feature of Snake ransomware is that it doesn’t need the victim to pass a reference number to the hackers when negotiating the ransom. However, many hackers use RSA encryption for ransomware. The attack program either generates a reference number or shows the encryption key in the ransom note and tells the victim to copy this into communication with the hacker.
By using the public key as a reference, the hackers can reference the associated decryption key. Snake ransomware doesn’t require that. This shows that Snake is a very low volume targeted attack system. The hackers don’t expect their attack software to be propagating around the world, infecting systems opportunistically. They know exactly who is currently infected, and they are waiting to hear from someone from that one company. That’s why they don’t need a reference number.
The ransom note is left as a text file on the text file, called Fix-Your-Files.txt. The ransom note reads:
| What happened to your files?
---------------
We breached your corporate network and encrypted the data on your computers. The encrypted data includes documents, databases, photos, and more -
all were encrypted using military-grade encryption algorithms (AES-256 and RSA-2048). You cannot access those files right now. But don’t worry!
You can still get those files back and be up and running again in no time.
---------------
| How to contact us to get your files back?
---------------
The only way to restore your files is by purchasing a decryption tool loaded with a private key we created specifically for your network.
Once run on an affected computer, the tool will decrypt all encrypted files - and you can resume day-to-day operations, preferably with
better cybersecurity in mind. If you are interested in purchasing the decryption tool, contact us at bapcocrypt@ctemplar.com.
---------------
| How can you be sure we have the decryption tool?
---------------
In your mail to us, attach up to 3 files (up to 3MB, no databases or spreadsheets).
We will send them back to you decrypted.
The good news is that all industrial targets of Snake ransomware recovered from the attacks unscathed. None have admitted to paying the ransom.
Preventing Snake ransomware attacks
Step one in protecting your system from attack by Snake ransomware is to close all RDP ports. If you do need them to be open for remote operations, ensure that they are password protected. Industrial applications tend to be less security conscious than office systems. Suppose you run an automated manufacturing system that relies on unprotected RDP ports or RDP access with bog-standard passwords. In that case, you need to persuade your system provider to close up that weakness quickly or consider switching software.
Your second line of defense lies in tight account control and activity tracking. You should back up your manufacturing command files regularly. One benefit of industrial systems is that designs and machine instructions don’t change very frequently.
Ensure that you use backup management software that scans all files for malware infection before they are uploaded.
Tools for protection against Snake ransomware
When protecting against any ransomware attack, your key strategies need to be tight user account monitoring and a robust backup strategy. Here are three systems that you should look into to protect your system against Snake ransomware and all malicious activity.
1. CrowdStrike Falcon Insight (FREE TRIAL)
CrowdStrike Falcon Insight uses AI processes to monitor user account activity on endpoints and look for unexpected events on the endpoints. This machine learning strategy is called user and entity behavior analytics (UEBA) and is a key attribute of a next-generation antivirus system.
Each device on your system will have a unit called Falcon Prevent installed on it. In addition, a coordinating module in the cloud, You should look into three systems the heart of the Falcon Insight system, which provides threat intelligence to the endpoint monitors.
This system can work even when all communications with the cloud controller get blocked by the Snake ransomware. The agent will identify the pre-attack activities of Snake ransomware, suspend the accounts that it has accessed, isolate the device from the network, and kill the ransomware processes.
You can get a 15-day free trial of Falcon Insight.
2. ManageEngine Log360
ManageEngine Log360 is a threat intelligence platform that is an ideal defense against the intruder-driven attacks of Snake ransomware. This system includes a threat intelligence feed, and ManageEngine already knows how Snake ransomware operates so that the service will spot attacks easily. In addition, log360 functions as a SIEM, checking through log files for indicators of compromise.
As well as gathering log files, this system pays close attention to Active Directory and the user account structure. The tool also covers cloud systems provided by AWS, Azure, and Exchange Online. Log360 also monitors and interacts with firewalls, so it will prevent the network isolation routine of Snake ransomware from happening.
Any of the typical events of Snake ransomware will trigger a search for subsequent actions. Snake uses a set of procedures, but because the attacks are usually very customized and manually implemented, those attack tools can get triggered in any order. Log360 is ready for that.
Log360 is a software package that runs on Windows and Windows Server, and you can get a 30-day free trial of the tool. There is a permanently free version available that is limited to collecting log data from just five sources. The free trial is of the full version of Log360.
3. BitDefender GravityZone
BitDefender GravityZone is a comprehensive package of security tools. It covers just about every aspect of system security that needs to be monitored to prevent a Snake ransomware attack. In addition, the package includes malware checks at many different points on the system, not just on endpoints.
GravityZone includes a vulnerability manager that will spot issues such as insecure ports and looking for out-of-date software versions. In addition, the bundle consists of a file integrity monitor that will trigger an alert as soon as encryption begins. However, all of the other firebreaks in the GravityZone package mean that Snake ransomware will never get that far into its attack cycle.
An essential module in the GravityZone package is its backup management system. Not only does this ensure that all of your files are available for recovery, but it pre-scans all files for malware infection before uploading them. This tool puts you in an excellent position for recovering from any ransomware attack without having to pay the ransom.
GravityZone runs as a virtual appliance, and it is available for a one-month free trial.
L’article What is Snake Ransomware & How to Protect Against It? est apparu en premier sur Comparitech.
0 Commentaires