Acronis Cyber Protect
formerly Acronis Cyber Backup

Ransomware continues to be a very active, always evolving threat. One of the newest strains to emerge is Snake (also known as EKANS, which is simply “Snake” spelled backward).

First appearing at the end of December last year, the most interesting feature of Snake is that it targets industrial control systems (ICS) environments – not the individual machines, but the entire network.

The obfuscated ransomware sample, which was written in the Go programming language, was first observed in commercial malware repositories. It is designed to terminate specific processes on victim machines, including multiple items related to ICS operations, as well as delete Volume Shadow Copies to eliminate Window backups. 

While there is currently no decryption available, systems that are running Acronis Active Protection – the AI-based anti-malware defense that is integrated into our cyber protection solutions – successfully detects Snake ransomware as a zero-day attack and stops it in its tracks.

Infection process and some technical details

The point of entry for Snake is an insecure RDP configuration. It is distributed via spam and malicious attachments, but also can be delivered via botnets, exploit packs, malicious ads, web injections, fake updates, and repackaged and infected installers.

According to our analysis, when executed, Snake will remove the computer's Shadow Volume Copies and then kill numerous processes related to SCADA systems, virtual machines, industrial control systems, remote management tools, network management software, and so on. Deleting Windows backup copies is a set-up trend and expected functionality in any new ransomware.

The ransomware checks for the existence of a Mutex value “EKANS” on the victim. If present, the ransomware will stop with a message “Already encrypted!”. Otherwise, the Mutex value is set and the encryption moves forward using standard encryption library functions. Primary functionality on victim systems is achieved via Windows Management Interface (WMI) calls, which begins executing encryption operations.

Before proceeding to file encryption operations, the ransomware force stops (kills) any processes listed in a hard-coded list within the malware’s encoded strings. A full list with assessed process function or relationship is provided as follows: 

Process
Description
bluestripecollector.exe
BlueStripe Data Collector
ccflic0.exe
Proficy Licensing
ccflic4.exe
Proficy Licensing
cdm.exe
Nimsoft Related
certificateprovider.exe
Ambiguous
client.exe
Ambiguous
client64.exe
Ambiguous
collwrap.exe
BlueStripe Data Collector
config_api_service.exe
ThingWorx Industrial Connectivity Suite, Ambiguous
dsmcsvc.exe
Tivoli Storage Manager Client
epmd.exe
RabbitMQ Server (SolarWinds)
erlsrv.exe
Erlang
fnplicensingservice.exe
FLEXNet Licensing Service
hasplmv.exe
Sentinel Hasp License Manager
hdb.exe
Honeywell HMIWeb
healthservice.exe
Microsoft SCCM
ilicensesvc.exe
GE Fanuc Licensing
inet_gethost.exe
Erlang
keysvc.exe
Ambiguous
managementagenthost.exe
VMWare CAF Management Agent Service
monitoringhost.exe
Microsoft SCCM
msdtssrvr.exe
Microsoft SQL Server Integration Service
msmdsrv.exe
Microsoft SQL Server Analysis Services
musnotificationux.exe
Microsoft Update Notification Service
n.exe
Ambiguous
nimbus.exe
Broadcom Nimbus
npmdagent.exe
Microsoft OMS Agent
ntevl.exe
Nimsoft Monitor
ntservices.exe
Ambiguous
pralarmmgr.exe
Proficy Related
prcalculationmgr.exe
Proficy Historian Data Calculation Service
prconfigmgr.exe
Proficy Related
prdatabasemgr.exe
Proficy Related
premailengine.exe
Proficy Related
preventmgr.exe
Proficy Related
prftpengine.exe
Proficy Related
prgateway.exe
Proficy Secure Gateway
prlicensemgr.exe
Proficy License Server Manager
proficy administrator.exe
Proficy Related
proficyclient.exe
Proficy Related
proficypublisherservice.exe
Proficy Related
proficyserver.exe
Proficy Server
proficysts.exe
Proficy Related
prprintserver.exe
Proficy Related
prproficymgr.exe
Proficy Plant Applications
prrds.exe
Proficy Remote Data Service
prreader.exe
Proficy Historian Data Calculation Service
prrouter.exe
Proficy Related
prschedulemgr.exe
Proficy Related
prstubber.exe
Proficy Related
prsummarymgr.exe
Proficy Related
prwriter.exe
Proficy Historian Data Calculation Service
reportingservicesservice.exe
Microsoft SQL Server Reporting Service
server_eventlog.exe
Proficy Event Log Service, Ambiguous
server_runtime.exe
Proficy Related, Ambiguous
spooler.exe
Ambiguous
sqlservr.exe
Microsoft SQL Server
taskhostw.exe
Windows OS
vgauthservice.exe
VMWare Guest Authentication Service
vmacthlp.exe
VMWare Activation Helper
vmtoolsd.exe
VMWare Tools Service
win32sysinfo.exe
RabbitMQ
winvnc4.exe
WinVNC Client
workflowresttest.exe
Ambiguous

While encrypting files on infected machine, it will skip the ones located in Windows system folders:

SystemDrive :\$Recycle.Bin :\ProgramData :\Users\All Users :\Program Files :\Local Settings :\Boot :\System Volume Information :\Recovery \AppData\

  • windir

It will append a random five-character string to an encrypted file extension, as well as 'EKANS' file marker. The encryption process is typically slow and, in cases of actual infection, done in non-working hours.

After finishing the encryption process, it will drop a ransom note named “Fix-Your-Files.txt”

Acronis
Snake Ransomware Note

User access to the encrypted system is maintained throughout the process, and the system does not reboot, shutdown, or close remote access channels. This differentiates Snake/ EKANS from more disruptive ransomware such as the LockerGoga. The email address in the ransomware uses a privacy-focused email service similar to Protonmail, called CTemplar. 

Acronis Active Protection detects from day zero

Whereas previously ICS-specific or ICS-related malware was solely the playground of state-sponsored entities, Snake / EKANS appears to indicate that cybercriminals pursuing financial gain are now involved in this space as well. While this ransomware is still being analyzed for weaknesses, at this moment any data affected by it cannot be decrypted.

The good news is that Acronis Active Protection is able to detect Snake and stop the malicious process in real-time, while also reverting any affected files. We only can imagine how much damage can be done if this strain makes its way into industrial environments, paralyzing traffic control systems or energy plants.

Acronis
Detecting Snake Ransomware
Acronis
Preventing attackes of Snake ransomware
Acronis
Author
Alexander Ivanyuk
Senior Director, Technology
Alexander joined Acronis in 2016 as Global Director, Product and Technology Positioning. At this role Alexander is directly involved into all product launches in terms of messaging, go-to-market strategy and overall positioning including partner relations.

About Acronis

A Swiss company founded in Singapore in 2003, Acronis has 15 offices worldwide and employees in 50+ countries. Acronis Cyber Protect Cloud is available in 26 languages in 150 countries and is used by over 20,000 service providers to protect over 750,000 businesses.

More from Acronis