Snake/EKANS Ransomware Attacks Industrial Control Systems: Acronis Stops It

Snake Ransomware Attacking ICS

Ransomware continues to be a very active, always evolving threat. One of the newest strains to emerge is Snake (also known as EKANS, which is simply “Snake” spelled backward).

Snake first appeared at the end of December 2019. Its most notable feature is that it targets industrial control system (ICS) environments, aiming at the whole network rather than at individual machines.

The obfuscated sample, written in the Go programming language, was first observed in commercial malware repositories. It is designed to terminate specific processes on victim machines, including many related to ICS operations, and to delete Volume Shadow Copies so that Windows' own backups cannot be used for recovery.

While no decryptor is currently available, systems running Acronis Active Protection – the AI-based anti-malware defense integrated into our cyber protection solutions – detect Snake as a zero-day attack and stop it in its tracks.

Infection process and some technical details

The typical point of entry for Snake is an insecure RDP configuration. Like other ransomware, it is also distributed via spam and malicious attachments, and can be delivered through botnets, exploit kits, malicious ads, web injects, fake updates, and repackaged or infected installers.

According to our analysis, when executed Snake removes the computer's Volume Shadow Copies and then kills numerous processes related to SCADA systems, virtual machines, industrial control systems, remote management tools, network management software, and so on. Deleting Windows backup copies is by now an established pattern and expected functionality in any new ransomware.

The ransomware checks whether a mutex named “EKANS” already exists on the victim. If it does, the ransomware exits with the message “Already encrypted!”; otherwise it creates the mutex and proceeds with encryption using standard cryptographic library functions. Much of its activity on the victim system is carried out through Windows Management Instrumentation (WMI) calls, after which the encryption routine starts.

Before proceeding to file encryption operations, the ransomware force stops (kills) any processes listed in a hard-coded list within the malware’s encoded strings. A full list with assessed process function or relationship is provided as follows: 

Process                       Description
bluestripecollector.exe       BlueStripe Data Collector
ccflic0.exe                   Proficy Licensing
ccflic4.exe                   Proficy Licensing
cdm.exe                       Nimsoft related
certificateprovider.exe       Ambiguous
client.exe                    Ambiguous
client64.exe                  Ambiguous
collwrap.exe                  BlueStripe Data Collector
config_api_service.exe        ThingWorx Industrial Connectivity Suite, ambiguous
dsmcsvc.exe                   Tivoli Storage Manager Client
epmd.exe                      Erlang Port Mapper Daemon (RabbitMQ, used by SolarWinds Orion)
erlsrv.exe                    Erlang
fnplicensingservice.exe       FlexNet Licensing Service
hasplmv.exe                   Sentinel HASP License Manager
hdb.exe                       Honeywell HMIWeb
healthservice.exe             Microsoft System Center Operations Manager (SCOM) agent
ilicensesvc.exe               GE Fanuc Licensing
inet_gethost.exe              Erlang
keysvc.exe                    Ambiguous
managementagenthost.exe       VMware CAF Management Agent Service
monitoringhost.exe            Microsoft System Center Operations Manager (SCOM) agent
msdtssrvr.exe                 Microsoft SQL Server Integration Services
msmdsrv.exe                   Microsoft SQL Server Analysis Services
musnotificationux.exe         Microsoft Update Notification UX
n.exe                         Ambiguous
nimbus.exe                    Broadcom Nimbus
npmdagent.exe                 Microsoft OMS Agent (Network Performance Monitor)
ntevl.exe                     Nimsoft Monitor
ntservices.exe                Ambiguous
pralarmmgr.exe                Proficy related
prcalculationmgr.exe          Proficy Historian Data Calculation Service
prconfigmgr.exe               Proficy related
prdatabasemgr.exe             Proficy related
premailengine.exe             Proficy related
preventmgr.exe                Proficy related
prftpengine.exe               Proficy related
prgateway.exe                 Proficy Secure Gateway
prlicensemgr.exe              Proficy License Server Manager
proficy administrator.exe     Proficy related
proficyclient.exe             Proficy related
proficypublisherservice.exe   Proficy related
proficyserver.exe             Proficy Server
proficysts.exe                Proficy related
prprintserver.exe             Proficy related
prproficymgr.exe              Proficy Plant Applications
prrds.exe                     Proficy Remote Data Service
prreader.exe                  Proficy Historian Data Calculation Service
prrouter.exe                  Proficy related
prschedulemgr.exe             Proficy related
prstubber.exe                 Proficy related
prsummarymgr.exe              Proficy related
prwriter.exe                  Proficy Historian Data Calculation Service
reportingservicesservice.exe  Microsoft SQL Server Reporting Services
server_eventlog.exe           Proficy Event Log Service, ambiguous
server_runtime.exe            Proficy related, ambiguous
spooler.exe                   Ambiguous (the Windows print spooler is spoolsv.exe)
sqlservr.exe                  Microsoft SQL Server
taskhostw.exe                 Windows OS
vgauthservice.exe             VMware Guest Authentication Service
vmacthlp.exe                  VMware Activation Helper
vmtoolsd.exe                  VMware Tools Service
win32sysinfo.exe              RabbitMQ
winvnc4.exe                   RealVNC (WinVNC4) server
workflowresttest.exe          Ambiguous
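The two pre-encryption steps described above, shadow-copy deletion and the process kill list, are what a detection engineer can alarm on before a single file is touched. The following Python is an added example, not Acronis code: it carries the 64 image names from the table and flags (a) process creations whose command line deletes shadow copies and (b) hosts on which several kill-list processes terminate inside one short window. The page does not say which WMI call Snake uses for the deletion, so the command-line patterns are generic ransomware tradecraft rather than Snake-specific indicators, and the event shape and sample lines are constructed for the demonstration.

```python
"""Flag the pre-encryption behaviour this page describes for Snake/EKANS: deletion
of Volume Shadow Copies and mass termination of processes on its kill list.
Added example; telemetry below is constructed, not captured from an incident."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The 64 image names from the table above, lower-cased for comparison.
KILL_LIST = frozenset("""
bluestripecollector.exe ccflic0.exe ccflic4.exe cdm.exe certificateprovider.exe
client.exe client64.exe collwrap.exe config_api_service.exe dsmcsvc.exe epmd.exe
erlsrv.exe fnplicensingservice.exe hasplmv.exe hdb.exe healthservice.exe
ilicensesvc.exe inet_gethost.exe keysvc.exe managementagenthost.exe
monitoringhost.exe msdtssrvr.exe msmdsrv.exe musnotificationux.exe n.exe
nimbus.exe npmdagent.exe ntevl.exe ntservices.exe pralarmmgr.exe
prcalculationmgr.exe prconfigmgr.exe prdatabasemgr.exe premailengine.exe
preventmgr.exe prftpengine.exe prgateway.exe prlicensemgr.exe proficyclient.exe
proficypublisherservice.exe proficyserver.exe proficysts.exe prprintserver.exe
prproficymgr.exe prrds.exe prreader.exe prrouter.exe prschedulemgr.exe
prstubber.exe prsummarymgr.exe prwriter.exe reportingservicesservice.exe
server_eventlog.exe server_runtime.exe spooler.exe sqlservr.exe taskhostw.exe
vgauthservice.exe vmacthlp.exe vmtoolsd.exe win32sysinfo.exe winvnc4.exe
workflowresttest.exe
""".split()) | {"proficy administrator.exe"}   # contains a space, so added separately

# Common command-line routes to shadow-copy deletion. The page says Snake works
# through WMI but not which call, so this is generic ransomware tradecraft.
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows"
    r"|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|win32_shadowcopy.*\bdelete\b",
    re.IGNORECASE,
)


def shadow_copy_deletions(events):
    """(host, command line) for every process creation that deletes shadow copies."""
    return [(host, detail) for _, host, kind, detail in events
            if kind == "process_created" and SHADOW_DELETE.search(detail)]


def kill_list_hits(events, window=timedelta(seconds=60), threshold=3):
    """{host: sorted images} for hosts on which at least `threshold` kill-list
    processes were terminated inside one sliding `window`. A single hit is noise:
    taskhostw.exe, spooler.exe and client.exe exit legitimately all the time."""
    per_host = defaultdict(list)
    for ts, host, kind, detail in events:
        if kind == "process_terminated" and detail.lower() in KILL_LIST:
            per_host[host].append((datetime.fromisoformat(ts), detail.lower()))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.setdefault(host, set()).update(img for _, img in hits[start:end + 1])
    return {host: sorted(imgs) for host, imgs in alerts.items()}


# Constructed telemetry in a simplified (timestamp, host, event, detail) shape;
# map your EDR or Sysmon fields onto it.
SAMPLE_EVENTS = [
    ("2020-01-07T02:14:00", "hist01", "process_created", "vssadmin.exe delete shadows /all /quiet"),
    ("2020-01-07T02:14:03", "hist01", "process_terminated", "prlicensemgr.exe"),
    ("2020-01-07T02:14:04", "hist01", "process_terminated", "proficyserver.exe"),
    ("2020-01-07T02:14:05", "hist01", "process_terminated", "sqlservr.exe"),
    ("2020-01-07T02:14:09", "hist01", "process_terminated", "vmtoolsd.exe"),
    ("2020-01-07T02:14:11", "hist01", "process_terminated", "notepad.exe"),
    ("2020-01-07T09:30:00", "eng02", "process_created", "vssadmin.exe list shadows"),
    ("2020-01-07T09:31:00", "eng02", "process_terminated", "taskhostw.exe"),
    ("2020-01-07T10:45:00", "eng02", "process_terminated", "spooler.exe"),
]

if __name__ == "__main__":
    print("shadow copy deletion:", shadow_copy_deletions(SAMPLE_EVENTS))
    print("kill-list bursts:", kill_list_hits(SAMPLE_EVENTS))
```

Tune the window and threshold against your own baseline: taskhostw.exe, spooler.exe and client.exe are on the list but exit legitimately, so one termination should never page anyone; four Proficy or SQL Server processes dying within seconds of a vssadmin delete is another matter.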

While encrypting files on the infected machine, it skips those located in the following Windows system locations:

  • SystemDrive

  • :\$Recycle.Bin

  • :\ProgramData

  • :\Users\All Users

  • :\Program Files

  • :\Local Settings

  • :\Boot

  • :\System Volume Information

  • :\Recovery

  • \AppData\

  • windir

Each encrypted file gets a random five-character string appended to its extension and is marked with the string 'EKANS'. Encryption is comparatively slow, and in observed infections it was run outside working hours.

After finishing the encryption process, it drops a ransom note named “Fix-Your-Files.txt”.

Snake Ransomware Note

User access to the encrypted system is maintained throughout the process, and the system does not reboot, shut down, or close remote access channels. This differentiates Snake/EKANS from more disruptive ransomware such as LockerGoga. The contact email address in the ransom note is hosted on CTemplar, a privacy-focused email service similar to ProtonMail.
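The file-side artifacts above (the skipped directories, the five random characters appended to the extension, the 'EKANS' marker and the Fix-Your-Files.txt note) are what an incident responder looks for on a suspect drive. The following Python is an added example, not Acronis code, that applies them to a directory tree treated as the drive root. Its assumptions, none of which the page states outright: the marker sits at the very end of each encrypted file, the five characters are appended to the existing extension, "SystemDrive" is read as files directly in the drive root and "windir" as the Windows folder, and every skip name is matched as a directory name at any depth. The sample tree is constructed for the demonstration.

```python
"""Look for the file-side artifacts this page attributes to Snake/EKANS: the ransom
note, files ending in the 'EKANS' marker, and the five random characters appended
to the extension. Added example with constructed sample data, not Acronis code."""
import os
import tempfile

RANSOM_NOTE = "fix-your-files.txt"
MARKER = b"EKANS"          # assumed to sit at the very end of each encrypted file
SUFFIX_LEN = 5             # random characters appended to the original extension

# Directory names Snake skips, from the list above. "SystemDrive" is read as files
# directly in the drive root and "windir" as the Windows folder; names are matched
# as a path component at any depth. Both readings are assumptions.
SKIP_NAMES = {n.lower() for n in (
    "$Recycle.Bin", "ProgramData", "All Users", "Program Files", "Local Settings",
    "Boot", "System Volume Information", "Recovery", "AppData", "Windows")}


def is_skipped(rel_parts):
    """rel_parts: path components of the file relative to the drive root."""
    if len(rel_parts) == 1:                 # file directly in the drive root
        return True
    return any(p.lower() in SKIP_NAMES for p in rel_parts[:-1])


def has_marker(path):
    """True if the file ends with the EKANS marker bytes."""
    try:
        with open(path, "rb") as f:
            f.seek(0, os.SEEK_END)
            if f.tell() < len(MARKER):
                return False
            f.seek(-len(MARKER), os.SEEK_END)
            return f.read() == MARKER
    except OSError:
        return False


def original_name(name):
    """Strip the five appended characters: 'report.docxQkTbe' -> 'report.docx'."""
    return name[:-SUFFIX_LEN] if len(name) > SUFFIX_LEN else name


def scan(root):
    """Walk root (treated as the drive root); return relative paths of ransom notes
    and marker-bearing files, plus how many files were skipped as Snake would."""
    found = {"ransom_notes": [], "encrypted": [], "skipped": 0}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if is_skipped(rel.split(os.sep)):
                found["skipped"] += 1
                continue
            rel = rel.replace(os.sep, "/")
            if name.lower() == RANSOM_NOTE:
                found["ransom_notes"].append(rel)
            elif has_marker(full):
                found["encrypted"].append(rel)
    for key in ("ransom_notes", "encrypted"):
        found[key].sort()
    return found


def build_sample_tree():
    """Constructed sample tree standing in for a victim drive (not real data)."""
    root = tempfile.mkdtemp(prefix="ekans-demo-")

    def put(rel, data):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)

    put("Users/alice/Documents/report.docxQkTbe", b"\x8a\x13ciphertext..." + MARKER)
    put("Users/alice/Documents/Fix-Your-Files.txt", b"ransom note text")
    put("Users/alice/Documents/notes.txt", b"plain, untouched")
    put("Users/alice/AppData/Local/cache.binAbCdE", b"x" + MARKER)  # skipped: AppData
    put("Program Files/App/app.exe", b"MZ")                          # skipped: Program Files
    put("pagefile.sys", b"\x00")                                     # skipped: drive root
    return root


if __name__ == "__main__":
    result = scan(build_sample_tree())
    for rel in result["encrypted"]:
        print(f"encrypted: {rel} (was {original_name(os.path.basename(rel))})")
    print("ransom notes:", result["ransom_notes"], "skipped:", result["skipped"])
```

Run it against a mounted forensic image rather than the live host, and adjust the marker check if your sample places the string elsewhere: the page only says the marker is present, not where.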

Acronis Active Protection detects from day zero

Whereas ICS-specific or ICS-related malware was previously the playground of state-sponsored groups alone, Snake/EKANS indicates that financially motivated cybercriminals are now active in this space as well. The ransomware is still being analyzed for weaknesses, but at the moment data affected by it cannot be decrypted.

The good news is that Acronis Active Protection detects Snake and stops the malicious process in real time, while also reverting any affected files. We can only imagine how much damage this strain could do if it made its way into industrial environments and paralyzed traffic control systems or energy plants.

Detecting Snake Ransomware

Preventing Snake ransomware attacks