In January, a new wave of attacks targeted companies. SentinelOne had also discovered that Snake ransomware targets processes and files related to industrial control systems (ICS).
The ransomware's creators did not take any action when the coronavirus began to spread; however, on May 4 a new operation was launched against large companies around the world.
Snake ransomware works by stopping certain processes, including those associated with ICS, in order to encrypt the relevant files.
However, in the latest ransomware samples, the ability to enable and disable the firewall has been observed, as well as the use of certain commands, so that no connections can be made to the system.
"Before the encryption begins, Snake will use the Windows firewall to exclude any incoming and outgoing network connections to the victim's machine that have not been configured on the firewall. The built-in Windows netsh tool will be used for this purpose," Deep Instinct researchers said. "Disconnected from the outside world, Snake will then stop the processes that may affect encryption. The list includes ICS-related procedures and several security solutions and backups."
The ransomware stops any process that could affect encryption, including those related to industrial software, backup solutions and, of course, security tools. The malicious software then deletes shadow copies, preventing files from being recovered.
Once it completes these actions, it begins the encryption process. The files it targets are mainly critical folders, as well as databases, documents, extension files, and more.
The malicious software adds a random five-character string to the extension of encrypted files and the word Ekans at the end of the file.
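The two file-level traces described above (five extra characters on the extension, and the word Ekans at the end of the file) can be checked during triage. The following is an added example, not code from SentinelOne or Deep Instinct; the extension list, the case-insensitive match on the trailer and the sample files are assumptions constructed for illustration.

```python
import os
import re
import tempfile

MARKER = b"ekans"  # trailer word named in the article; case-insensitive match is an assumption
# Assumption: a familiar extension with exactly five alphanumerics appended to it.
KNOWN_EXTS = ("docx", "xlsx", "pdf", "sql", "mdb", "txt", "jpg")
EXT_RE = re.compile(r"\.(%s)[A-Za-z0-9]{5}$" % "|".join(KNOWN_EXTS), re.IGNORECASE)

def has_trailer(path, marker=MARKER):
    """True if the final bytes of the file equal the marker (read-only check)."""
    if os.path.getsize(path) < len(marker):
        return False  # too short to carry the trailer, e.g. an empty file
    with open(path, "rb") as fh:
        fh.seek(-len(marker), os.SEEK_END)
        return fh.read(len(marker)).lower() == marker

def classify(path):
    """Combine both indicators: two hits are strong, one hit needs a human look."""
    name_hit = EXT_RE.search(os.path.basename(path)) is not None
    try:
        trailer_hit = has_trailer(path)
    except OSError:
        trailer_hit = False  # unreadable or locked file: fall back to the name only
    if name_hit and trailer_hit:
        return "likely-encrypted"
    return "review" if (name_hit or trailer_hit) else "clean"

def scan(root):
    """Walk a directory tree and return {relative path: verdict} for non-clean files."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            verdict = classify(full)
            if verdict != "clean":
                hits[os.path.relpath(full, root)] = verdict
    return hits

def demo():
    """Run the scan over constructed sample files in a temporary directory."""
    samples = {
        "report.docxQwErT": b"\x8f\x11\x02 constructed ciphertext " + b"EKANS",
        "ledger.xlsxAbCdE": b"renamed but no trailer",
        "blob.bin": b"trailer only EKANS",
        "notes.txt": b"ordinary text file",
        "empty.pdf": b"",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return scan(root)
```
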
Although the basic scenario of ransomware is to encrypt important files and demand a ransom to restore them, the methods used, and their creators, continue to evolve over time.