The Snake ransomware (aka EKANS) was first discovered by information security specialists in January 2020, and over the past few months it has become a very common threat to industrial control systems (ICS), since the malware targets processes specific to these environments. For example, last month it was reported that Honda had been hit by this ransomware.
One of the features of Snake is the termination of processes from a prepared list, including processes related to ICS. It is also known that the malware usually steals company data before encrypting files, after which the ransomware operators demand a ransom for this information.
Now experts at Deep Instinct have described another interesting feature of the encryptor. It turns out that the malware carefully isolates infected machines so that nothing interferes with the file encryption process. To do this, the Snake developers “taught” their malware to enable and disable the firewall and to use special commands to block unwanted connections to the system.
“Before starting encryption, Snake uses the Windows firewall to block any incoming or outgoing network connections to the victim’s computer that are not listed in the firewall settings. For this purpose, the netsh tool built into Windows is used,” the experts write.
The malware also searches for processes that could interfere with the encryption process and terminates them. This applies to industrial application processes, security tools, and backup solutions. Snake also removes shadow copies to make data recovery more difficult.
Fortinet experts, who recently published their own report on Snake, note that after completing encryption the malware usually disables the firewall again. In addition, Fortinet researchers point out that the ransomware prefers to attack domain controllers, which it singles out on the network after the initial infection. For this purpose, Snake uses WMI queries to determine the roles of the various machines on the network.
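The three pre-encryption behaviours described above (firewall lockdown through netsh, shadow copy removal, and WMI-based host role discovery) all surface in process-creation telemetry, so they are a natural place for a defender to put detection logic. The script below is an added example written for this article, not code from Deep Instinct, Fortinet, or the Snake authors. It triages constructed process-creation log lines against three rules and escalates when more than one category fires on the same host within a short window. The regular expressions are assumptions modelled on commonly seen command-line tooling; the article itself does not quote Snake's exact command lines, and the log format, host names, and user names are invented for the example.

```python
"""
Triage of process-creation events for Snake/EKANS-style pre-encryption behaviour.
Added example; the log format and all sample events below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Detection rules applied to the command line of each process-creation event.
# These patterns are assumptions based on commonly observed tooling, not on
# Snake's actual command lines (which the article does not quote).
RULES = {
    "firewall_lockdown": re.compile(
        r"\bnetsh(\.exe)?\b.*\badvfirewall\b.*\b(firewallpolicy|block)", re.I),
    "shadow_copy_deletion": re.compile(
        r"(\bvssadmin(\.exe)?\b.*\bdelete\s+shadows"
        r"|\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete)", re.I),
    "domain_role_discovery": re.compile(
        r"\bwmic(\.exe)?\b.*\bcomputersystem\b.*\bdomainrole", re.I),
}

# Hypothetical key=value event format, one process-creation event per line.
EVENT_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+'
    r'image=(?P<image>\S+)\s+cmd="(?P<cmd>.*)"$'
)

# Constructed sample telemetry: one host showing the full sequence, plus two
# benign administrative commands on other hosts that must not alert.
SAMPLE_EVENTS = [
    '2020-07-01T10:02:13Z host=WS-042 user=CORP\\jdoe image=C:\\Windows\\System32\\wmic.exe '
    'cmd="wmic computersystem get domainrole"',
    '2020-07-01T10:03:40Z host=WS-042 user=CORP\\jdoe image=C:\\Windows\\System32\\netsh.exe '
    'cmd="netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound"',
    '2020-07-01T10:03:52Z host=WS-042 user=CORP\\jdoe image=C:\\Windows\\System32\\vssadmin.exe '
    'cmd="vssadmin delete shadows /all /quiet"',
    '2020-07-01T10:05:00Z host=WS-017 user=CORP\\admin image=C:\\Windows\\System32\\netsh.exe '
    'cmd="netsh advfirewall show allprofiles"',
    '2020-07-01T12:30:00Z host=WS-099 user=CORP\\backup image=C:\\Windows\\System32\\vssadmin.exe '
    'cmd="vssadmin list shadows"',
]


def parse_event(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def classify(cmd):
    """Return the names of all rules whose pattern matches the command line."""
    return [name for name, rx in RULES.items() if rx.search(cmd)]


def find_alerts(lines, window=timedelta(minutes=10)):
    """Emit a medium alert per rule hit and one high alert per host when two or
    more distinct categories fire on that host inside `window`."""
    hits = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for tag in classify(ev["cmd"]):
            hits[ev["host"]].append((ev["ts"], tag, ev["cmd"]))

    alerts = []
    for host, items in hits.items():
        items.sort()
        for _, tag, cmd in items:
            alerts.append({"host": host, "severity": "medium", "rule": tag, "cmd": cmd})
        # Sliding window: the first start time that covers >= 2 categories escalates.
        for i, (start, _, _) in enumerate(items):
            tags = sorted({tag for ts, tag, _ in items[i:] if ts - start <= window})
            if len(tags) >= 2:
                alerts.append({"host": host, "severity": "high",
                               "rule": "pre_encryption_lockdown_sequence", "tags": tags})
                break
    return alerts


if __name__ == "__main__":
    for a in find_alerts(SAMPLE_EVENTS):
        print(a["severity"].upper(), a["host"], a["rule"], a.get("cmd", a.get("tags")))
```

The escalation step is the part worth keeping: any one of these commands has legitimate administrative uses, but a host that queries its domain role, shuts the firewall to all traffic, and deletes its shadow copies within a few minutes matches the sequence the researchers describe, and that combination justifies isolating the host and checking whether it holds a domain controller role.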
Fortinet warns that if a domain controller is compromised, Snake is able to interfere with authentication requests across the network domain, which can seriously affect users.