Add yet another malicious encryption program to the expanding ranks of ransomware programs that target large enterprise networks in hopes of scoring big financial payoffs.
The latest such threat is called Snake, a ransomware program written in the Go programming language, with an unusually high level of obfuscation. It was discovered by researchers at MalwareHunterTeam; analyzed by Vitali Kremez, head of SentinelLabs at SentinelOne; and reported by BleepingComputer.
As Snake encrypts each network file, it reportedly appends a random five-character string to the extension, and then within each file it appends the file marker “EKANS” (SNAKE spelled backwards). Certain Windows system folders and system files are ignored by the ransomware, including windir, SystemDrive, :$Recycle.Bin, :ProgramData, :UsersAll Users, :Program Files, :Local Settings, :Boot, :System Volume Information, :Recovery and AppData.
Before the encryption begins, it removes shadow copies to thwart recovery efforts, and “kills numerous process related to related to SCADA systems, virtual machines, industrial control systems, remote management tools, network management software and more,” wrote BleepingComputer creator Lawrence Abrams in a Jan. 8 report.
The ransom note, named Fix-Your-Files.txt and found in the desktop folder, provides the victim with an email address to contact for payment instructions. It also says the victim can attach up to three files, 3 MB in size or less, for the attackers to decrypt, as supposed proof that the files can be recovered.
“What happened to your files? We breached your corporate network and encrypted the data on your computers. The encrypted data includes documents, databases, photos and more – all were encrypted using a military grade encryption algorithms (AES-256 and RSA-2048). You cannot access those files right now,” the note states. “The only way to restore your files is by purchasing a decryption tool loaded with a private key we created specifically for your network. Once run on an effected [sic] computer, the tool will decrypt all encrypted files – and you can resume day-to-day operations, preferably with better cyber security in mind,” it continues.
“The ransomware contains a level of routine obfuscation not previously and typically seen coupled with the targeted approach,” Kremez, Head of SentinelLabs, told BleepingComputer in a conversation.