Snake Ransomware brings impending doom to enterprise networks
10 July 2020


Written by Preksha Saxena
Cybersecurity, Encryption, Malware, Ransomware, Security

A new targeted ransomware called SNAKE (or EKANS) was found in early January. The malware is written in Go, is heavily obfuscated and goes after ICS environments. Snake ransomware appears to be distributed in focused, targeted campaigns aimed exclusively at business enterprise networks, and it uses AES and RSA for encryption. Upon infection, the targeted files are overwritten with encrypted data, and each modified file is tagged with the string “EKANS” at its end.

The malware includes a check for a hard-coded internal system name and public IP address; in our case these are related to Honda. It exits immediately if a DNS query for an internal domain belonging to Honda does not resolve.

Technical Analysis:
The file is a PE32 executable for MS Windows and has a “.symtab” section with few imports, which indicates that the file is written and compiled in Go.

Fig 1: Section Names

 

Various strings are found which confirm that the binary is compiled in Go. Below is the Go build ID.

Fig 2: GO build ID

 

The malware starts by requesting a DNS resolution of “MDS.HONDA.COM”. Honda was recently hit by a ransomware cyber-attack on its technology systems, so it seems this sample is the one used to compromise Honda.

Figure 3: DNS resolution of MDS.HONDA.COM

 

The malware resolves “MDS.HONDA.COM” to its associated IP address; it also contains a reference to the US IP address 170.108.71.15, which resolves to the hostname ‘unspec170108.amerhonda.com’. If the DNS resolution fails, the malware aborts its execution.

Once the malware finds that the domain name has resolved, it changes the firewall settings by running the networking tool netsh.exe with the following command:

“Netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound”.

This command sets the Windows Firewall policy for all profiles to block every inbound and outbound connection that does not match an explicit allow rule, effectively cutting the host off from the network.
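Because a legitimate administrator rarely blocks outbound traffic on all profiles, this netsh invocation is a useful hunting signal in process-creation telemetry. The following Python helper is an added example written for this post, not code from Seqrite or from the malware; it parses constructed sample log lines in a simplified "timestamp image command-line" layout (an assumption, not a real log format) and flags firewall policy changes that block both directions.

```python
"""Flag netsh commands that set a block-all Windows Firewall policy.

Added example for illustration; not code from the original post.
The log lines below are constructed samples in a simplified
"<timestamp> <image> <command line>" layout, not real telemetry.
"""
import re
from typing import Optional

# Matches "netsh advfirewall set <profile> firewallpolicy <in>,<out>",
# tolerating case differences, extra whitespace and an .exe suffix.
_NETSH_POLICY = re.compile(
    r"""netsh(?:\.exe)?\s+advfirewall\s+set\s+
        (?P<profile>allprofiles|domainprofile|privateprofile|publicprofile)\s+
        firewallpolicy\s+(?P<inbound>\w+),(?P<outbound>\w+)""",
    re.IGNORECASE | re.VERBOSE,
)


def classify_netsh(cmdline: str) -> Optional[dict]:
    """Describe a netsh firewallpolicy change, or return None if the
    command line is not such a command."""
    m = _NETSH_POLICY.search(cmdline)
    if not m:
        return None
    inbound = m.group("inbound").lower()
    outbound = m.group("outbound").lower()
    return {
        "profile": m.group("profile").lower(),
        "inbound": inbound,
        "outbound": outbound,
        # Blocking outbound traffic as well is the unusual part: Snake does
        # it to isolate the host once the domain check has succeeded.
        "lockdown": inbound == "blockinbound" and outbound == "blockoutbound",
    }


def find_firewall_lockdowns(log_lines):
    """Return (timestamp, command line) tuples for full-lockdown changes."""
    hits = []
    for line in log_lines:
        try:
            ts, _image, cmd = line.split(" ", 2)
        except ValueError:
            continue  # malformed line, skip it
        info = classify_netsh(cmd)
        if info and info["lockdown"]:
            hits.append((ts, cmd))
    return hits


# Constructed sample process-creation events (not real logs).
SAMPLE_LOG = [
    "2020-06-08T10:01:02Z C:\\Windows\\System32\\netsh.exe netsh advfirewall set allprofiles state on",
    "2020-06-08T10:01:05Z C:\\Windows\\System32\\netsh.exe Netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound",
    "2020-06-08T10:01:09Z C:\\Windows\\System32\\netsh.exe netsh advfirewall set publicprofile firewallpolicy blockinbound,allowoutbound",
    "2020-06-08T10:02:00Z C:\\Windows\\System32\\cmd.exe cmd.exe /c dir",
]

if __name__ == "__main__":
    for ts, cmd in find_firewall_lockdowns(SAMPLE_LOG):
        print(f"[{ts}] firewall lockdown: {cmd}")
```

The third sample line (inbound blocked, outbound allowed) is the Windows default and is deliberately not flagged, so the rule keys on the combination the post describes rather than on any use of netsh.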

Fig 4: Command used for changing firewall setting

The malware uses the algorithm below to decrypt all strings used during its execution; each encrypted blob uses a different XOR key.

The decryption loop below decrypts the RSA public key, which is used to encrypt each of the AES keys that in turn encrypt the files.

Fig 5: Decryption Loop

The decompiled code for the algorithm is shown below.

Fig 7: Decompiled decryption loop

 

The malware checks for the presence of a mutex named “EKANS”. If it is present, the ransomware stops executing and does not infect the system. Otherwise the mutex is created and the infection proceeds.

It contains a hard-coded process and service list, stored as encrypted strings inside the malware. If any of the listed services are running on the victim system, the ransomware stops them; likewise, it kills any of the listed processes using TerminateProcess(). Some of the process names are given below.

Fig 7: Some process names which are decrypted by malware

 

The malware removes all Volume Shadow Copy backups found on the system. It skips files with certain extensions during encryption; some of these are:

.sys .mui .tmp .lnk .config .tlb .olb .blf .ico .manifest .bat .cmd .ps1 etc.

Some further extensions, shown below, are decrypted by the malware although they are not used during encryption.

Fig 9: Extensions mentioned in File

Snake’s encryption scheme is a mix of symmetric and asymmetric cryptography, using AES-256 and RSA-2048. A symmetric key is used to encrypt and decrypt the files, and this symmetric key is encrypted with the attacker’s public key, so decryption is only possible with the attacker’s private key. This makes decryption difficult or impossible for security vendors.

The malware encrypts each file with AES in CTR mode, using a random 0x20-byte (32-byte) key and a random 0x10-byte (16-byte) IV. The RSA public key is hard-coded in the file. After encryption the malware appends the “EKANS” marker at the end of the file. EKANS is SNAKE spelled backwards.

Fig 9: Encrypted file with EKANS marker

 

After encrypting all the files, the malware renames each encrypted file by appending a random 5-character string to the file’s extension. Because the appended string is random, it is difficult to identify the ransomware from the extension alone. The image below shows files renamed by Snake ransomware.
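Since the random extension suffix is not a reliable identifier, the trailing “EKANS” marker described above is the better triage signal. The Python helper below is an added example written for this post (not Seqrite's or the malware's code): it scans a directory tree, reads only the last five bytes of each file, and reports files that end with the marker; the extension heuristic and the small list of known extensions are assumptions used only to corroborate a hit, and the sample files are constructed in a temporary directory.

```python
"""Triage helper: find files carrying Snake's trailing "EKANS" marker.

Added example, not code from the original post. Sample files are
constructed in a temporary directory, not taken from a real incident.
"""
import os
import tempfile
from pathlib import Path

MARKER = b"EKANS"

# Assumed list of common extensions used only for the renaming heuristic.
KNOWN_EXTS = {"doc", "docx", "xls", "xlsx", "pdf", "jpg", "png", "txt", "sql", "zip"}


def has_ekans_marker(data: bytes) -> bool:
    """True when the content ends with the EKANS marker."""
    return data.endswith(MARKER)


def looks_renamed_by_snake(name: str) -> bool:
    """Heuristic (assumption): a known extension followed by exactly five
    extra alphanumeric characters, e.g. 'report.docx' -> 'report.docxQwErT'."""
    suffix = Path(name).suffix.lstrip(".")
    for ext in KNOWN_EXTS:
        if suffix.startswith(ext) and len(suffix) == len(ext) + 5:
            return suffix[len(ext):].isalnum()
    return False


def scan_tree(root) -> list:
    """Return sorted POSIX-style relative paths of files that end with the
    marker. Only the tail of each file is read, so large files are cheap."""
    root = Path(root)
    hits = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        try:
            with open(path, "rb") as f:
                f.seek(0, os.SEEK_END)
                size = f.tell()
                f.seek(max(0, size - len(MARKER)))
                tail = f.read()
        except OSError:
            continue  # unreadable file, skip it
        if has_ekans_marker(tail):
            hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def demo() -> list:
    """Build a constructed sample tree, scan it and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Two "encrypted" files: random bytes plus the marker, renamed with
        # a 5-character suffix as the post describes.
        (root / "report.docxQwErT").write_bytes(os.urandom(32) + MARKER)
        (root / "sub").mkdir()
        (root / "sub" / "data.xlsxZz9Ab").write_bytes(os.urandom(64) + MARKER)
        # Two untouched files, one of which merely contains the word EKANS.
        (root / "notes.txt").write_bytes(b"plain text, untouched")
        (root / "sub" / "readme.txt").write_bytes(b"mentions EKANS but not at the end")
        return scan_tree(root)


if __name__ == "__main__":
    for hit in demo():
        print("EKANS marker found:", hit, "| renamed-looking:", looks_renamed_by_snake(hit))
```

Reading only the tail keeps a full-disk sweep fast; in an incident the marker check can run before any decision about restoring from backup, and the renaming heuristic only adds confidence because the suffix alphabet is not documented in the post.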

Fig 11: Files before and after encryption

 

Conclusion

Ransomware has become a perpetual threat for individual users and businesses alike. Once it encrypts files, it is very difficult to decrypt the data. Given the extent of the damage any ransomware can do to your data, you should follow the recommended security measures below.

  • Use a multi-layered antivirus that can stop real-time threats.
  • Keep your antivirus up to date.
  • Update your Operating System regularly as critical patches are released every day.
  • Keep your software up to date.
  • Never directly connect remote systems to the Internet.
  • Do not click on links or download attachments in emails received from unknown sources.
  • Take regular data backup and keep it in a secure location.
  • Audit gateway system & check for misconfiguration.

Seqrite products are equipped with multilayered detection technologies like IDS/IPS, DNA Scan, Email Scan, BDS, Web Protection and patented Anti-Ransomware detection. This multi-layered security approach helps us protect our customers efficiently against this type of ransomware and other known and unknown threats.

Indicator of Compromise

 d4da69e424241c291c173c8b3756639c654432706e7def5025a649730868c4a1
