Skip to content
Naked Security Naked Security

Snake alert! This ransomware is not a game…

Looks like the Snake ransomware was created especially for network-wide attacks.

Here’s some goodish news: the Snake ransomware seems to have made the news last week on account of its name rather than its prevalence.
Because, well, SNAKE!
Like most ransomware, Snake doesn’t touch your operating system files and programs, so your computer will still boot up, log in, and let you open your favourite apps, so that in purely technical terms you have a working system…
…but all your important data files, such as documents, spreadsheets, photos, videos, music, tax returns, business plans, accounts payable and accounts receivable, are scrambled with a randomly chosen encryption key.
Scrambled files consist of the encrypted content written back over the original data, with decryption information added at the end:

Decryption metadata plus the text EKANS (SNAKE backwards) is added at the end of encrypted files.

The original filename and directory are recorded, the decryption key is stored too, and the special tag EKANS, which is SNAKE written backwards, finishes off the encrypted file.
Note that the decryption key for each file is itself encrypted using public-key encryption, which is a special sort of encryption algorithm in which there are two keys, rather than one, so that the key used to lock data can’t be used to unlock it.
The key used for locking data is called the public key, because you can reveal it to anyone; the unlocking key is called the private key, because as long as you keep it private, you’re the only one who can later unlock the encrypted data.
Most modern ransomware uses this sort of hybrid encryption system.
The malware generates a random key to encrypt the file, using what’s called a symmetric or secret-key encryption algorithm where the same key both locks and unlocks; then uses a public key to lock up the random key.
To decrypt the file, you need the private key to unlock the symmetric key; then the symmetric key to unlock the file.

Why not just use public key cryptography alone to lock and unlock the file? Why the extra complexity of generating a random secret key to lock the data and then using a public key to lock the secret key? The answer is that symmetric crypto is ideally suited for scrambling large amounts of data, but public key crypto is much slower and suited only for scrambling small amounts of data at a time. Thus you use fast encryption to deal with whole files, followed by slow encryption to keep the secret key safe for the fast decryption safe.

Why Snake?

But why the Snake part?
Why add the EKANS marker, unencrypted, at the end of every encrypted file?
We assume that the crooks behind the ransomware did this as an easy way of identifying an encrypted file if you decide to pay up and buy back the decryption key from them.
Most ransomware denotes scrambled files by adding a unusual extension to filenames so they stand out.
Sometimes this special extension adds ironic insult to injury, as in the case of the infamous SamSam ransomware, which added the truthless text .weapologize to the end of all your scrambled files.
But the Snake malware adds a different, randomly chosen string of characters to the names of encrypted files, so that they can’t reliably be picked out by name alone:

Extract from a log of files scrambled by the Snake. Each one gets renamed differently (red text).

Once it’s scrambled your data, Snake dumps a “What happened to your files?” document on your desktop:
The “What happened to your files?” document dropped by the Snake.

This malware actually writes this file, called Fix-Your-Files.txt, into what Windows calls the ‘public desktop’, usually in the directory C:\Users\Public, where it shows up in the background for every user on the system.
If the malware isn’t run with administrator privileges, then although it will be able to overwrite all your files, it won’t be able to write to the Public folder, and will end up in a special folder called \Users\[yourname]\AppData\Local\VirtualStore, where you’re likely to miss it.
We think these crooks expect to have administrator access across a compromised network to inflict maximum damage, and have programmed their malware on that basis.
As the “What happened to your files?” document itself says:

We breached your corporate network and encrypted the data on your computers. The encrypted data includes documents, databases, photos and more.

So here’s the bad news to counter the goodish news we started with: the crooks behind this ransomware don’t intend to target individual users on your network, but instead take their time and go after everyone, for a more shocking effect.

What to do

  • Don’t run unexpected attachments. The crooks probably won’t send you the ransomware directly, but they will try to trick you into running remote access malware that lets them get back in later so they can attack from right inside your network.
  • Don’t open up remote access to your network unless you really mean to. Lots of ransomware attacks start because remote access systems such as RDP (remote desktop protocol) were open unexpectedly, and therefore hadn’t been secured properly.
  • Don’t ignore warning signs in your security logs. Modern ransomware attackers usually spend hours, or even days, scoping out your network so they can scramble as many computers as possible to demand a bigger payout. If you spot them first, you many be able to head them off entirely.
  • Don’t let users talk you into softening up login security. Features such as 2FA, where you need to copy a one-time code off your phone every time you login, add a tiny inconvenience for users compared to the extra difficulty they add for attackers.
  • Don’t rely entirely on real-time, online backups. Most contemporary attackers search out and delete any online backups they can find, making it harder to recover without paying. Backups locked away in an old-school safe can’t be reached across your network!

Sophos products detect and block this malware as Troj/Ransom-FUJ.


8 Comments

Should be easy to trace the crooks – they work in IT and don’t know the difference between “effected” and “affected”

@Davet99
Grammatical mistakes typically flash “neon” to me as well, but I hesitate to concur with the implication correlating IT folks with impeccable grammar.
True, while there are some brilliant minds working the field† and there’s sure to be some Venn diagram overlap, I’m unconvinced that coding or administrative skills necessarily translate to linguistic prowess. In 2020 one might be tempted to blame autocorrect or suggested replies for conflating “affect” with “effect.”
However in 2000-2004 I burned many hours on Slashdot, where thousands of instances had me “grading papers,” mentally consuming entire red pens as I scanned those pages.†† Those days didn’t have much “second-guess” software beyond spellcheck, and web browsers wouldn’t suggest “discrete” for “discreet.” I doubt they will even now–though plugins likely exist for that.
I’ve long held the opinion that skills in tech bear more similarity to mathematics, and reading Slashdot (even NakedSecurity, though less so) reminded me of former classmates who’d say “I’m great in English but terrible in math,” or vice versa. Someone excelling in both feels rare to me.
† (I’ve also worked with some absolute dolts, though many jumped into the DotCom bubble’s promise of quick cash–then popped right back out when it burst)
†† Ah, Slashdot… so tragically bereft of semicolons and proper consideration for
(your/you're|there/their/they're|to/two/too)

I am astonished (actually, by now it’s more like aggravated) how frequently iOS changes “its” to “it’s”, even though that is a mistake I probably make fewer than 1 in every 1000 times. I’ve occasionally tested it out to see if it would at least save my bacon if I made the mistake the other way around…
…nope.

Hah. Dad and I have a playful rivalry between iOS and Android: “well ya shoulda got an iPhone. Oh wait…”
I’ve performed the same experiment during bouts of the same aggravation. If it’s any consolation, Android has not fared any better.
Seems lately the most frequent offender is “your.”
No, dear phone; I did NOT mean “let me know when your going to be home.”

I should amend that, as I unintentionally reversed it–mildly hypocritical and strangely amusing, given my intent:
No dear phone; I did not mean “please check you’re email.”

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?