Despite rearing its ugly, slithery head all the way back in January, the infamous Snake ransomware continues to be a major burden for businesses. With organisations more dependent on their IT systems to keep their businesses running and enable staff to work remotely, it’s time to cut the head off this malicious IT infection and get back to work.
While more familiar than most to the threat of actual snakes, the Snake ransomware has raised concerns for industrial control system (ICS) operators. These teams are essential to keeping the digital heartbeat of companies in a range of industries such as mining, utilities and manufacturing thumping.
Snake aims to extort its victims through encrypting their files, leaving organisations with little option than to pay the hackers to free systems up again. First discovered in January 2020, the ransomware is similar to MegaCortex, which spread in 2019.
Since day one, Nozomi Networks Labs have been actively monitoring and analysing information from key industry sources to stay ahead of Snake and we’ve added Snake ransomware signatures to our Threat Intelligence repository.
About the author
Michael Bailie is Manager Solutions Delivery and Projects (APAC) for industrial cyber security and operational technology specialist Nozomi Networks.
The ransomware uses obfuscation – meaning processes typically found in ICS environments are killed before encryption begins – to make analysis difficult.
Interestingly, we found that Snake doesn’t attempt to spread, but instead relies on manual propagation. Routes to infect include malicious email attachments and the exploitation of unpatched or poorly secured services. Emails in particular are getting more and more sophisticated and many cybercriminals can successfully mimic company CEOs’ emails, often prompting a quick response from staff ironically looking to impress or not disappoint the boss.
Using a Snake sample, we discovered that the ransomware contained strings related to processes often found in ICS environments. Upon further investigation, we discovered that the ransomware can kill a number of processes and then attempt to encrypt any accessible files.
An ongoing threat
Why Snake is still running riot is simple: no system patching, therefore no peace and quiet. As Snake attacks from deep in the ICS environment, patching is expensive and many organisations are holding off on it until an upgrade is required.
While the reasons for this are understandable – cost and complexity – businesses may need to consider the relatively new world of uncertainty into which we’ve been cast. Over the past few months we’ve seen extreme weather at both ends of the spectrum wreak havoc on the country, while more recently the novel coronavirus / COVID-19 outbreak has ground many businesses to a halt, causing shutdowns and forcing staff to work remotely.
Calculations indicate the outbreak will erase $34 billion from the economy, and many businesses are already feeling the impact with staff unable to travel, events being cancelled and important trade routes closed off.
Fortunately, technology such as virtual conferencing and virtual desktop software is enabling many businesses to keep running during these uncertain times. But the increased reliance on this technology heightens the importance of having your cybersecurity house in order to ensure critical infrastructure is protected from ransomware attacks like Snake.
The cost of downtime and cybercriminal activity is already incredibly high, and threat actors know this. Once infected by ransomware, you’re left with little choice than to pay up. If cybercriminals know just how costly it is for your systems to go down, you can bet their price will rise. And realistically, you’ll pay it too.
Keeping the Snake at bay
The aggressive nature of Snake means it’s essential to have multiple controls in place to detect and prevent it.
Now more than ever, businesses need to take the threat seriously and ensure they are following general security guidelines, particularly around the following:
- Mail content scanning and filtering
- Security awareness across the organisation to avoid falling victim to phishing
- Applying a health-check to network infrastructure, ensuring correct network segregation and firewall policies are in place
- Making sure all devices and services are patched, despite the costs and complexity (things will get a whole lot more costly and complex if you suffer an attack)
- Implement a resilient backup policy that will support fast access to impacted files
Training is always vital with this kind of ransomware, and cybersecurity in general, so businesses need to incorporate continuous security awareness training for employees and personnel to help them better identify fake and malicious emails.
On top of the usual spam filters and firewalls, we recommend using anomaly detection technology inside ICS environments to identify unusual behaviour, as well as traditional threat detection capabilities to provide additional context and visibility around potential threat actors.
Staying connected is key for any business, and failure to protect and gain true visibility over your environment is a sure-fire way to feel the wrath of Snake or other cyber-attacks. Don’t add to the woes already being felt by businesses by neglecting this.