Is your ICS being targeted? How to identify whether your organization is being lined-up for a Snake ransomware attack

Published: Tuesday, 30 June 2020 07:57

According to research by Kaspersky ICS CERT experts a number of industrial companies are currently experiencing targeted attacks involving the Snake encryption ransomware. This article explains how to identify whether your organization is being lined-up for an attack.

On June 8th 2020 issues were reported which affected the computer networks of Honda, a Japanese motorcycle and auto manufacturer, in Europe and Japan. Specifically, it was announced that Honda Customer Service and Honda Financial Services were experiencing technical difficulties. Information security experts believe that, in all likelihood, one of the company’s servers was infected with Snake (EKANS) ransomware.

A sample of the Snake malware discovered by some researchers on VirusTotal checked for Honda’s domain name, “mds.honda.com” (which is probably used on the company’s internal network). If the domain name cannot be resolved (i.e., if the corresponding IP address cannot be determined), the ransomware terminates without encrypting any files. According to the researchers, this could indicate that the attackers’ activity is targeted.

Kaspersky ICS CERT experts used their own telemetry data to identify other samples that were similar to the sample uploaded to VirusTotal.

Based on the findings of the research:

The results of the research clearly indicates that the attackers carry out multistage hacker attacks, each attack targeting a specific organisation. Encrypting files using Snake is the final stage of these attacks.

Each Snake sample was apparently compiled after the attackers had gained the knowledge of the relevant domain name and its associated IP address on the company’s internal network. In the malware samples analysed, the IP address and domain name are stored as strings. This means that the executable file cannot be easily changed (patched) after compilation because the length of these strings varies.

Clearly, checking that the domain name matches the IP address is a technique designed to prevent the malware from running outside the local network for which the sample was created.

It is most likely that the attackers used domain policies to spread the ransomware across the local network. In that case, they had access to the domain administrator’s account, compromised in the attack’s earlier stages.

It is known that, in addition to Honda, victims include power company Enel Group. According to Kaspersky ICS CERT data, attack targets also include a German company that supplies its products to auto makers and other industrial manufacturers and a German manufacturer of medical equipment and supplies. Apparently, other auto makers and manufacturing companies have also been attacked: similar Snake samples have been detected on computers in China, Japan and Europe. Kaspersky believes that the attack may have gone beyond the victims’ IT systems. Specifically, in one case, the malware was detected and blocked on the video surveillance server of an organization attacked in China.

All malware samples were proactively blocked by Kaspersky products using the heuristic signature Trojan-Ransom.Win32.Snake.a, which was created using the original Snake sample that appeared in December 2019.

It is worth highlighting that an important, and distinguishing feature of Snake is that it targets, among other things, industrial automation systems – specifically that it is designed to encrypt files used by General Electric ICS. This is evidenced by the fact that the malware attempts to terminate the processes of General Electric software before starting the file encryption process.

To identify traces of an attack and to prevent possible damage, Kaspersky ICS CERT recommends:

Indicators of compromise

MD5

File names

Folders in which malicious objects can be located