Snake Ransomware Designed to Operate Only in Specific Business Environments

Snake ransomware that targets specific companies is currently being distributed. Although no cases have been found in Korea yet, Korean companies should stay on guard, as it is attacking companies in countries such as Germany, Italy and Japan.

Snake is ransomware written in the Go language. The number of malware families developed in Go keeps rising, and recently distributed samples use obfuscation to hinder analysis. Like those, Snake replaces its function names with random strings (see below).

Obfuscated function name

Like ordinary ransomware, the Snake samples found at the end of last year encrypt files unconditionally. However, every sample discovered since May this year first checks its environment to determine whether it is running on the targeted company's network.

The sample that recently targeted Honda sends a DNS query for the domain mds.honda.com and checks whether an IP address comes back. If it does, it compares that address with 170.108.71.15. This means that recent Snake samples only run inside a specific company's network and do not run in sandbox environments, which cannot return the expected answer.

Routine that checks Domain / IP address

Samples found since May use a different pair of check values for each target company.

  • Company name: Fresenius
    DNS query address: ads.fresenius.com
    IP address: 10.2.10.4
  • Company name: Enel
    DNS query address: enelint.global
    IP address: 10.16.173.233
  • Company name: Honda
    DNS query address: mds.honda.com
    IP address: 170.108.71.15

A second check follows. As shown below, it queries DomainRole via WMI and branches on the result.

Check DomainRole

DomainRole can take the following values, so the sample can tell whether it is running on a Domain Controller:

  • 5: PrimaryDomainController (Primary Domain Controller)
  • 4: BackupDomainController (Backup Domain Controller)
  • 3: MemberServer (Member Server)
  • 2: StandaloneServer (Standalone Server)
  • 1: MemberWorkstation (Member Workstation)
  • 0: StandaloneWorkstation (Standalone Workstation)
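To make the two gates concrete, the Go program below is an added example (my own code, not Snake's and not from ASEC) that reproduces the decision logic described above: a DNS lookup whose answer must equal the hard-coded address, followed by the DomainRole branch (3 or less goes on to encrypt, 4 or 5 only drops the ransom note). The resolver is injected so the example runs offline; the Resolver, Target and decide names, the static DNS answers and the sandbox cases are constructed for this illustration, and the DomainRole value is passed in as a number rather than read from WMI.

```go
package main

import (
	"errors"
	"fmt"
	"net"
)

// Action is what the gate decides to do, following the branching the
// analysis above describes.
type Action string

const (
	ActionExit     Action = "exit"        // not the expected network: do nothing
	ActionEncrypt  Action = "encrypt"     // DomainRole 3 or less: firewall lockdown, kill services, encrypt
	ActionNoteOnly Action = "ransom-note" // DomainRole 4 or 5 (domain controller): drop note, no encryption
)

// Target pairs a DNS name with the single address the sample expects for it.
// The three entries are the ones listed in the text above.
type Target struct {
	Company string
	Domain  string
	IP      net.IP
}

var targets = []Target{
	{"Fresenius", "ads.fresenius.com", net.ParseIP("10.2.10.4")},
	{"Enel", "enelint.global", net.ParseIP("10.16.173.233")},
	{"Honda", "mds.honda.com", net.ParseIP("170.108.71.15")},
}

// Resolver abstracts DNS so the gate can be exercised offline (an assumption
// of this example); the real sample simply asks the host's configured resolver.
type Resolver func(name string) ([]net.IP, error)

// inExpectedNetwork is the first gate: the name must resolve, and one of the
// answers must equal the hard-coded address. A sandbox with no DNS, or one
// whose resolver returns a sinkhole address, fails here and the sample exits.
func inExpectedNetwork(r Resolver, t Target) bool {
	ips, err := r(t.Domain)
	if err != nil || len(ips) == 0 {
		return false
	}
	for _, ip := range ips {
		if ip.Equal(t.IP) {
			return true
		}
	}
	return false
}

// decide applies the second gate. domainRole is Win32_ComputerSystem.DomainRole
// (0..5, see the table above) as the sample reads it via WMI; obtaining it is
// left to the caller so this example runs on any platform.
func decide(r Resolver, t Target, domainRole int) Action {
	if !inExpectedNetwork(r, t) {
		return ActionExit
	}
	if domainRole <= 3 {
		return ActionEncrypt
	}
	return ActionNoteOnly
}

// fakeResolver builds a resolver from a static answer table (constructed
// data standing in for the victim network's DNS).
func fakeResolver(answers map[string][]string) Resolver {
	return func(name string) ([]net.IP, error) {
		raw, ok := answers[name]
		if !ok {
			return nil, errors.New("NXDOMAIN")
		}
		var ips []net.IP
		for _, s := range raw {
			ips = append(ips, net.ParseIP(s))
		}
		return ips, nil
	}
}

func main() {
	honda := targets[2]
	victim := fakeResolver(map[string][]string{"mds.honda.com": {"170.108.71.15"}})
	sandbox := fakeResolver(map[string][]string{})                                // no answer at all
	sinkhole := fakeResolver(map[string][]string{"mds.honda.com": {"127.0.0.1"}}) // wrong answer

	fmt.Println("victim workstation :", decide(victim, honda, 1))
	fmt.Println("victim DC          :", decide(victim, honda, 5))
	fmt.Println("sandbox, no DNS    :", decide(sandbox, honda, 1))
	fmt.Println("sandbox, sinkholed :", decide(sinkhole, honda, 1))
}
```

The practical consequence for analysis is visible in the last two cases: a sandbox that answers every lookup with a sinkhole address fails the gate just as surely as one with no network, so detonating these samples requires returning the exact expected address for the queried name.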

If the value is 3 or less (member server or below), it carries out the ransomware behavior. Before encrypting any files, it first blocks all inbound and outbound connections by changing the Windows Firewall policy:

  • > netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
  • > netsh advfirewall set allprofiles state on

It then terminates a list of services and processes. Legitimate software such as Adobe, MSSQL and MSExchange is on the termination list alongside various security products.

List of services to terminate

Next, it deletes the volume shadow copies and encrypts files. However, no ransom note is created, even after the encryption process finishes.

The ransom note is created only when the DomainRole check yields a value greater than 3 (4 or 5 in the table above, i.e. a Domain Controller), and in that case no encryption takes place. In other words, on a Domain Controller the sample does not encrypt anything; it writes a ransom note named Decrypt-Your-Files.txt to the root of the C: drive (C:\Decrypt-Your-Files.txt) and to the desktop, then terminates.
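As an added detection example (my own code, not ASEC's and not from the sample), the Go program below scans a constructed process-creation / file-creation log for the indicators the behavior above exposes: the two netsh commands that turn the firewall into a full inbound and outbound block, and the creation of Decrypt-Your-Files.txt in C:\ or in a Desktop folder. The log format (time|host|event|detail), the host names and the events are made up for this illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Finding is one indicator hit: which host, which rule, and the raw line.
type Finding struct {
	Host string
	Rule string
	Line string
}

// Indicators taken from the behavior described above. Command lines and
// paths are lower-cased and whitespace-collapsed before matching, so
// "netsh  ADVFIREWALL set ..." still hits.
var rules = []struct {
	name  string
	event string
	re    *regexp.Regexp
}{
	{"firewall-block-all", "ProcessCreate",
		regexp.MustCompile(`netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound`)},
	{"firewall-force-on", "ProcessCreate",
		regexp.MustCompile(`netsh advfirewall set allprofiles state on`)},
	// Note dropped at the C:\ root or in any user's Desktop folder.
	{"snake-ransom-note", "FileCreate",
		regexp.MustCompile(`(?:^c:\\|\\desktop\\)decrypt-your-files\.txt$`)},
}

var whitespace = regexp.MustCompile(`\s+`)

func normalise(s string) string {
	return strings.ToLower(strings.TrimSpace(whitespace.ReplaceAllString(s, " ")))
}

// scan reads "time|host|event|detail" lines (a constructed format standing in
// for process-creation and file-creation telemetry) and returns each line
// that matches a rule.
func scan(log string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		raw := sc.Text()
		fields := strings.SplitN(raw, "|", 4)
		if len(fields) != 4 {
			continue // blank or malformed line
		}
		host, event, detail := fields[1], fields[2], normalise(fields[3])
		for _, r := range rules {
			if r.event == event && r.re.MatchString(detail) {
				out = append(out, Finding{Host: host, Rule: r.name, Line: raw})
			}
		}
	}
	return out
}

// hostsWithLockdown returns hosts that ran both firewall commands. A blanket
// inbound and outbound block is rarely legitimate, and it is the first thing
// the sample does on a host it intends to encrypt, so it is worth alerting on
// before any file activity is seen.
func hostsWithLockdown(fs []Finding) []string {
	seen := map[string]map[string]bool{}
	for _, f := range fs {
		if seen[f.Host] == nil {
			seen[f.Host] = map[string]bool{}
		}
		seen[f.Host][f.Rule] = true
	}
	var hosts []string
	for h, r := range seen {
		if r["firewall-block-all"] && r["firewall-force-on"] {
			hosts = append(hosts, h)
		}
	}
	sort.Strings(hosts)
	return hosts
}

// sampleLog is constructed telemetry: one workstation that went through the
// full encrypt branch, one domain controller that only received the note,
// and an admin host that merely turned the firewall on.
const sampleLog = `
2020-06-09T03:12:01Z|WS-017|ProcessCreate|netsh  advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
2020-06-09T03:12:01Z|WS-017|ProcessCreate|netsh advfirewall set allprofiles state on
2020-06-09T03:14:40Z|WS-017|FileCreate|C:\Users\jdoe\Desktop\Decrypt-Your-Files.txt
2020-06-09T03:12:05Z|DC-01|FileCreate|C:\Decrypt-Your-Files.txt
2020-06-09T03:12:05Z|DC-01|ProcessCreate|C:\Windows\System32\svchost.exe -k netsvcs
2020-06-09T03:13:00Z|ADMIN-02|ProcessCreate|netsh advfirewall set allprofiles state on
`

func main() {
	findings := scan(sampleLog)
	for _, f := range findings {
		fmt.Printf("%-9s %-20s %s\n", f.Host, f.Rule, f.Line)
	}
	fmt.Println("hosts with full firewall lockdown:", hostsWithLockdown(findings))
}
```

The note-only hit on the domain controller is deliberately kept separate from the lockdown alert: on a DC it is the one artifact this sample leaves, and seeing it there means member servers and workstations that passed the DomainRole check are already being encrypted.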

[File Detection]

– Trojan/Win32.FileCoder.C3866073
– Trojan/Win32.SnakeRansom.C4118506
– Trojan/Win32.SnakeRansom.R335473
– Trojan/Win32.SnakeRansom.R339638

[Behavior Detection]

– Malware/MDP.SystemManipulation.M1566
– Malware/MDP.Ransom.M1171
