Snake ransomware that targets specific companies is currently being distributed. Although there are no found cases in Korea as of yet, Korean companies must be on guard as it is targeting companies across nations such as Germany, Italy, Japan and etc.
Snake is ransomware developed with Go language. The number of malware developed with Go has been on the continual rise, and recently distributed malwares use obfuscation methods to disrupt analysis. Like the others, function names of Snake ransomware have strings randomly changed (see below).
Similar to normal ransomware, Snake ransomware found at the end of last year can perform encryption without condition. However, all the samples discovered since May this year check the environment to determine whether the running environment is a company network.
The sample that recently targeted Honda sends a query for mds.honda.com domain and determines whether to receive IP address. When the IP address is received, it checks the IP address to see if it is 170.108.71.15. This means that the recent Snake ransomware only operates in specific company environments, and do not operate in sandbox environments.
Samples found since May have different checking conditions depending on the target company.
- Company name: Fresenius
DNS query address: ads.fresenius.com
IP address: 10.2.10.4 - Company name: Enel
DNS query address: enelint.global
IP address: 10.16.173.233 - Company name: Honda
DNS query address: mds.honda.com
IP address: 170.108.71.15
There is a second condition afterward. As shown below, it checks DomainRole via WMI query, and it branches differently based on the result.
DomainRole can have the following values below and can check whether it is a Domain Controller server.
| PrimaryDomainController | 5 | Primary Domain Controller |
| BackupDomainController | 4 | Backup Domain Controller |
| MemberServer | 3 | Member Server |
| StandaloneServer | 2 | Standalone Server |
| MemberWorkstation | 1 | Member Workstation |
| StandaloneWorkstation | 0 | Standalone Workstation |
If the value is 3 or less, it performs ransomware behavior. Before performing file encryption, it first blocks inbound and outbound connections via firewall settings.
- > netsh advfireall set all > netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
- > netsh advfirewall set allprofiles state on
It then terminates various services and processes. Normal programs such as Adobe, MSSQl, and MSExchange are on the termination list as well as various security programs.
Next, it proceeds with deletion and encryption of volume shadow copy. However, a ransom note is not created even after the end of encryption process.
The ransom note is created only if the result of DomainRole conditional statement is3 or bigger, and it does not proceed with the encryption. This means that in Domain Controller server, it does not proceed with encryption and terminates after creating a ransom note named Decrypt-Your-Files.txt in directory ‘C:\Decrypt-Your-Files.txt’ and desktop.
[File Detection]
– Trojan/Win32.FileCoder.C3866073
– Trojan/Win32.SnakeRansom.C4118506
– Trojan/Win32.SnakeRansom.R335473
– Trojan/Win32.SnakeRansom.R339638
[Behavior Detection]
– Malware/MDP.SystemManipulation.M1566
– Malware/MDP.Ransom.M1171
Categories:Malware Information