A new enterprise-targeting ransomware named ‘SNAKE’ was recently discovered. Like other ransomware variants, it stops numerous processes and services, including antivirus software, and deletes volume shadow copies so that data cannot be restored easily. After encrypting files, it drops a ransom note named “Fix-Your-Files.txt” and appends five randomly generated characters to the original file extension of each encrypted file.
Figure 1: Screenshot of the ransom note
Figure 2: Screenshot of the list of encrypted files by SNAKE and dropped ransom note.
In addition, it appends the file marker “EKANS”, which is “SNAKE” in reverse order, to the end of each encrypted file.
Figure 3: File marker “EKANS” at the end of the encrypted file.
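A defender-side triage check for the artifacts described above, added here as an example and not code from the original post or from Carbon Black: it walks a directory, flags files whose trailing bytes equal the EKANS marker (assumed here to be the ASCII bytes of “EKANS”), and records any Fix-Your-Files.txt ransom notes it finds. The sample files it creates are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# Marker the post describes at the end of encrypted files ("SNAKE" reversed).
# Assumption: the marker is the ASCII bytes 45 4B 41 4E 53.
EKANS_MARKER = b"EKANS"
RANSOM_NOTE = "Fix-Your-Files.txt"


def has_ekans_marker(path: Path) -> bool:
    """Return True if the file's last bytes equal the EKANS marker."""
    size = path.stat().st_size
    if size < len(EKANS_MARKER):
        return False
    with path.open("rb") as fh:
        fh.seek(size - len(EKANS_MARKER))  # read only the tail, not the whole file
        return fh.read(len(EKANS_MARKER)) == EKANS_MARKER


def scan_directory(root: Path) -> dict:
    """Walk root; list marked files and any ransom notes, sorted for stable output."""
    result = {"marked_files": [], "ransom_notes": []}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if name == RANSOM_NOTE:
                result["ransom_notes"].append(str(p))
            elif has_ekans_marker(p):
                result["marked_files"].append(str(p))
    result["marked_files"].sort()
    result["ransom_notes"].sort()
    return result


def build_sample_tree(root: Path) -> None:
    """Constructed sample data: one 'encrypted' file, one clean file, one ransom note."""
    root.mkdir(parents=True, exist_ok=True)
    # Original extension plus five random-looking characters, EKANS appended at the end.
    (root / "report.docx.kq3Zp").write_bytes(os.urandom(64) + EKANS_MARKER)
    (root / "notes.txt").write_bytes(b"plain text, nothing appended")
    (root / RANSOM_NOTE).write_text("constructed placeholder note\n")


def demo() -> dict:
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_directory(root)


if __name__ == "__main__":
    print(demo())
```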
This post serves to inform our customers about detection and protection capabilities within the Carbon Black suite of products against SNAKE Ransomware.
Behavioral Summary
SNAKE Ransomware is blocked and detected by existing policies within Carbon Black products. For more on ransomware behavior and on the detection and protection capabilities within the Carbon Black suite of products against SNAKE ransomware, refer to the following blog post: TAU-TIN – Ransomware Threats
In addition, CB Defense will display the malware’s overall triggered TTPs.
Remediation:
MITRE ATT&CK TIDs
TID | Tactics | Technique |
---|---|---|
T1045 | Defense Evasion | Software Packing |
T1083 | Discovery | File and Directory Discovery |
T1057 | Discovery | Process Discovery |
T1060 | Persistence | Registry Run Keys / Startup Folder |
T1497 | Defense Evasion, Discovery | Virtualization/Sandbox Evasion |
T1119 | Collection | Automated Collection |
T1081 | Credential Access | Credentials in Files |
T1005 | Collection | Data from Local System |
T1486 | Impact | Data Encrypted for Impact |
T1089 | Defense Evasion | Disabling Security Tools |
T1489 | Impact | Service Stop |
T1067 | Persistence | Bootkit |
Indicators of Compromise (IOCs)
Indicator | Type | Context |
---|---|---|
e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60 | SHA256 | SNAKE Ransomware |
3d1cc4ef33bad0e39c757fce317ef82a | MD5 | SNAKE Ransomware |