Targeted attacks on industrial companies using Snake ransomware
June 2020 by Kaspersky
Kaspersky ICS CERT experts recently conducted research and found that a number of industrial companies are currently experiencing targeted attacks involving the Snake encryption ransomware.
Most recently, Japanese motorcycle and auto manufacturer Honda, had fallen victim to Snake which brought parts of its global operations to a standstill, compromising access to its IT systems.
According to Kaspersky ICS CERT data, a number of industrial companies are currently experiencing targeted attacks involving the Snake encryption ransomware.
On June 8, 2020 issues were reported which affected the computer networks of Honda, a Japanese motorcycle and auto manufacturer, in Europe and Japan. Specifically, it was announced that Honda Customer Service and Honda Financial Services were experiencing technical difficulties. Information security experts believe that, in all likelihood, one of the company’s servers was infected with Snake (EKANS) ransomware.
A sample of the Snake malware discovered by some researchers on VirusTotal checked for Honda’s domain name, “mds.honda.com” (which is probably used on the company’s internal network). If the domain name cannot be resolved (i.e., if the corresponding IP address cannot be determined), the ransomware terminates without encrypting any files. According to the researchers, this could indicate that the attackers’ activity is targeted.
Kaspersky ICS CERT experts used their own telemetry data to identify other samples that were similar to the sample uploaded to VirusTotal. Based on the findings of our research:
1. The malware was launched using a “nmon.bat” file detected by Kaspersky products in domain policy script folders.
2. The only difference between all of the Snake samples identified is the domain name and IP address embedded in the code.
3. The IP address embedded in the malware code is compared with the IP address resolved from the domain name, if the malware was able to resolve it.
4. The malware encrypts data only if the IP address embedded in the malware code matches the IP address resolved from the domain name that is also embedded in the malware code.
5. The IP address and domain name combination embedded in the malware code is unique for each attack we have identified and is apparently valid for the internal network of the organisation targeted by that specific attack.
6. In some cases, the domain names may have been obtained from public sources (DNS), while information on IP addresses associated with these domain names is apparently stored on internal DNS servers and is only available when sending DNS requests from the victim organisations’ internal networks.
7. In addition to the domain name and IP address of the organisation under attack, which are embedded into the malware code, new Snake samples are different from those identified in December 2019 in that they include an extended list of file extensions (types) that the malware should encrypt. The new samples include extensions for virtual drive files, Microsoft Access, source code in ?/C#/ASP/JSP/PHP/JS, as well as the corresponding files of projects/solutions and other extensions that were unsupported by earlier samples.
The results of the research clearly indicates that the attackers carry out multistage hacker attacks, each attack targeting a specific organisation. Encrypting files using Snake is the final stage of these attacks.
Each Snake sample was apparently compiled after the attackers had gained the knowledge of the relevant domain name and its associated IP address on the company’s internal network. In the malware samples analysed, the IP address and domain name are stored as strings. This means that the executable file cannot be easily changed (patched) after compilation because the length of these strings varies.
Clearly, checking that the domain name matches the IP address is a technique designed to prevent the malware from running outside the local network for which the sample was created.
It is most likely that the attackers used domain policies to spread the ransomware across the local network. In that case, they had access to the domain administrator’s account, compromised in the attack’s earlier stages. It is known that, in addition to Honda, victims include power company Enel Group. According to Kaspersky ICS CERT data, attack targets also include a German company that supplies its products to auto makers and other industrial manufacturers and a German manufacturer of medical equipment and supplies. Apparently, other auto makers and manufacturing companies have also been attacked: similar Snake samples have been detected on computers in China, Japan and Europe. We believe the attack may have gone beyond the victims’ IT systems. Specifically, in one case, the malware was detected and blocked on the video surveillance server of an organisation attacked in China.
All malware samples were proactively blocked by Kaspersky products using the heuristic signature Trojan-Ransom.Win32.Snake.a, which was created using the original Snake sample that appeared in December 2019.
It is worth highlighting that an important, and distinguishing feature of Snake is that it targets, among other things, industrial automation systems – specifically that it is designed to encrypt files used by General Electric ICS. This is evidenced by the fact that the malware attempts to terminate the processes of General Electric software before starting the file encryption process.
To identify traces of an attack and to prevent possible damage, Kaspersky ICS CERT recommends:
• Using the indicators of compromise provided to identify infections on Windows workstations and servers;
• Checking active domain policies and scripts for malicious code;
• Checking active tasks in the Windows Task Scheduler on workstations and servers for malicious code;
• Changing the passwords of all accounts in the domain administrator group. Indicators of compromise
• KB[7 random numbers].exe
Folders in which malicious objects can be located
• \sysvol\[domain name]\scripts\