Latest news about Snake malware and some other insights: Understanding and Defending Against ICS-Targeting Ransomware

CISA has just released a very interesting and detailed report about Snake malware; I recommend reading it.

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-129a

The short story: the Snake malware, also known as EKANS or Turla, is a form of ransomware that specifically targets industrial control systems (ICS) and enterprise networks.

Its primary goal is to encrypt files and demand a ransom payment in return for the decryption key. What sets Snake malware apart from traditional ransomware is its focus on ICS and SCADA systems, potentially leading to significant disruptions in critical infrastructure.

Key points of attack are:

  • Focusing on ICS and SCADA system-related files and processes.
  • Utilizing a “kill list” to terminate processes linked to security tools, backup systems, and ICS components before encryption.
  • Encrypting files with strong algorithms, rendering them inaccessible.
  • Employing stealthy operations to avoid detection by security tools.
  • Customizing the payload to better target specific victims or industry sectors.
  • Demanding a ransom payment for the decryption key, with the amount varying based on the attacker’s objectives and the data’s perceived value.
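The "kill list" behaviour in the second bullet is the most detectable step of the chain, because the malware must terminate several unrelated protective and ICS processes on the same host within seconds, which a legitimate service restart never does. The following detection sketch is an added example written for this post; it is not code from the CISA advisory or from the malware. The log line format, the process names in the watch list (`edr_sensor.exe`, `backup_agent.exe`, `hmi_runtime.exe` and so on), the 60-second window and the thresholds are all constructed for illustration and should be replaced with values from your own asset inventory and EDR telemetry.

```python
"""Detection sketch for ransomware "kill list" behaviour.

The Snake/EKANS description above says the malware terminates security,
backup and ICS-related processes before encrypting files. This added
example (not from the advisory) flags an actor process that terminates
several watched processes on one host inside a short window. Log format,
process names and thresholds below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed watch list: category -> process image names. In a real
# deployment this comes from your asset inventory, not a hard-coded list.
WATCHED = {
    "security": {"edr_sensor.exe", "av_service.exe"},
    "backup": {"backup_agent.exe", "vss_writer.exe"},
    "ics": {"hmi_runtime.exe", "historian_svc.exe", "opc_server.exe"},
}
CATEGORY_OF = {name: cat for cat, names in WATCHED.items() for name in names}

WINDOW = timedelta(seconds=60)   # terminations must fall inside this span
MIN_TARGETS = 3                  # distinct watched processes killed
MIN_CATEGORIES = 2               # spanning at least this many categories


def parse_line(line):
    """Parse one constructed log line of the form
    '<iso-ts> host=<h> actor=<proc> action=<verb> target=<proc>'."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts_str.replace("Z", "+00:00"))
    return rec


def find_kill_list_bursts(lines):
    """Return one alert dict per (host, actor) whose terminations of
    watched processes meet the thresholds inside WINDOW. Uses a sliding
    window over the events sorted by time."""
    events = defaultdict(list)  # (host, actor) -> [(ts, target)]
    for line in lines:
        rec = parse_line(line)
        # Only process terminations of watched images count; other
        # actions (e.g. the FileRename below) are ignored by this rule.
        if rec["action"] != "ProcessTerminate":
            continue
        if rec["target"] not in CATEGORY_OF:
            continue
        events[(rec["host"], rec["actor"])].append((rec["ts"], rec["target"]))

    alerts = []
    for (host, actor), evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > WINDOW:
                start += 1
            window = evs[start:end + 1]
            targets = {t for _, t in window}
            cats = {CATEGORY_OF[t] for t in targets}
            if len(targets) >= MIN_TARGETS and len(cats) >= MIN_CATEGORIES:
                alerts.append({"host": host, "actor": actor,
                               "targets": sorted(targets),
                               "categories": sorted(cats),
                               "first": window[0][0], "last": window[-1][0]})
                break  # one alert per (host, actor) is enough
    return alerts


# Constructed sample events: host ENG-WS-01 shows kill-list behaviour; host
# HIST-02 shows two isolated service restarts that must not alert.
SAMPLE_LOG = [
    "2023-05-09T10:00:01Z host=ENG-WS-01 actor=upd_helper.exe action=ProcessTerminate target=edr_sensor.exe",
    "2023-05-09T10:00:03Z host=ENG-WS-01 actor=upd_helper.exe action=ProcessTerminate target=backup_agent.exe",
    "2023-05-09T10:00:04Z host=ENG-WS-01 actor=upd_helper.exe action=ProcessTerminate target=hmi_runtime.exe",
    "2023-05-09T10:00:05Z host=ENG-WS-01 actor=upd_helper.exe action=ProcessTerminate target=historian_svc.exe",
    "2023-05-09T10:00:09Z host=ENG-WS-01 actor=upd_helper.exe action=FileRename target=report.docx",
    "2023-05-09T10:05:00Z host=HIST-02 actor=services.exe action=ProcessTerminate target=historian_svc.exe",
    "2023-05-09T11:30:00Z host=HIST-02 actor=services.exe action=ProcessTerminate target=backup_agent.exe",
]

if __name__ == "__main__":
    for a in find_kill_list_bursts(SAMPLE_LOG):
        print(f"ALERT {a['host']}: {a['actor']} terminated {a['targets']} "
              f"({', '.join(a['categories'])}) between {a['first']} and {a['last']}")
```

Requiring the terminated processes to span at least two categories is what keeps the rule quiet during maintenance: a backup job restarting its own helpers, or an engineer stopping an HMI before a patch, touches one category only. The same sliding-window shape can be reused to correlate the burst with a subsequent spike of file renames by the same actor, which is the encryption step the next bullet describes.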

Snake malware has been observed targeting organizations across various industries and countries. While specific instances may not be disclosed due to confidentiality and ongoing investigations, Snake malware has been reported to target companies primarily in Europe and North America, affecting industrial control systems, critical infrastructure, and enterprise networks.

There are also interesting voices from the NCSC pointing to a possible link with cyber-espionage campaigns believed to be associated with Russian state-sponsored threat actors.

More details are below:

https://www.ncsc.gov.uk/news/uk-and-allies-expose-snake-malware-threat-from-russian-cyber-actors
