Digging Deeper into Snake Ransomware and ICS Impact
By Rotem Mesika and Roi Shaubi | Feb 4, 2020
Despite widespread reporting that Snake, or EKANS, ransomware—which was discovered last month and allegedly created by Iran—aims to disrupt industrial processes by directly targeting industrial control system (ICS) equipment, Claroty researchers have determined this is not the case.
Unlike ICS-specific malware such as Triton and Industroyer, Snake does not communicate with ICS equipment and is unable to change the logic or tag values of such equipment because it does not utilize the industrial communication protocols required to do so.
The heavy presence of ICS processes in the Snake kill list, however, indicates that the ransomware’s intended victims are indeed ICS processes. The key difference is that rather than seeking to disrupt such processes by targeting ICS equipment directly, Snake casts a much wider net by targeting enterprises’ entire corporate IT networks—many of which are connected to ICS networks and thus processes. As a result, any damage to ICS processes that does occur is likely to be a byproduct of the ransomware’s encryption of HMI configuration and/or other types of IT files critical to ICS processes.
Also noteworthy is that according to Claroty researchers, the ICS process kill list configured in Snake is fully contained in the process kill list included in the MegaCortex ransomware, which was first identified in 2017. But despite the contents of its kill list, Megacortex has historically been known only to target enterprise IT networks—not ICS networks.
There are multiple open questions about the relationship between Megacortex and the analyzed samples of Snake. While both malwares are classic ransomware malwares that share similar behaviors and resources, such as the aforementioned kill list, they are fundamentally different in terms of how they were developed. More specifically, Megacortex is written in c++ while Snake is written in Go, or Golang.
The shared behavior and resources could indicate that Snake and Megacortex were developed by the same group, however this has not been proven and requires further investigation at this time. Another possibility is that parts of the code were taken from malware development resources commonly available on public domains or within private groups. Some attackers have also been known to redevelop their tools in different programming languages while keeping the general logic the same in order to avoid detection by security tools.
Furthermore, a possible explanation as to why certain ICS processes are included in the kill list for Megacortex is that it was an opportunistic decision made by the group behind the malware. It is probable that the group had recently encountered ICS-related servers in action while developing Megacortex and thus opted to include related processes in the kill list in order to target crucial assets such as ICS-related software. This claim is supported by the fact that Megacortex kills licensing-related processes, such as “FLEXNet Licensing Service,” that will cause DOS and will not encrypt any process-related files such as Proficy HMI configuration and Historian data.
Moreover, it is crucial to recognize that Snake ransomware is among the latest reminders of the security risks posed by the convergence of IT and ICS or operational technology (OT) networks. While Snake lacks the ability to communicate with ICS equipment using OT protocols, the architecture of many IT and ICS/OT networks within industrial enterprises and critical infrastructure still makes it possible for the ransomware to impact the availability, safety, and reliability of ICS processes.
Proactive Mitigation Recommendations
Claroty researchers recommend taking the following steps to proactively reduce your organization’s risk of exposure to Snake, as well as other types of ransomware and destructive malware:
Network Segmentation: Network segmentation is a crucial element of protecting an ICS network. Claroty suggests limiting communication between different segments of the network depending on criticality and usability. This approach helps minimize the extent that malware and attackers can spread within your ICS network.
Data Protection: Frequent data backups are essential and should always be stored offline in a secure location. It can also be beneficial to keep multiple backups of particularly sensitive data in different locations, as well as to test backups by simulating different attack scenarios.
Software and Firmware Updates: Since ransomware is often distributed via exploit kits, ensuring all operating systems, software versions, plugins, and browsers on the network are routinely patched and updated is imperative.
User-Role Policies: Practitioners are strongly encouraged to restrict user permissions by defining user roles, blocking all but trusted and necessary users from installing and running software applications, permitting a ”least privilege” policy to all systems and services, and implementing User Access Control (UAC) to prevent unauthorized changes to user privileges. Such policies can help limit malware from executing and/or spreading within a network.
Network Management: It is important to ensure that firewalls are properly configured and updated, unused ports are monitored and closed, and unused protocols are blocked.
Ransomware Response Best Practices
Claroty researchers recommend adhering to the following best practices in the event of a ransomware attack on an ICS network:
Identify, isolate, and remove the infected assets: Immediately disconnecting them from the network can help prevent the ransomware from spreading to shared drives and connected systems.
Determine the infection vector: Ensuring a clean restoration of backups requires knowing which backups from what time period need to be restored—and this typically depends on when the ransomware attacker penetrated the network. Attackers have been known to penetrate networks to establish an attack surface as wide as possible days or even weeks before the ransomware is executed and the encryption stage starts.
Notify employees: Ensure employees are aware that a ransomware attack has occurred and is in progress. Next, direct them to the organization’s incident response plan and processes needed to protect the data.
Identify a safe point in time: Determine the point in time when the ransomware infected your ICS network. Restore the most recent clean files from a backup just prior to the infection date.
Restore infected systems: If a production database or industrial application has been infected, leverage backup solutions to spin up an image or virtual machine in minutes while taking precautions to minimize the impact on business processes.