While ransomware continues to be a major threat to enterprise IT environments around the world, a new family of ransomware poses a unique danger to companies with industrial control systems.

Snake, also known as Ekans (“snake” spelled backward), follows the classic ransomware formula: encrypt files across the target network, then demand a ransom for the decryption key. What sets Snake apart is its interest in industrial control systems (ICS). The malware itself is still a Windows executable, but before encrypting it terminates a hard-coded list of running processes that includes ICS and OT software such as HMI and data-historian components, so it can disrupt the hosts that run production rather than only back-office IT. Despite that specialization, the threat actors behind Snake rely on the same initial-access techniques as other ransomware groups, notably exposed Remote Desktop Protocol (RDP) instances with weak passwords, to gain entry into ICS environments and spread the ransomware.

Sophos senior threat researcher Sean Gallagher said Snake has broadened the ransomware threat landscape.

“Ekans adds the additional dimension of attacking industrial control systems, so it places not just back-office but actual manufacturing and production operations at risk as well. While this capability in Ekans is somewhat limited, it could still be harmful to companies that have integrated IT and OT [operational technology] networks. The best way to prevent this is to keep industrial controls on a dedicated network, partitioned from corporate systems and the internet, and to protect all systems based on commercial operating systems with backups and endpoint protection,” Gallagher said.

Jim Walter, security researcher at SentinelOne, said that while Snake ransomware is unique because it’s designed for ICS, the exploitation methods used by threat actors are similar to those used by other traditional ransomware groups.

“Multiple SNAKE/EKANS campaigns have used exposed and vulnerable RDP servers as the delivery/entry point. Understanding where your ingress points are and hardening them appropriately is one step in the right direction. Any outward exposed host or service should be running the absolute minimum necessary services to decrease the attack surface,” Walter said via email.

Over the last year, and particularly during the pandemic, when remote-work rollouts put many more RDP endpoints directly on the internet, a number of threat actors and ransomware groups have set their sights on exploiting weak RDP deployments.

Walter also noted that Snake attacks are not “quick ‘in-and-out’ scenarios.” They can take weeks or months, and exfiltrating data before the ransomware is launched takes the most time, since criminal outfits can harvest terabytes of data depending on the target. “But this is also good news for defenders,” Walter explained. “If you have full visibility into the exposed ingress points, you can see these types of activities unfolding over time.”
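One concrete form of the ingress visibility Walter describes is watching RDP authentication on the exposed hosts themselves. The script below is an added example, not code from the article or from Sophos or SentinelOne. It reads Windows Security events 4625 (failed logon) and 4624 (successful logon), restricted to LogonType 10 (RemoteInteractive, i.e. RDP), from a simplified one-line key=value export whose layout is this example's own assumption, and reports each source IP that produced a burst of failures, noting separately whether a successful logon followed the burst. The sample events are constructed and use RFC 5737 test addresses.

```python
"""Flag RDP brute-force that ends in a working logon.

Added example, not code from the article or from Sophos/SentinelOne. It reads
Windows Security events 4625 (failed logon) and 4624 (successful logon) with
LogonType 10 (RemoteInteractive, i.e. RDP) from a simplified one-line
key=value export; that export layout is an assumption of this example.
"""
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Constructed sample events (RFC 5737 test addresses), not real telemetry.
SAMPLE_LOG = """\
2020-06-10T02:14:01 EventID=4625 LogonType=10 Account=administrator SrcIP=203.0.113.7
2020-06-10T02:14:03 EventID=4625 LogonType=10 Account=admin SrcIP=203.0.113.7
2020-06-10T02:14:06 EventID=4625 LogonType=10 Account=operator SrcIP=203.0.113.7
2020-06-10T02:14:09 EventID=4625 LogonType=10 Account=scada SrcIP=203.0.113.7
2020-06-10T02:14:12 EventID=4625 LogonType=10 Account=svc_backup SrcIP=203.0.113.7
2020-06-10T02:14:15 EventID=4624 LogonType=10 Account=svc_backup SrcIP=203.0.113.7
2020-06-10T08:02:40 EventID=4625 LogonType=10 Account=jsmith SrcIP=198.51.100.23
2020-06-10T08:02:51 EventID=4624 LogonType=10 Account=jsmith SrcIP=198.51.100.23
2020-06-10T11:30:00 EventID=4625 LogonType=10 Account=administrator SrcIP=192.0.2.44
2020-06-10T11:30:02 EventID=4625 LogonType=10 Account=administrator SrcIP=192.0.2.44
2020-06-10T11:30:04 EventID=4625 LogonType=10 Account=administrator SrcIP=192.0.2.44
2020-06-10T11:30:06 EventID=4625 LogonType=10 Account=administrator SrcIP=192.0.2.44
2020-06-10T12:00:00 EventID=4625 LogonType=3 Account=svc_sql SrcIP=192.0.2.99
2020-06-10T12:00:01 EventID=4625 LogonType=3 Account=svc_sql SrcIP=192.0.2.99
2020-06-10T12:00:02 EventID=4625 LogonType=3 Account=svc_sql SrcIP=192.0.2.99
2020-06-10T12:00:03 EventID=4625 LogonType=3 Account=svc_sql SrcIP=192.0.2.99
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"Account=(?P<acct>\S+) SrcIP=(?P<ip>\S+)$"
)
Event = namedtuple("Event", "ts event_id logon_type account src_ip")


def parse_events(text):
    """Parse the export; lines that do not match the assumed layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Event(datetime.fromisoformat(m["ts"]), int(m["eid"]),
                                int(m["lt"]), m["acct"], m["ip"]))
    return events


def _finding(status, failures, ev):
    """Summarise one run of failures (and the success that ended it, if any)."""
    return {
        "status": status,
        "failures": len(failures),
        "accounts": sorted({f.account for f in failures}),
        "first": failures[0].ts,
        "last": ev.ts,
        "success_account": ev.account if status == "compromised" else None,
    }


def detect_rdp_bruteforce(events, threshold=4, window=timedelta(minutes=10)):
    """Per source IP, look only at RDP logons (LogonType 10). A run of
    >= threshold failures inside `window` is reported as 'attempted'; if a
    4624 success from the same IP closes that run it becomes 'compromised'.
    A single failure before a success (a mistyped password) stays quiet."""
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.logon_type == 10 and ev.event_id in (4624, 4625):
            by_ip[ev.src_ip].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        failures = []  # failures still inside the sliding window
        for ev in evs:
            failures = [f for f in failures if ev.ts - f.ts <= window]
            if ev.event_id == 4625:
                failures.append(ev)
                # Never downgrade an IP that is already marked compromised
                if len(failures) >= threshold and \
                        findings.get(ip, {}).get("status") != "compromised":
                    findings[ip] = _finding("attempted", failures, ev)
            else:  # 4624: a success closes the current run of failures
                if len(failures) >= threshold:
                    findings[ip] = _finding("compromised", failures, ev)
                failures = []
    return findings


if __name__ == "__main__":
    for ip, f in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)).items():
        tail = f"; logged in as {f['success_account']}" if f["success_account"] else ""
        print(f"{ip}: {f['status']} after {f['failures']} failures "
              f"({', '.join(f['accounts'])}) between {f['first']} and {f['last']}{tail}")
```

The threshold and window are tuning knobs for the environment; LogonType 3 (network) failures are deliberately ignored here so that the report stays about the RDP ingress point, and the one-failure-then-success case from 198.51.100.23 is never reported. On a real host the same logic would run over a Security-log export or SIEM query instead of the constructed string, and a source marked compromised is the host where the weeks-long activity Walter describes would begin.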

Beyond this, Walter said, good cybersecurity hygiene goes a long way. He recommends users be highly critical when opening messages, following links and opening attachments, as email and phish delivery is “still the #1 method for distributing malware.”

By Alexander Culafi