Original Post from CERT
Author: Kyle O’Meara
In January 2020, Sentinel Labs published two reports on Snake (also known as Ekans) ransomware. The Snake ransomware gained attention due to its ability to terminate specific industrial control system (ICS) processes. After reading the reports, I wanted to expand the corpus of knowledge and provide OT and IT network defenders with increased defense capabilities against Snake. The key takeaways from the Sentinel Labs’ reports for additional analysis were the hash of the ransomware and the string decoder script from sysopfb. Two questions I pursued were:
- Can I find more samples of the Snake ransomware?
- If yes, do these samples use the same string decoding process?
Discovering More Samples
By analyzing the code and applying a combination of using IDA, Pharos tools fn2hash and fn2yara, BigGrep, and the CERT/CC Malware Analysis and Storage System (MASS) repository, I was able to find one sample with a 100% function overlap with that of the known Snake ransomware sample. The hashes of these samples are shown in Table 1 in the Appendix. In reviewing my BigGrep search parameter, I realized I had potentially limited my search results. I expanded my search parameter and found two more candidate samples which are shown in Table 2 in the Appendix.
Decoding the Strings
The string decoder, further referred to as the config dumper, decoded the same strings from the new Snake ransomware sample that were also found in the original Snake ransomware sample. See the sysopfb link in the references section for complete decoded string list. Unfortunately, the config dumper did not return any results for the two new candidate samples.
Again, using IDA and Pharos tools fn2hash and fn2yara, I wanted to see how much code overlap there was with these four files from Table 1 and Table 2 in the Appendix. The two new candidate samples shared a 100% function overlap. When comparing these two files to the Snake ransomware samples, there was only a 50% function overlap. With a significant function overlap between all of the four files, why didn’t the config dumper work on the two new candidate samples?
Looking at the code further, I identified a 1-byte difference in the string decoding function in the new candidate samples versus the known Snake ransomware samples. I edited the config dumper and ran it on the new candidate samples. The modified config dumper was successful in decoding strings from the new candidate samples as shown in Table 3 in the Appendix.
The newly returned strings from the new candidate samples were different than those that were found in the known Snake ransomware samples. However, using the new config dumper, I successfully decoded new strings from the known Snake ransomware samples. These strings all appear to be host intrusion prevention system (HIPS) process and service names, as shown in Table 4 in the Appendix.
Summary of Findings
Through my additional analysis process, I discovered another Snake ransomware sample as well as new candidate samples. However, dynamic analysis demonstrated that these new candidate samples did not act like ransomware. Upon execution, the new candidates tried to establish a connection to IP address 18.222.249[.]59 on port 7777. Without allowing the candidate sample to establish a connection, I saw no further action from the candidate samples. The assumption is that the Snake ransomware and the new candidate samples are potentially created by a similar actor, given the large code overlap as well as the nearly identical string decoding routine.
I created a YARA rule to identify samples that contain a similar string decoding function, as shown in Table 5 in the Appendix.
I also developed an updated config dumper which decodes the new set of strings. This config dumper is available upon request.
In another report, Dragos highlights that the Snake ransomware terminate process list is similar to the list found in the MegaCoretx ransomware. My analysis uncovered an additional 252 decoded strings related to HIPS processes that the Snake ransomware attempts to terminate. These 252 processes are found in the 1104 processes list in the Accenture Security MegaCortex ransomware report. However, after completing similar analyses, as mentioned above, as well as testing known YARA rules, I found that the Snake and MegaCortex ransomwares shared no code overlap. I believe it is a matter of coincidence that there is an overlap in this process list. The possible reasons for this coincidence could include that the Snake ransomware took information from the Accenture report on MegaCortex or used the published curated open source HIPS process list.
I have provided more samples, a YARA rule, new config dumper, and new decoded data (see the tables in the Appendix). This information, in addition to previous industry analyses, will allow for network defenders in the OT and IT space to increase their defense capabilities against the Snake ransomware.
Table 1: Snake Ransomware Hashes
Table 2: New Candidate Hashes
Table 3: Decoded Strings from New Candidate Samples
Table 4: New Decoded Strings from Snake Ransomware Samples
Table 5: Snake Ransomware YARA Rule
Go to Source
Author: Kyle O’Meara