Snake: Industrial-focused Ransomware with Ties to Iran

28 Jan 2020

A Targeted Attack on Industrial Processes

Like most ransomware, Snake encrypts programs and documents on infected machines. Then, to prevent the encrypted files from being recovered from backup copies, Snake removes all shadow copies from infected stations, leaving victims no choice but to pay the ransom or lose the data. Lastly, and most importantly, Snake searches for hundreds of specific programs, including various Industrial Control System (ICS) processes, in order to terminate them so that it can encrypt their files.

Snake uses a termination list that is almost identical to that of the MegaCortex ransomware, first discovered in mid-2019. However, Snake focuses on hundreds of specific processes, many of which target ICSs. More specifically, a majority of the targeted ICS processes belong to General Electric (GE). This implies that any potential target of the attack is likely to run GE software in its network. OTORIO researchers found one very likely candidate: Bahrain’s leading national petroleum company, BAPCO. This was corroborated by the email address listed in Snake’s ransom message: [email protected].

Blinding the Operational Team

“The potential damage of a Snake attack is significant,” says Dor Yardeni, Head of Incident Response and Threat Hunting at OTORIO. “Deleting or locking targeted ICS processes would prohibit manufacturing teams from accessing vital production-related processes including analytics, configuration, and control. This is the equivalent of both blindfolding a driver and then taking away the steering wheel. For example, after leveraging issues in the host operating systems, EKANS could stop critical running processes and disable several different applications such as the GE Digital Proficy server.”

Iran – The Immediate Suspect

This is not the first time that BAPCO has fallen prey to a targeted cyberattack. Recently it was reported that Iranian state-sponsored hackers had deployed a data-wiping malware dubbed Dustman on BAPCO’s network. It is no coincidence that these two attacks come in close proximity to one another. Iran has targeted its neighbors’ industrial infrastructure more than once. Furthermore, Iran’s hackers are known to learn from the capabilities and actions of others and to copy and utilize them to their advantage. Using an already “proven” malware (i.e. MegaCortex) and honing it (to target ICSs) is a hallmark of the operating methods of Iranian hackers (see our most recent blog: “Why We Need to Prepare for an Iranian Attack on ICS”). This makes Iran not only the immediate suspect, but a highly likely one as well.


Technical details and findings:

As reported by MalwareHunterTeam and Vitali Kremez of SentinelLabs on January 8th, 2020, Snake is ransomware written in Golang that contains a certain level of obfuscation.
Snake removes Shadow Volume Copies and encrypts the computer’s files while skipping OS-related files.

Snake contains an encrypted list of approximately 1K processes for termination. After running the sample and reverse engineering its code, we decrypted the full list, which was most likely copied from the MegaCortex ransomware.


Image 1: Part of one of the decryption functions of Snake.

Snake's targeted processes include specific ICS processes that belong to GE solutions, such as the following:

ccflic0.exe
ccflic4.exe
ilicensesvc.exe
prlicensemgr.exe
prproficymgr.exe
prrds.exe
prrouter.exe
prconfigmgr.exe
prgateway.exe
pralarmmgr.exe
prftpengine.exe
preventmgr.exe
prreader.exe
prwriter.exe
prsummarymgr.exe
prstubber.exe
proficyserver.exe
proficypublisherservice.exe
proficy administrator.exe
proficyclient.exe
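The termination of these GE processes is itself a detectable precursor to encryption. The following is an added example, not part of OTORIO's analysis or tooling: a small detector that scans process-termination telemetry for a burst of kills matching the GE process names above. The log format, the 60-second window and the threshold of five processes are assumptions chosen for the example, and the sample lines are constructed.

```python
import re

# The 20 GE Proficy-related process names from Snake's termination list (as listed in the post).
GE_PROCESSES = frozenset({
    "ccflic0.exe", "ccflic4.exe", "ilicensesvc.exe", "prlicensemgr.exe",
    "prproficymgr.exe", "prrds.exe", "prrouter.exe", "prconfigmgr.exe",
    "prgateway.exe", "pralarmmgr.exe", "prftpengine.exe", "preventmgr.exe",
    "prreader.exe", "prwriter.exe", "prsummarymgr.exe", "prstubber.exe",
    "proficyserver.exe", "proficypublisherservice.exe",
    "proficy administrator.exe", "proficyclient.exe",
})

# Simplified log format assumed for this example: "<HH:MM:SS> <event> image=<path>".
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}) (\w+) image=(.+)$")

# Constructed sample telemetry: a burst of GE process terminations on one host.
SAMPLE_LOG = """\
09:59:30 ProcessCreate image=C:\\Windows\\System32\\svchost.exe
10:00:01 ProcessTerminate image=C:\\Program Files\\GE\\prproficymgr.exe
10:00:01 ProcessTerminate image=C:\\Program Files\\GE\\prrouter.exe
10:00:02 ProcessTerminate image=C:\\Program Files\\GE\\pralarmmgr.exe
10:00:02 ProcessTerminate image=C:\\Program Files\\GE\\prreader.exe
10:00:03 ProcessTerminate image=C:\\Program Files\\GE\\Proficy Administrator.exe
10:00:03 ProcessTerminate image=C:\\Program Files\\GE\\proficyclient.exe
10:03:10 ProcessTerminate image=C:\\Windows\\notepad.exe
"""

def parse(log_text):
    """Yield (seconds since midnight, event, lower-cased image basename) per well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the assumed format
        ts, event, image = m.groups()
        h, mi, s = (int(x) for x in ts.split(":"))
        yield h * 3600 + mi * 60 + s, event, image.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect_ics_kill_burst(log_text, window=60, threshold=5):
    """Return the GE processes killed inside the densest `window`-second span if >= threshold, else []."""
    kills = sorted((t, name) for t, ev, name in parse(log_text)
                   if ev == "ProcessTerminate" and name in GE_PROCESSES)
    best = []
    for i, (t0, _) in enumerate(kills):
        run = [name for t, name in kills[i:] if t - t0 <= window]
        if len(run) > len(best):
            best = run
    return best if len(best) >= threshold else []

if __name__ == "__main__":
    print("GE processes killed in burst:", detect_ics_kill_burst(SAMPLE_LOG))
```

A single ICS process stopping is routine on an engineering workstation; it is the burst of many of these processes dying within seconds that separates Snake-like behaviour from normal operations.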

Attribution conclusion:

The following reasons lead us to suspect that BAPCO was the main target of Snake:

  • The payment email address contains “BAPCO”
  • BAPCO uses GE equipment
  • Most of the ICS processes targeted by Snake belong to GE

An example of GE equipment that BAPCO had purchased: ogj.com

IOCs

Hash (SHA-256):
e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60

Mutex:
Global\EKANS

Mail address:
[email protected] (cleartext in the file)

Yara:
rule snake_related
{
    strings:
        // Go build path and source file names left in the binary
        $a = "c:/users/WIN1/go" ascii wide
        $b = "crypt.go" ascii wide
        $c = "pStop.go" ascii wide
        $d = "delVSS.go" ascii wide
        // victim-specific string present in the sample
        $e = "bapcocrypt" ascii wide

    condition:
        ($a) or ($e) or ($b and $c and $d)
}

Last update: Jan. 30, 2020