{
	"id": "49703588-0a7a-44c3-bc37-7d2b71a30780",
	"created_at": "2026-04-06T00:11:10.642886Z",
	"updated_at": "2026-04-10T13:11:53.765377Z",
	"deleted_at": null,
	"sha1_hash": "881c82d3308f350bc621cbcc2496c8a8e9b1136e",
	"title": "New Snake Ransomware Adds Itself to the Increasing Collection of Golang Crimeware - SentinelLabs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1236482,
	"plain_text": "New Snake Ransomware Adds Itself to the Increasing Collection of\r\nGolang Crimeware - SentinelLabs\r\nBy Jim Walter\r\nPublished: 2020-01-23 · Archived: 2026-04-05 13:34:23 UTC\r\nWe are just about one month into 2020, and so far there has been no break in the ongoing flurry of new or varied ransomware campaigns. Amongst the well-established families (Ryuk, Maze, REvil) we now have another to add to the list: “Snake”.\r\nSentinelLabs has observed the Snake ransomware in targeted campaigns over the last month. While it has all the hallmarks of standard ransomware, a few traits make it stand out as more aggressive and more complex.\r\nSnake is written in Golang, as many recent ransomware families have been. Golang is an open-source programming language with a degree of cross-platform support, and those same properties are why some RaaS (Ransomware as a Service) offerings use it as well; Project Root is one example.\r\nUpon infection, relevant files are overwritten with encrypted data. Each modified file is also ‘tagged’ at the end of the file with the string “EKANS” (Snake backwards).\r\nIn addition, a string of random characters is appended to each modified file name, rather than a single, uniform extension. In theory this makes it harder to identify the specific ransomware family from file extensions alone; the “EKANS” trailer, not the extension, is the consistent on-disk marker.\r\nhttps://labs.sentinelone.com/new-snake-ransomware-adds-itself-to-the-increasing-collection-of-golang-crimeware/\r\nPage 1 of 5\n\nThe actual encryption is achieved with a mix of symmetric and asymmetric cryptography (AES-256 and RSA-2048). A symmetric key is required to encrypt and decrypt files; that symmetric key is in turn encrypted with the attacker’s public key. 
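Because the extension is randomized, the “EKANS” trailer (and the fixed ransom-note file name) is what a responder can sweep a file share for. The script below is an added example and is not code from the SentinelLabs write-up: it walks a directory tree, flags every file whose final five bytes are EKANS regardless of name, and separately lists files named Fix-Your-Files.txt. The sample tree it builds, including its file names and contents, is constructed for the demonstration and is not a real Snake artefact.

```python
import os
import tempfile

# Trailer the report says Snake appends to every file it encrypts
# ('EKANS' is 'Snake' backwards).
EKANS_TRAILER = b'EKANS'
# Ransom note name the report gives for the privileged-execution case.
RANSOM_NOTE_NAME = 'Fix-Your-Files.txt'


def has_ekans_trailer(path):
    '''Return True if the last bytes of the file are the EKANS tag.

    Only the tail of the file is read, so the check is cheap enough to
    run across a large share, and it does not depend on the file
    extension, which Snake randomizes.
    '''
    size = os.path.getsize(path)
    if size < len(EKANS_TRAILER):
        return False
    with open(path, 'rb') as fh:
        fh.seek(size - len(EKANS_TRAILER))
        return fh.read(len(EKANS_TRAILER)) == EKANS_TRAILER


def scan_tree(root):
    '''Walk root and report tagged files and ransom notes.

    Returns a dict with two sorted lists of paths relative to root:
    'tagged' for files carrying the EKANS trailer and 'notes' for files
    named like the ransom note.
    '''
    tagged = []
    notes = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if name.lower() == RANSOM_NOTE_NAME.lower():
                notes.append(rel)
                continue
            try:
                if has_ekans_trailer(full):
                    tagged.append(rel)
            except OSError:
                # Unreadable or vanished file: skip it rather than abort the sweep.
                continue
    return {'tagged': sorted(tagged), 'notes': sorted(notes)}


def build_sample_tree():
    '''Create a constructed directory for offline testing.

    Everything here is invented for this example: one file with the
    trailer and a random-looking suffix, one clean file, one file whose
    body merely contains the tag mid-stream, one file shorter than the
    tag, and a ransom note with the name the report gives.
    '''
    root = tempfile.mkdtemp(prefix='ekans-demo-')
    os.makedirs(os.path.join(root, 'share', 'docs'))
    samples = {
        os.path.join('share', 'docs', 'budget.xlsx.fgHk3'): b'ciphertext bytes' + EKANS_TRAILER,
        os.path.join('share', 'docs', 'readme.txt'): b'plain text, untouched',
        os.path.join('share', 'notes.txt'): b'mentions EKANS in the middle, not a tag',
        os.path.join('share', 'tiny.bin'): b'abc',
        os.path.join('share', RANSOM_NOTE_NAME): b'constructed note body',
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), 'wb') as fh:
            fh.write(body)
    return root


if __name__ == '__main__':
    demo_root = build_sample_tree()
    result = scan_tree(demo_root)
    for rel in result['tagged']:
        print('tagged:', rel)
    for rel in result['notes']:
        print('ransom note:', rel)
```

Run it against a mounted share or a forensic image mount instead of the demo tree; the tail-only read keeps it tolerable on large trees, and the ransom note match is by file name only, so the body of any hit should still be reviewed by hand.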
Decryption is only possible with possession of the attacker’s private key.\r\nThis construction, together with the key lengths (AES-256, RSA-2048), is intended to make third-party decryption difficult or impossible: absent an implementation flaw in how the keys are generated or handled, recovery without the private key is not feasible by brute force.\r\nThe malware excludes critical system files and folders from encryption. In parallel, it attempts to encrypt data on adjacent and available network resources. Current analysis indicates that any decryption purchased from the attacker covers the targeted network as a whole rather than individual files.\r\nAs with most modern ransomware, Snake attempts to remove the Volume Shadow Copies that the OS uses for backup. It also attempts to terminate various processes, apparently targeting those associated with SCADA platforms, enterprise management tools, system utilities and the like. Specifically targeted applications include VMware Tools, Microsoft System Center Operations Manager, Nimbus, Honeywell HMIWeb, FLEXnet, and more. A full list of the terminated processes is as follows:\r\nIf the threat is executed with administrative privileges, the ransom note is written to c:\\users\\public\\desktop\\Fix-Your-Files.txt. If administrative privileges are not present, the ransom note is written to an alternative location, c:\\users\\AppData\\Local\\VirtualStore (VirtualStore being the per-user location where UAC file virtualization redirects writes that an unprivileged process attempts to make to protected paths).\r\nThe ransom note gives fairly straightforward instructions on how the victim should proceed (according to the attacker). Rather than pointing to a web address for a payment address and further details, it instructs victims to make direct contact via email. Note the email address in the ransom note: “bapcocrypt @ ctemplar.com”. 
BAPCO (The Bahrain Petroleum Company) was the target of the recent ‘Dustman’ campaign, so there may well be a relationship between the Snake and ‘Dustman’ attacks.\r\nConclusion\r\nSnake, like other targeted ransomware campaigns, has the potential to do serious and critical damage to an infected environment. As always, stay aware and vigilant and defend environments aggressively against this type of attack. Part of that strategy comes down to properly choosing, deploying, and maintaining a modern endpoint protection technology; it is equally critical to have functional, well-tested backup procedures in place as part of wider business continuity and disaster recovery planning.\r\nReferences\r\nThanks to @VK_Intel and sysopfb for their insights about this ransomware.\r\nIndicators of Compromise (IOCs):\r\nSHA-256: e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60\r\nMITRE ATT\u0026CK: T1486 Data Encrypted for Impact\r\nSource: https://labs.sentinelone.com/new-snake-ransomware-adds-itself-to-the-increasing-collection-of-golang-crimeware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://labs.sentinelone.com/new-snake-ransomware-adds-itself-to-the-increasing-collection-of-golang-crimeware/"
	],
	"report_names": [
		"new-snake-ransomware-adds-itself-to-the-increasing-collection-of-golang-crimeware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434270,
	"ts_updated_at": 1775826713,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/881c82d3308f350bc621cbcc2496c8a8e9b1136e.pdf",
		"text": "https://archive.orkl.eu/881c82d3308f350bc621cbcc2496c8a8e9b1136e.txt",
		"img": "https://archive.orkl.eu/881c82d3308f350bc621cbcc2496c8a8e9b1136e.jpg"
	}
}