{
	"id": "4666120c-2f35-4261-937a-743a6491cb11",
	"created_at": "2026-04-06T00:07:30.513279Z",
	"updated_at": "2026-04-10T03:20:43.288397Z",
	"deleted_at": null,
	"sha1_hash": "98f7d7bfe72f75b23978831b3a8efd8206b2c97d",
	"title": "SNAKE Ransomware Is the Next Threat Targeting Business Networks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2841030,
	"plain_text": "SNAKE Ransomware Is the Next Threat Targeting Business Networks\r\nBy Lawrence Abrams\r\nPublished: 2020-01-08 · Archived: 2026-04-05 21:33:22 UTC\r\nSince network administrators didn't already have enough on their plate, they now have to worry about a new\r\nransomware called SNAKE that is targeting their networks and aiming to encrypt all of the devices connected to it.\r\nEnterprise targeting, or big-game hunting, ransomware are used by threat actors that infiltrate a business network, gather\r\nadministrator credentials, and then use post-exploitation tools to encrypt the files on all of the computers on the network.\r\nThe list of enterprise targeting ransomware is slowly growing and include Ryuk, BitPaymer, DoppelPaymer, Sodinokibi,\r\nMaze, MegaCortex, LockerGoga, and now the Snake Ransomware.\r\nhttps://www.bleepingcomputer.com/news/security/snake-ransomware-is-the-next-threat-targeting-business-networks/\r\nPage 1 of 7\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/snake-ransomware-is-the-next-threat-targeting-business-networks/\r\nPage 2 of 7\n\nVisit Advertiser websiteGO TO PAGE\r\nWhat we know about the Snake Ransomware\r\nSnake Ransomware was discovered by MalwareHunterTeam last week who shared it with Vitali Kremez to reverse engineer\r\nand learn more about the infection.\r\nBased on the analysis performed by Kremez, this ransomware is written in Golang and contains a much higher level of\r\nobfuscation than is commonly seen with these types of infections.\r\n\"The ransomware contains a level of routine obfuscation not previously and typically seen coupled with the targeted\r\napproach,\" Kremez, Head of SentinelLabs, told BleepingComputer in a conversation.\r\nWhen started Snake will remove the computer's Shadow Volume Copies and then kill numerous processes related to\r\nSCADA systems, virtual machines, industrial control systems, remote management tools, network management software,\r\nand more.\r\nIt then proceeds to 
encrypt the files on the device, while skipping any that are located in Windows system folders and\r\nvarious system files. The list of system folders that are skipped can be found below:\r\nwindir\r\nSystemDrive\r\n:\\$Recycle.Bin\r\n:\\ProgramData\r\n:\\Users\\All Users\r\n:\\Program Files\r\n:\\Local Settings\r\n:\\Boot\r\n:\\System Volume Information\r\n:\\Recovery\r\n\\AppData\\\r\nWhen encrypting a file, it will append a random 5 character string to the file's extension. For example, a file named 1.doc will\r\nbe encrypted and renamed like 1.docqkWbv.\r\nFolder of Encrypted Files\r\nIn each file that is encrypted, the SNAKE Ransomware will append the 'EKANS' file marker shown below. EKANS is\r\nSNAKE in reverse.\r\nEKANS File Marker\r\nBleepingComputer has tested many ransomware infections since 2013 and for some reason, it took Snake a particularly long\r\ntime to encrypt our small test box compared to many other ransomware infections. As this is targeted ransomware that is\r\nexecuted at the time of the attacker's choosing, this may not be that much of a problem as the encryption will most likely\r\noccur after hours.\r\nWhen done encrypting the computer, the ransomware will create a ransom note in the C:\\Users\\Public\\Desktop folder named\r\nFix-Your-Files.txt. This ransom note contains instructions to contact a listed email address for payment instructions. This\r\nemail address is currently bapcocrypt@ctemplar.com.\r\nSNAKE Ransom Note\r\nAs you can see from the language in the ransom note, this ransomware specifically targets the entire network rather than\r\nindividual workstations. 
They further indicate that any decryptor that is purchased will be for the network and not individual\r\nmachines, but it is too soon to tell if they would make an exception.\r\nThis ransomware is still being analyzed for weaknesses and it is not known if it can be decrypted for free. At this time,\r\nthough, it looks secure.\r\nIOCs:\r\nHash:\r\ne5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60\r\nRansom note text:\r\n--------------------------------------------\r\n| What happened to your files?\r\n--------------------------------------------\r\nWe breached your corporate network and encrypted the data on your computers. The encrypted data includes documents, databa\r\nall were encrypted using a military grade encryption algorithms (AES-256 and RSA-2048). You cannot access those files righ\r\nYou can still get those files back and be up and running again in no time.\r\n---------------------------------------------\r\n| How to contact us to get your files back?\r\n---------------------------------------------\r\nThe only way to restore your files is by purchasing a decryption tool loaded with a private key we created specifically fo\r\nOnce run on an effected computer, the tool will decrypt all encrypted files - and you can resume day-to-day operations, pr\r\nbetter cyber security in mind. 
If you are interested in purchasing the decryption tool contact us at bapcocrypt@ctemplar.c\r\n-------------------------------------------------------\r\n| How can you be certain we have the decryption tool?\r\n-------------------------------------------------------\r\nIn your mail to us attach up to 3 files (up to 3MB, no databases or spreadsheets).\r\nWe will send them back to you decrypted.\r\nAssociated file names:\r\nFix-Your-Files.txt\r\nSource: https://www.bleepingcomputer.com/news/security/snake-ransomware-is-the-next-threat-targeting-business-networks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/snake-ransomware-is-the-next-threat-targeting-business-networks/"
	],
	"report_names": [
		"snake-ransomware-is-the-next-threat-targeting-business-networks"
	],
	"threat_actors": [],
	"ts_created_at": 1775434050,
	"ts_updated_at": 1775791243,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/98f7d7bfe72f75b23978831b3a8efd8206b2c97d.pdf",
		"text": "https://archive.orkl.eu/98f7d7bfe72f75b23978831b3a8efd8206b2c97d.txt",
		"img": "https://archive.orkl.eu/98f7d7bfe72f75b23978831b3a8efd8206b2c97d.jpg"
	}
}