{
	"id": "716f6dda-3f87-471a-a78c-c7169d57d6a8",
	"created_at": "2026-04-06T01:32:06.271108Z",
	"updated_at": "2026-04-10T13:11:56.200988Z",
	"deleted_at": null,
	"sha1_hash": "ca7184fab9347f7452c1cca29a1d9f7c9233a3f0",
	"title": "The Snake Attacks Holding the Industrial Sector Ransom",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 708836,
	"plain_text": "The Snake Attacks Holding the Industrial Sector Ransom\r\nBy Maxim Smoliansky\r\nPublished: 2020-06-29 · Archived: 2026-04-06 00:06:05 UTC\r\nFor years, ransomware attacks have been a significant threat to any organization, no matter its size, field of expertise, yearly revenue or geographical location. The year 2020 is no exception. Ransomware attacks have become more sophisticated, the crews operating them have learned how to take better advantage of their presence in the victim’s network, and new ransomware strains have been brought into the world to wreak havoc and make their creators rich.\r\nOne such ransomware is Snake (aka Ekans). It became well known in January after its first sample was uploaded to VirusTotal. The initial sample, found by the MalwareHunterTeam crew, raised a lot of concern because the malware was designed to kill computer processes related to Industrial Control Systems, implying that it was built with victims from the industrial sector in mind. Unfortunately, this concern was justified: after a few months of relative silence, Snake operators deployed the ransomware in a series of targeted and devastating attacks. The crescendo was an attack on the Japanese car manufacturer Honda on June 8th, an attack that made Honda’s operations in Japan and Europe grind to a halt.\r\nFortunately, Deep Instinct prevents all versions of Snake ransomware. 
The ransomware is prevented pre-execution, using Deep Instinct’s deep learning-based static prevention engine, and on-execution, using advanced ransomware behavioral protection.\r\nMoreover, Deep Instinct’s unique deep learning approach ensured Snake ransomware was prevented with a version of our prediction model (D-Brain) that was released over a year before the malware’s release.\r\nWatch the demo of how Deep Instinct prevents Snake Ransomware\r\nhttps://www.deepinstinct.com/2020/06/29/the-snake-attacks-holding-the-industrial-sector-ransom/\r\nPage 1 of 7\n\nLess is More\r\nSnake joins Maze, DoppelPaymer, Ako, and others in the lucrative group of ransomware families that target corporations. Instead of relying on sporadic means of distribution, in which the quantity of infections is more important than the “quality” of each infection, Snake chooses specific targets in the corporate world so that each infection will yield much more revenue.\r\nThe goal of such ransomware is much more ambitious. Instead of encrypting one machine and demanding a ransom for its contents, they strive to encrypt all the workstations connected to a network. The ransomware takes the time to explore the environment’s topology and critical systems, exploiting vulnerabilities, stolen credentials, and poor security hygiene to propagate through the network. The ransom for decrypting all the machines in a corporate network can be millions of dollars, compared to “just” thousands of dollars for an infection of a single workstation.\r\nSnake also belongs to a more niche part of the ransomware world. Together with MegaCortex, Snake contains a list of ICS-related processes to stop before encryption. 
Killing these processes allows the ransomware to encrypt the files these programs use and deny the target access to its production-related assets, thus inflicting much greater damage and increasing the likelihood of ransom payment.\r\nThe Subtle Serpent\r\nThese three alleged Snake ransomware attacks have become public:\r\nAn attack on the largest private hospital in Europe, Fresenius, on May 6th.\r\nThe Italian energy company Enel, which operates in several parts of Europe, on June 7th.\r\nThe Japanese car manufacturer Honda on June 8th.\r\nAccording to several sources, there are possibly more that were kept secret.\r\nAlthough it is currently unclear how it found its way into the networks of its victims, the bad security practices shown in the tweet below might give us a hint.\r\nThis screenshot shows computers belonging to Honda and Enel with RDP services openly exposed and accessible from the Internet. An exposed RDP port might be easily exploited using a vulnerability or a brute-force attack. Other means might have been used by the threat actors, such as phishing attacks, malicious documents or previous malware infections, potentially with several of them used together. It is also unknown which specific actions the malicious actors performed before initiating the encryption process. But we do know, based on the images published by the Snake crew, that in the case of Fresenius, the data was exfiltrated before being encrypted.\r\nCredit: BleepingComputer.com\r\nSnake executables are 3-4MB, unsigned, 32-bit EXE files written in the Go programming language.\r\nThere are several Snake samples publicly available. 
We chose to focus on the sample that was allegedly used in the attack on Honda (SHA256: d4da69e424241c291c173c8b3756639c654432706e7def5025a649730868c4a1) and was initially uploaded to VirusTotal with the name nmon.exe, which may indicate the name the attackers chose.\r\nUpon execution, the ransomware will make sure that it is being run only once by using a mutex named “EKANS”. Then, it will try to verify that it is running in the victim’s network by trying to resolve Honda’s internal domain name mds.honda.com using DNS and NetBIOS. In the case of Enel the domain name is enelint.global.\r\nIf the resolution is unsuccessful, the ransomware will exit without encrypting anything. Editing the Windows hosts file in order to provide Snake with a random IP address will not yield any results, which indicates that the malware is not only checking the availability of the domain but also expects it to have a specific IP address.\r\nLooking for the domain name in the strings the malware stores in the computer’s RAM, we were able to see what seemed to be an IP address, 170[.]108.71.153 or 170[.]108.71.15. We were then able to run the malware using the IP address 170[.]108.71.15 as the resolution for the domain.\r\nBefore initiating the encryption, Snake will use the Windows firewall to block any incoming and outgoing network connections on the victim’s machine that aren’t configured in the firewall. The Windows built-in netsh tool will be used for this purpose.\r\nDisconnected from the outside world, Snake will kill the hardcoded processes that may interfere with the encryption. 
This list contains processes related to the industrial world and several security and backup solutions.\r\nOnce all the preparations are completed, the ransomware can initiate the encryption process.\r\nExcluding several system-critical folders and files, all files with extensions included in Snake’s hardcoded list are encrypted. The list includes document, virtualization, database, and archive extensions, among others.\r\nEvery encrypted file will have a random five-character string appended to its extension and the word EKANS appended to the end of the file. For example, our encrypt_me.txt file was renamed to encrypt_me.txtDwtwx and the word “EKANS” was added to the end of the encrypted content.\r\nAfter all files have been encrypted, netsh is called again in order to disable the firewall.\r\nAccording to several reports, once the encryption is finished a ransom note should be dropped to the C drive and the desktop. In our case, after running the malware several times with different configurations, it didn’t write the ransom note to the disk.\r\nConclusion\r\nThe concept of ransomware is rather simple - you encrypt your victims’ files and wait for them to pay. Although this concept hasn’t changed in recent years, ransomware attacks have become more and more sophisticated and targeted, as we witness the gradual change in the priorities, tactics and scale of attacks.\r\nIf the attackers are changing their modus operandi, we should change the way we think about ransomware attacks. We should think of the ransomware itself as part of a bigger attack. The attackers might have been present on the network for a while, stealing confidential data that will later be sold to the highest bidder; they might even remain there after the ransomware attack is successful. 
Ransomware is not just an attack on data, but also an attack on confidentiality, the privacy of customers, financial status and company reputation.\r\nSnake ransomware possesses all the above in a single executable. It is also an example of ransomware operators’ entrance into the industrial domain that was previously dominated by state-sponsored APT groups.\r\nWe should presume that the ever-growing greed of ransomware creators and operators will drive them to choose bigger and bigger targets, with an emphasis on critical infrastructure as their victims.\r\nIOCs\r\nSource: https://www.deepinstinct.com/2020/06/29/the-snake-attacks-holding-the-industrial-sector-ransom/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.deepinstinct.com/2020/06/29/the-snake-attacks-holding-the-industrial-sector-ransom/"
	],
	"report_names": [
		"the-snake-attacks-holding-the-industrial-sector-ransom"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439126,
	"ts_updated_at": 1775826716,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ca7184fab9347f7452c1cca29a1d9f7c9233a3f0.pdf",
		"text": "https://archive.orkl.eu/ca7184fab9347f7452c1cca29a1d9f7c9233a3f0.txt",
		"img": "https://archive.orkl.eu/ca7184fab9347f7452c1cca29a1d9f7c9233a3f0.jpg"
	}
}