{
	"id": "97b1e0fd-b57b-4988-bca7-25a0debba564",
	"created_at": "2026-04-06T00:07:41.701307Z",
	"updated_at": "2026-04-10T13:11:54.88589Z",
	"deleted_at": null,
	"sha1_hash": "eeb044cb8101b166132ba265577e9178940579aa",
	"title": "Targeted attacks on industrial companies using Snake ransomware (updated) | Kaspersky ICS CERT EN",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 141483,
	"plain_text": "Targeted attacks on industrial companies using Snake ransomware\r\n(updated) | Kaspersky ICS CERT EN\r\nBy Kaspersky ICS CERT Team\r\nPublished: 2020-06-17 · Archived: 2026-04-05 18:06:36 UTC\r\nAccording to Kaspersky ICS CERT data, a number of industrial companies are currently experiencing targeted\r\nattacks involving the Snake encryption ransomware.\r\nOn June 8, 2020 issues were reported which affected the computer networks of Honda, a Japanese motorcycle and\r\nauto manufacturer, in Europe and Japan. Specifically, it was announced that Honda Customer Service and Honda\r\nFinancial Services were experiencing technical difficulties. Information security experts believe that, in all\r\nlikelihood, one of the company’s servers was infected with Snake (EKANS) ransomware.\r\nA sample of the Snake malware discovered by some researchers on VirusTotal checked for Honda’s domain name,\r\n“mds.honda.com” (which is probably used on the company’s internal network). If the domain name cannot be\r\nresolved (i.e., if the corresponding IP address cannot be determined), the ransomware terminates without\r\nencrypting any files. According to the researchers, this could indicate that the attackers’ activity is targeted.\r\nKaspersky ICS CERT experts used their own telemetry data to identify other samples that were similar to the\r\nsample uploaded to VirusTotal. Based on the findings of our research:\r\n1. The malware was launched using a “nmon.bat” file detected by Kaspersky products in domain policy script\r\nfolders.\r\n2. The only difference between all of the Snake samples identified is the domain name and IP address\r\nembedded in the code.\r\n3. The IP address embedded in the malware code is compared with the IP address resolved from the domain\r\nname, if the malware was able to resolve it.\r\n4. The malware encrypts data only if the IP address embedded in the malware code matches the IP address\r\nresolved from the domain name that is also embedded in the malware code.\r\n5. The IP address and domain name combination embedded in the malware code is unique for each attack we\r\nhave identified and is apparently valid for the internal network of the organization targeted by that specific\r\nattack.\r\n6. In some cases, the domain names may have been obtained from public sources (DNS), while information\r\non IP addresses associated with these domain names is apparently stored on internal DNS servers and is\r\nonly available when sending DNS requests from the victim organizations’ internal networks.\r\n7. In addition to the domain name and IP address of the organization under attack, which are embedded into\r\nthe malware code, new Snake samples are different from those identified in December 2019 in that they\r\ninclude an extended list of file extensions (types) that the malware should encrypt. The new samples\r\ninclude extensions for virtual drive files, Microsoft Access, source code in С/C#/ASP/JSP/PHP/JS, as well\r\nhttps://ics-cert.kaspersky.com/alerts/2020/06/17/targeted-attacks-on-industrial-companies-using-snake-ransomware/\r\nPage 1 of 5\n\nas the corresponding files of projects/solutions and other extensions that were unsupported by earlier\r\nsamples.\r\nThe results of our research clearly indicate that the attackers carry out multistage hacker attacks, each attack\r\ntargeting a specific organization. Encrypting files using Snake is the final stage of these attacks.\r\nEach Snake sample was apparently compiled after the attackers had gained the knowledge of the relevant domain\r\nname and its associated IP address on the company’s internal network. In the malware samples analyzed, the IP\r\naddress and domain name are stored as strings. This means that the executable file cannot be easily changed\r\n(patched) after compilation because the length of these strings varies.\r\nClearly, checking that the domain name matches the IP address is a technique designed to prevent the malware\r\nfrom running outside the local network for which the sample was created.\r\nIt is most likely that the attackers used domain policies to spread the ransomware across the local network. In that\r\ncase, they had access to the domain administrator’s account, compromised in the attack’s earlier stages.\r\nIt is known that, in addition to Honda, victims include power company Enel Group. According to Kaspersky ICS\r\nCERT data, attack targets also include a German company that supplies its products to auto makers and other\r\nindustrial manufacturers and a German manufacturer of medical equipment and supplies. Apparently, other auto\r\nmakers and manufacturing companies have also been attacked: similar Snake samples have been detected on\r\ncomputers in China, Japan and Europe. We believe the attack may have gone beyond the victims’ IT systems.\r\nSpecifically, in one case, the malware was detected and blocked on the video surveillance server of an\r\norganization attacked in China.\r\nAll malware samples were proactively blocked by Kaspersky products using the heuristic signature Trojan-Ransom.Win32.Snake.a, which was created using the original Snake sample that appeared in December 2019.\r\nIt is worth reminding that an important distinguishing feature of Snake is that it targets, among other things,\r\nindustrial automation systems – specifically that it is designed to encrypt files used by General Electric ICS. This\r\nis evidenced by the fact that the malware attempts to terminate the processes of General Electric software before\r\nstarting the file encryption process.\r\nAttacks similar to those described above continue. If you have encountered an attack of this kind, you can report it\r\nvia a special form on our website.\r\nJuly 7, 2020 update\r\nOur hypothesis that the attackers used the attacked company’s domain controller to spread the ransomware across\r\nthe local network is supported by one more curious fact.\r\nThe malware checks the domain role of the computer on which it is running. If the computer has the domain\r\ncontroller role (DomainController), the function returns the value “1”.\r\nhttps://ics-cert.kaspersky.com/alerts/2020/06/17/targeted-attacks-on-industrial-companies-using-snake-ransomware/\r\nPage 2 of 5\n\nIf the function that checks the attacked computer’s domain role returns “1” (i.e., the computer has the role of a\r\nprimary or backup domain controller), the function that calls it returns “0”. This results in the malware terminating\r\nwithout performing any encryption. The calling function also checks whether the domain’s IP address matches the\r\nhard-coded IP address.\r\nhttps://ics-cert.kaspersky.com/alerts/2020/06/17/targeted-attacks-on-industrial-companies-using-snake-ransomware/\r\nPage 3 of 5\n\nThis means that if, as we believe, the attackers used the domain controller to spread the malware across the\r\nvictim’s local network, the domain controller exclusion logic described above would certainly work for them,\r\nsince they needed the domain controller to be operational and unencrypted.\r\nRecommendations\r\nTo identify traces of an attack and prevent possible damage, Kaspersky ICS CERT recommends:\r\nUsing the indicators of compromise provided to identify infections on Windows workstations and servers;\r\nChecking active domain policies and scripts for malicious code;\r\nChecking active tasks in the Windows Task Scheduler on workstations and servers for malicious code;\r\nChanging the passwords of all accounts in the domain administrator group.\r\nIndicators of compromise\r\nMD5\r\nED3C05BDE9F0EA0F1321355B03AC42D0\r\n7DDB09DB3FB9B01FA931C2A1A41E13E1\r\nC547141B8A690EEE313C0F6CE6B5CCA6\r\n47EBE9F8F5F73F07D456EC12BB49C75D\r\nD659325EA3491708820A2BEFFE9362B8\r\nC7C39967E16500C37638AB24F1BB3FF9\r\nF58A00D132205045F8AA4C765239301F\r\nD1277A10494B5D2D5B21B2488C650D3A\r\nhttps://ics-cert.kaspersky.com/alerts/2020/06/17/targeted-attacks-on-industrial-companies-using-snake-ransomware/\r\nPage 4 of 5\n\n1E296139AF94AFC2F6002969E8EA750E\r\nE52927F8E4A22B4D9FD463637A8696EE\r\n6DDD81BE14DFC8354AEB63220CFE112E\r\nDC68AE3CC7BDB1EC80C72FC9F0E93255\r\nFile names\r\nnmon.exe\r\nnmon.bat\r\nKB3020369.exe\r\nKB[7 random numbers].exe\r\nFolders in which malicious objects can be located\r\n%WinTemp%\r\nsysvol[domain name]scripts\r\nSource: https://ics-cert.kaspersky.com/alerts/2020/06/17/targeted-attacks-on-industrial-companies-using-snake-ransomware/\r\nhttps://ics-cert.kaspersky.com/alerts/2020/06/17/targeted-attacks-on-industrial-companies-using-snake-ransomware/\r\nPage 5 of 5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://ics-cert.kaspersky.com/alerts/2020/06/17/targeted-attacks-on-industrial-companies-using-snake-ransomware/"
	],
	"report_names": [
		"targeted-attacks-on-industrial-companies-using-snake-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434061,
	"ts_updated_at": 1775826714,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/eeb044cb8101b166132ba265577e9178940579aa.pdf",
		"text": "https://archive.orkl.eu/eeb044cb8101b166132ba265577e9178940579aa.txt",
		"img": "https://archive.orkl.eu/eeb044cb8101b166132ba265577e9178940579aa.jpg"
	}
}