Also known as: Ekans, Snakehouse
Category: Malware
Type: Ransomware
Platform: Industrial control systems (ICS)
Damage potential: Data encryption, ransom demands, operational disruption, damage to reputation, compliance and legal issues
Overview
Snake ransomware, also known as Ekans, is malicious software for Windows hosts that is notable for targeting industrial control systems (ICS). Before it encrypts anything, it stops a list of processes that includes SCADA (Supervisory Control and Data Acquisition) servers, HMIs and other ICS software, so that their files can be encrypted and the process they supervise is interrupted. These systems manage and automate processes in many sectors, such as manufacturing, energy and infrastructure.
Apart from that ICS-specific process list, Snake behaves like any other ransomware once it is on a system: it encrypts files and demands a ransom.
Possible symptoms
The most obvious signs of Snake ransomware are files that no longer open, renamed files with characters appended to their extensions, and a ransom note titled “Fix-Your-Files.txt”. Before the encryption you may also notice failed login attempts (often against RDP), ICS or SCADA applications stopping unexpectedly, and performance problems, such as:
- An unusual spike in network traffic or disk activity
- A burst of file modifications and renames across shares, or unexpected database activity
- Slower computer performance
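The following Python script is an added example, not tooling from the page or from any vendor analysis, showing how an incident responder could sweep a copied or mounted file tree for the symptoms listed above. The ransom note name comes from the text; the five-character extension suffix, the trailing EKANS marker, the KNOWN_EXTENSIONS list and the review ratio are assumptions standing in for your own indicators and should be adjusted to what you observe on your hosts. The sample tree it builds is constructed data.

```python
import os
import tempfile

RANSOM_NOTE = "Fix-Your-Files.txt"   # note name given in the text above
FOOTER_MARKER = b"EKANS"             # assumption: marker appended to encrypted files
SUFFIX_LEN = 5                       # assumption: random characters appended to the extension
# Assumption: extensions you expect on the hosts being triaged; extend for your estate.
KNOWN_EXTENSIONS = {"txt", "csv", "pdf", "doc", "docx", "xls", "xlsx", "dwg",
                    "acd", "l5x", "hmi", "mer", "db", "log", "bak", "zip"}


def suffixed_original_extension(filename):
    """Return the original extension when `filename` looks like <name>.<ext><SUFFIX_LEN chars>,
    i.e. a known extension with exactly SUFFIX_LEN characters glued on; None otherwise."""
    base, dot, ext = filename.rpartition(".")
    if not dot or not base or ext.lower() in KNOWN_EXTENSIONS:
        return None
    for known in KNOWN_EXTENSIONS:
        if ext.lower().startswith(known) and len(ext) == len(known) + SUFFIX_LEN:
            return known
    return None


def has_encryption_footer(path):
    """True when the last bytes of the file equal FOOTER_MARKER (content-based, name-independent)."""
    with open(path, "rb") as fh:
        fh.seek(0, os.SEEK_END)
        size = fh.tell()
        if size < len(FOOTER_MARKER):
            return False
        fh.seek(size - len(FOOTER_MARKER))
        return fh.read() == FOOTER_MARKER


def triage_tree(root):
    """Walk `root` and collect the three indicators into a summary dict."""
    summary = {"files": 0, "ransom_notes": [], "suffixed": [], "footer": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                summary["ransom_notes"].append(path)
                continue
            summary["files"] += 1
            if suffixed_original_extension(name):
                summary["suffixed"].append(path)
            if has_encryption_footer(path):
                summary["footer"].append(path)
    return summary


def verdict(summary, rename_ratio=0.2):
    """Combine indicators: a note plus encrypted-looking files is a strong match; a large
    share of renamed or marked files without a note still warrants review (ratio is an assumption)."""
    encrypted = set(summary["suffixed"]) | set(summary["footer"])
    if summary["ransom_notes"] and encrypted:
        return "likely-snake"
    if summary["files"] and len(encrypted) / summary["files"] >= rename_ratio:
        return "mass-rename-review"
    return "no-indicators"


def build_sample_tree():
    """Constructed sample data: one untouched engineering share and one HMI station
    hit by the ransomware. Returns (root, clean_dir, hit_dir)."""
    root = tempfile.mkdtemp(prefix="snake-triage-")
    clean = os.path.join(root, "engineering")
    hit = os.path.join(root, "hmi-station")
    os.makedirs(clean)
    os.makedirs(hit)
    samples = {
        os.path.join(clean, "line3.acd"): b"PLC project bytes",
        os.path.join(clean, "notes.txt"): b"plain notes",
        os.path.join(hit, RANSOM_NOTE): b"constructed ransom note text\n",
        os.path.join(hit, "schedule.xlsxQwErT"): b"\x8f\x12\x77ciphertext" + FOOTER_MARKER,
        os.path.join(hit, "overview.hmiAbCdE"): b"\x01\xfe\x45ciphertext" + FOOTER_MARKER,
        os.path.join(hit, "readme.txt"): b"left alone",
    }
    for path, content in samples.items():
        with open(path, "wb") as fh:
            fh.write(content)
    return root, clean, hit


if __name__ == "__main__":
    root, clean, hit = build_sample_tree()
    for target in (clean, hit):
        summary = triage_tree(target)
        print(f"{target}: {verdict(summary)} "
              f"(notes={len(summary['ransom_notes'])}, suffixed={len(summary['suffixed'])}, "
              f"footer={len(summary['footer'])})")
```

Run it against a read-only mount or a forensic copy rather than the live host, so that the sweep itself does not alter timestamps the investigation may need. The footer check catches files the name heuristic misses (unknown original extensions), and the name heuristic catches files whose contents you cannot read, which is why the verdict combines both with the ransom note.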
Sources of infection
Snake ransomware typically enters networks through exposed or poorly secured Remote Desktop Protocol (RDP) services, such as internet-facing RDP with weak passwords and no multi-factor authentication, or through unpatched software. In other cases, phishing attacks or an earlier trojan infection deliver Snake ransomware into networks.
Protection
Snake ransomware targets industrial control systems and the corporate networks around them, so these protection methods are mainly for businesses rather than individuals.
- Close all unnecessary Remote Desktop Protocol (RDP) ports. Do not expose the ones you keep directly to the internet: put them behind a VPN or an allowlist of source addresses, require Network Level Authentication, and enforce strong passwords and account lockout.
- Use complex passwords and multi-factor authentication.
- Back up PLC programs, HMI projects, historian data and other manufacturing command files. Keep copies offline or otherwise unreachable from the production network, and test that they restore.
- Divide your network into segments. This way, you can limit the damage in case of an infection.
- Monitor networks for suspicious activity, such as increased bandwidth, bursts of failed RDP logins, or unauthorized access attempts.
- Install reputable antivirus software and keep it updated.
- Implement strict user access control. Only allow users to access the data they need for their work.
- Have regular security audits to identify vulnerabilities on your network.
- Educate employees on good cybersecurity practices.
- Prepare a detailed incident-response plan.
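As an added example that is not from the page or from any vendor, the following Python detector implements the monitoring bullet above for the RDP entry vector described under "Sources of infection": it reads a constructed export of Windows Security logon events (assumed field layout: timestamp, event ID, logon type, account, source IP) and raises an alert when one source address produces a burst of failed RDP logons, then again if that address later logs on successfully. Event IDs 4625/4624 and logon type 10 (RemoteInteractive) are the standard Windows values; the threshold, window and field layout are assumptions to tune for your SIEM, and the log lines are constructed, not captured.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export of Windows Security events (not real logs):
# timestamp, event ID, logon type, account, source IP.
# 4625 = failed logon, 4624 = successful logon; logon type 10 = RemoteInteractive (RDP).
# The fourth line is a network logon (type 3) and must be ignored by an RDP rule;
# 198.51.100.9 has two failures more than an hour apart, which is not a burst.
SAMPLE_EVENTS = """\
2024-03-02T01:14:05,4625,10,Administrator,203.0.113.77
2024-03-02T01:14:09,4625,10,admin,203.0.113.77
2024-03-02T01:14:13,4625,10,operator,203.0.113.77
2024-03-02T01:15:01,4625,3,operator,203.0.113.77
2024-03-02T01:15:20,4625,10,scada,203.0.113.77
2024-03-02T01:16:02,4625,10,hmi,203.0.113.77
2024-03-02T01:16:40,4625,10,svc_hmi,203.0.113.77
2024-03-02T01:17:55,4624,10,svc_hmi,203.0.113.77
2024-03-02T01:20:00,4625,10,engineer,198.51.100.9
2024-03-02T02:31:00,4625,10,engineer,198.51.100.9
2024-03-02T02:35:00,4624,10,engineer,10.20.0.5
"""

RDP_LOGON_TYPE = 10
FAILED_LOGON, SUCCESSFUL_LOGON = 4625, 4624


def parse_events(text):
    """Parse the assumed CSV layout into dicts, sorted by time so the window logic is valid."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, logon_type, account, source_ip = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "event_id": int(event_id),
                       "logon_type": int(logon_type), "account": account,
                       "source_ip": source_ip})
    return sorted(events, key=lambda e: e["ts"])


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window detector. Alerts once per source IP when `threshold` RDP logon
    failures fall inside `window`, and again when that IP later logs on successfully
    (the pattern behind a credential-guessing entry). Threshold and window are assumptions."""
    recent_failures = defaultdict(deque)   # source IP -> timestamps of failures in window
    flagged = set()
    alerts = []
    for e in events:
        if e["logon_type"] != RDP_LOGON_TYPE:
            continue
        ip = e["source_ip"]
        failures = recent_failures[ip]
        while failures and e["ts"] - failures[0] > window:
            failures.popleft()            # drop failures that fell out of the window
        if e["event_id"] == FAILED_LOGON:
            failures.append(e["ts"])
            if len(failures) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"rule": "rdp-bruteforce", "source_ip": ip,
                               "ts": e["ts"], "account": e["account"]})
        elif e["event_id"] == SUCCESSFUL_LOGON and ip in flagged:
            # Any later success from a flagged address is reported; the account it
            # landed on is the one to disable and investigate first.
            alerts.append({"rule": "rdp-bruteforce-success", "source_ip": ip,
                           "ts": e["ts"], "account": e["account"]})
    return alerts


if __name__ == "__main__":
    for a in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(f"{a['ts'].isoformat()}  {a['rule']:24}  {a['source_ip']:15}  {a['account']}")
```

The success-after-burst alert is the one worth paging on: a burst of failures alone is background noise on any internet-facing RDP service, but a success from the same address is the moment the ransomware's operator has a foothold, and it arrives before any file is encrypted.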
Removal
If you suspect that your system is infected, you need to act quickly:
- Isolate the infected device by disconnecting it from the internet and your network. In an ICS environment, do this in a controlled way so that the physical process it supervises stays in a safe state.
- Use reliable antivirus software to detect and remove the ransomware.
- Restore files from a clean backup, after confirming that the backup itself was not reachable from the infected host.
- Update all passwords, especially for any account with RDP access, and check security settings.
Keep in mind that antivirus software is more effective at preventing malware than at removing it. If the infection persists or you can’t restore your files, you should get professional help.