Snake ransomware

Also known as: Ekans, Snakehouse

Category: Malware

Type: Ransomware

Platform: Industrial control systems (ICS)

Damage potential: Data encryption, ransom demands, operational disruption, damage to reputation, compliance and legal issues


Snake ransomware, or Ekans, is malicious software that exclusively targets industrial control systems (ICS) that use the SCADA (Supervisory Control and Data Acquisition) protocol. These systems manage and automate processes in many sectors, such as manufacturing and infrastructure.

While unique in its target, Snake is like any other ransomware once on a system — it encrypts files and asks for a ransom.

Possible symptoms

The most obvious signs of Snake ransomware are encrypted files and a ransom note titled “Fix-Your-Files.txt”. You may also notice changes in file extensions, failed login attempts, or performance-related issues, such as:

  • An unusual spike in network traffic or disk activity
  • Unexpected increase in database activity, like mass file changes
  • Slower computer performance
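
A host-side triage check for two of the symptoms above, added here as an example (it is not part of the original page or of any vendor tool): it searches a directory tree for the ransom note by name and flags directories where most files were rewritten in one short burst. The function names, thresholds and the use of modification times are assumptions; legitimate bulk operations such as restores or deployments will also trip the burst check.

```python
import os
import time

RANSOM_NOTE = "fix-your-files.txt"  # note title from this page, lower-cased

def max_burst(mtimes, window_s):
    """Largest number of timestamps that fall inside any window_s-long span."""
    mtimes = sorted(mtimes)
    best = lo = 0
    for hi, t in enumerate(mtimes):
        while t - mtimes[lo] > window_s:
            lo += 1
        best = max(best, hi - lo + 1)
    return best

def triage(root, window_s=600, lookback_s=86400, ratio=0.8, min_files=5, now=None):
    """Return (note_paths, burst_dirs) for the tree under root.

    burst_dirs maps a directory to the fraction of its files rewritten in one
    window_s burst during the last lookback_s seconds (thresholds are assumed).
    """
    now = time.time() if now is None else now
    notes, bursts = [], {}
    for dirpath, _dirs, files in os.walk(root):
        recent, total = [], 0
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() == RANSOM_NOTE:
                notes.append(path)
                continue  # the note itself is not a data file
            try:
                mtime = os.stat(path, follow_symlinks=False).st_mtime
            except OSError:
                continue  # file vanished or is unreadable; skip it
            total += 1
            if now - mtime <= lookback_s:
                recent.append(mtime)
        if total >= min_files:
            frac = max_burst(recent, window_s) / total
            if frac >= ratio:
                bursts[dirpath] = round(frac, 2)
    return sorted(notes), bursts

if __name__ == "__main__":
    import sys
    found, hot = triage(sys.argv[1] if len(sys.argv) > 1 else ".")
    for p in found:
        print("ransom note:", p)
    for d, f in hot.items():
        print(f"mass change: {d} ({f:.0%} of files in one burst)")
```

Run it against a file share or engineering workstation path; a hit on either check is a reason to isolate the host and investigate, not proof of infection.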

Sources of infection

Snake ransomware typically infects systems through vulnerabilities in Remote Desktop Protocol (RDP) ports or outdated software. In other cases, phishing attacks or other trojans can introduce Snake ransomware into networks.


Snake ransomware specifically targets industrial control systems and corporate networks, so these protection methods are mainly for businesses rather than individuals.

  • Close all unnecessary Remote Desktop Protocol (RDP) ports. Make sure you have password protection for the ones you keep open.
  • Use complex passwords and multi-factor authentication.
  • Back up manufacturing command files.
  • Divide your network into segments. This way, you can limit the damage in case of an infection.
  • Monitor networks for suspicious activity, such as increased bandwidth or unauthorized access attempts.
  • Install reputable antivirus software and update it regularly.
  • Implement strict user access control. Only allow users to access the data they need for their work.
  • Have regular security audits to identify vulnerabilities on your network.
  • Educate employees on good cybersecurity practices.
  • Prepare a detailed incident-response plan.


If you suspect that your system is infected, you need to act quickly:

  • Isolate the infected device by disconnecting it from the internet and your network.
  • Use reliable antivirus software to detect and remove the ransomware.
  • Restore files from a clean backup.
  • Update all passwords and check security settings.

Keep in mind that antivirus software is more effective in preventing malware than removing it. If the infection persists or you can’t restore your files, you should get professional help.