Snake bites Honda motors: Ransomware/Snake

Snake ransomware is found to be in the wild targeting Industrial control systems (ICS) since December 2019. Interestingly this malware is written in Go programming language, implementing obfuscation techniques up to certain extend. It has hit the Hondo motors network disrupting manufacturing in 9 factories in United States. The malware has encrypted critical files in essential systems rendering them unusable. Snake malware terminates several processes related to Endpoint Security, ICS, Visualization, Remote administration, network management, etc.

Technical details

Ransomware creates a mutex “EKANS” (snake in reverse) to avoid duplicate process execution on the victim’s computer. The ransomware doesn’t lock the files in the machine if the mutex creation fails (exists already).

It terminates the following processes in the infected systems:

One third of the processes it terminates are related to Industrial control systems (ICS).

The malware avoids encrypting files inside the following directories:

  • %SystemDrive%\AppData
  • %SystemDrive%\Boot
  • %SystemDrive%\Windows
  • %SystemDrive%\$Recycle.Bin
  • %SystemDrive%\ProgramData
  • %SystemDrive%\Program Files
  • %SystemDrive%\System Volume Information

The malware tries to resolve the domain, which is hard coded  in the binary.

The DNS details of the domain,

In every locked (encrypted) file, the malware adds the string EKANS at the end of the file. It creates a file Fix-Your-Files.txt in the desktop with ransom note.