According to Kaspersky ICS CERT data, a number of industrial companies are currently experiencing targeted attacks involving the Snake encryption ransomware.
# Incident Report: Targeted Snake (EKANS) Ransomware Attacks on Industrial Entities
## Executive Summary
In June 2020, multiple global industrial organizations, including Honda and Enel Group, were targeted by Snake (also known as EKANS) ransomware. The attacks featured highly customized malware samples designed to execute only within specific internal networks by verifying local domain names and IP addresses. The campaign resulted in significant operational disruptions, affecting customer services, financial departments, and even industrial video surveillance systems.
## Incident Details
- **Discovery Date:** June 8, 2020
- **Incident Date:** Continuous throughout early-to-mid 2020
- **Affected Organizations:** Honda, Enel Group, unnamed German auto-supply and medical equipment manufacturers.
- **Sector:** Industrial, Manufacturing (Automotive), Energy, Healthcare.
- **Geography:** Global (Japan, Europe, China).
## Timeline of Events
### Initial Access
- **Date/Time:** Pre-June 2020 (Reconnaissance and initial penetration phases).
- **Vector:** Not explicitly detailed; likely credential theft or exploitation of external-facing assets, since Domain Admin privileges were required for the final stage.
- **Details:** Attackers conducted multi-stage operations to gather internal network specifics (Internal DNS and IP schemes) before compiling the ransomware.
### Lateral Movement
- **Mechanism:** Use of compromised Domain Administrator accounts.
- **Details:** The malware was spread throughout the local networks using Domain Policies (GPOs) and scripts located in the `sysvol` folders.
### Data Exfiltration/Impact
- **Impact:** Encryption of critical business data, including virtual drives, databases (Microsoft Access), source code (C#, PHP, JS), and project files.
- **Operational Impact:** Honda reported technical difficulties in Customer and Financial Services; China-based victims saw impacts on industrial video surveillance servers.
### Detection & Response
- **Discovery:** Honda reported network issues on June 8; security researchers identified a Snake sample on VirusTotal querying `mds.honda[.]com`.
- **Response:** Kaspersky and other firms identified related samples; affected organizations suspended impacted services to contain the spread.
## Attack Methodology
- **Initial Access:** Likely multi-stage hacking targeting specific organizations.
- **Persistence:** Utilization of Windows Task Scheduler and Domain Policy scripts.
- **Privilege Escalation:** Achievement of Domain Administrator privileges.
- **Defense Evasion:** Malware includes a "kill switch" that terminates the process if the unique internal Domain/IP string does not match the environment, preventing analysis in sandboxes or external labs.
- **Credential Access:** Compromise of domain administrator accounts.
- **Discovery:** Internal DNS reconnaissance to identify local IP/Domain mappings.
- **Lateral Movement:** Execution via `nmon.bat` in domain policy script folders.
- **Collection:** Targeting of specific industrial and development file extensions.
- **Impact:** Ransomware encryption (Final Stage).
## Impact Assessment
- **Financial:** Significant (likely millions in recovery and lost productivity, though specific figures are not disclosed).
- **Data Breach:** Encryption of intellectual property (source code) and operational data.
- **Operational:** High; disruption of customer-facing services and internal production-support systems.
- **Reputational:** High; global news coverage of the Honda and Enel outages.
## Indicators of Compromise
### Network Indicators
- `mds.honda[.]com` (internal domain check)
- [Specific Internal IP addresses unique to victims - not publicly listed]
### File Indicators (MD5)
- `ED3C05BDE9F0EA0F1321355B03AC42D0`
- `7DDB09DB3FB9B01FA931C2A1A41E13E1`
- `C547141B8A690EEE313C0F6CE6B5CCA6`
- **Filenames:** `nmon.exe`, `nmon.bat`, `KB3020369.exe`, `KB[7_random_numbers].exe`
### Behavioral Indicators
- Execution of batch files from `%sysvol%\[domain_name]\scripts`
- Unexpected DNS queries for internal service records followed by mass file encryption.
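The behavioral and file indicators above can be checked mechanically against the domain's scripts share. The following Python script is an added example, not part of the Kaspersky report and not a tool of any named organization. It walks a folder the way a defender would walk the SYSVOL `scripts` folder, hashes each file with MD5, and flags a hash from the report's IoC list, a filename matching the reported patterns (`nmon.exe`, `nmon.bat`, `KB3020369.exe`, `KB` plus seven digits plus `.exe`), or any executable that is not on an allowlist. The executable-extension set, the allowlist and the demo folder with its file contents are constructed assumptions; the real path and allowlist would come from the environment.

```python
"""Audit a SYSVOL scripts folder for the Snake/EKANS file indicators.

Added example; not part of the Kaspersky report. Flags a file when its MD5 is
in the report's IoC list, its name matches a reported pattern, or it is an
executable that is not on the allowlist. The demo tree is a constructed stand-in.
"""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass

# MD5 hashes listed in the report as file indicators (lower-case for comparison).
IOC_MD5 = {
    "ed3c05bde9f0ea0f1321355b03ac42d0",
    "7ddb09db3fb9b01fa931c2a1a41e13e1",
    "c547141b8a690eee313c0f6ce6b5cca6",
}

# Filename patterns from the report: nmon.exe / nmon.bat, and KB followed by seven digits.
IOC_NAME_PATTERNS = [
    re.compile(r"^nmon\.(exe|bat)$", re.IGNORECASE),
    re.compile(r"^KB\d{7}\.exe$", re.IGNORECASE),
]

# Extensions treated as executable content in a logon-script folder (assumption).
EXECUTABLE_EXTENSIONS = {".bat", ".cmd", ".exe", ".ps1", ".vbs"}

# Constructed sample files standing in for the real scripts folder; none is a real binary.
DEMO_FILES = {
    "logon.bat": b"@echo off\r\nREM constructed legitimate logon script\r\n",
    "nmon.bat": b"@echo off\r\nREM constructed placeholder\r\n",
    "KB1234567.exe": b"MZ constructed placeholder",
    "inventory.exe": b"MZ second constructed placeholder",
    "readme.txt": b"not executable",
}


@dataclass
class Finding:
    name: str
    path: str
    reason: str
    md5: str


def md5_of_bytes(data):
    return hashlib.md5(data).hexdigest()


def md5_of_file(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_scripts_folder(root, allowlist, ioc_md5=IOC_MD5):
    """Return a Finding for every file under root that needs a closer look.

    A hash match is checked first, so a known-bad file is still reported even
    if its name has been added to the allowlist.
    """
    allowed = {name.lower() for name in allowlist}
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            digest = md5_of_file(path)
            ext = os.path.splitext(name)[1].lower()
            if digest in ioc_md5:
                findings.append(Finding(name, path, "md5 matches Snake/EKANS indicator", digest))
            elif any(p.match(name) for p in IOC_NAME_PATTERNS):
                findings.append(Finding(name, path, "filename matches reported pattern", digest))
            elif ext in EXECUTABLE_EXTENSIONS and name.lower() not in allowed:
                findings.append(Finding(name, path, "executable not on allowlist", digest))
    return findings


def build_demo_tree():
    """Write DEMO_FILES into a temporary folder and return its path."""
    root = tempfile.mkdtemp(prefix="sysvol_scripts_")
    for name, content in DEMO_FILES.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    # In production, pass the real share path (for example the domain's SYSVOL scripts
    # folder) and the organization's maintained allowlist instead of the demo tree.
    for finding in audit_scripts_folder(build_demo_tree(), allowlist=["logon.bat"]):
        print(f"{finding.reason}: {finding.path} ({finding.md5})")
```

Run it on a schedule or from a file-integrity job and treat any finding as a change-control question first: a scripts folder should only contain files that someone can account for, and the hash check is there so that an allowlist entry can never silence a match on the published indicators.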
## Response Actions
- **Containment:** Blocking of malicious MD5 hashes and isolation of affected servers.
- **Eradication:** Audit and removal of unauthorized GPOs and scheduled tasks.
- **Recovery:** Restoration of files from offline backups.
- **Remediation:** Forced password resets for all accounts in the Domain Administrator group.
## Lessons Learned
- **Targeting Sophistication:** Attackers are now tailoring ransomware code to the victim's specific internal network architecture to bypass automated sandbox detection.
- **GPO as a Weapon:** The use of Domain Policies for malware distribution underscores the critical need for monitoring the `sysvol` directory and changes to group policies.
- **IT/OT Convergence:** The impact on video surveillance shows that ransomware increasingly bleeds into industrial monitoring and control environments.
## Recommendations
1. **Restrict Privileged Accounts:** Implement the principle of least privilege and use Tiered Administration to protect Domain Admin credentials.
2. **Monitor GPO Changes:** Audit the `scripts` folder within `SYSVOL` for any unauthorized `.bat` or `.exe` files.
3. **Network Segmentation:** Isolate critical industrial systems (like surveillance or ICS components) from the general corporate IT network.
4. **Enhanced DNS Logging:** Monitor for unusual internal DNS enumeration patterns.
5. **Offline Backups:** Maintain immutable, offline backups to ensure recovery without paying ransoms.
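Recommendation 4 asks for detection of internal DNS enumeration, the reconnaissance step the report places before the kill-switch check. The following Python detector is an added example, not part of the Kaspersky report and not any vendor's product. It reads a simplified, constructed query-log format (`<epoch seconds> <client ip> <query name> <record type>`, one query per line) and flags a client that, within a sliding window, asks for more distinct names under the internal zone than a threshold allows, or performs a sweep of reverse (PTR) lookups. The internal zone name, the window and the thresholds are assumptions to be tuned per environment; the sample log is constructed.

```python
"""Flag internal DNS enumeration in a query log.

Added example; not from the Kaspersky report. Input lines are constructed:
"<epoch seconds> <client ip> <query name> <record type>". A client is alerted
once per detection kind when, inside WINDOW_SECONDS, it queries more than
MAX_DISTINCT_NAMES distinct names under INTERNAL_SUFFIX, or more than MAX_PTR
distinct reverse-lookup names.
"""
from collections import defaultdict, deque

INTERNAL_SUFFIX = ".corp.example"   # assumption: the organization's internal DNS zone
WINDOW_SECONDS = 60                 # assumption: sliding window length
MAX_DISTINCT_NAMES = 20             # assumption: distinct internal names per window
MAX_PTR = 20                        # assumption: distinct reverse lookups per window


def parse_line(line):
    ts, client, qname, qtype = line.split()
    return int(ts), client, qname.lower().rstrip("."), qtype.upper()


def detect_enumeration(lines, window=WINDOW_SECONDS,
                       max_names=MAX_DISTINCT_NAMES, max_ptr=MAX_PTR):
    """Return alerts as (client, kind, timestamp, distinct_count) tuples.

    Lines are expected in time order per client, as a DNS server log is.
    """
    name_windows = defaultdict(deque)   # client -> deque of (ts, qname)
    ptr_windows = defaultdict(deque)
    alerted = set()                     # (client, kind) pairs already reported
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ts, client, qname, qtype = parse_line(line)
        if qtype == "PTR" and qname.endswith(".in-addr.arpa"):
            kind, dq, limit = "reverse-lookup-sweep", ptr_windows[client], max_ptr
        elif qname.endswith(INTERNAL_SUFFIX):
            kind, dq, limit = "internal-name-enumeration", name_windows[client], max_names
        else:
            continue                    # external names are out of scope here
        dq.append((ts, qname))
        while dq and dq[0][0] < ts - window:
            dq.popleft()                # drop queries that fell out of the window
        distinct = len({name for _, name in dq})
        if distinct > limit and (client, kind) not in alerted:
            alerted.add((client, kind))
            alerts.append((client, kind, ts, distinct))
    return alerts


def build_sample_log():
    """Constructed log: a normal workstation, an enumerating host and a PTR sweep."""
    lines = []
    normal = ["fileserver.corp.example", "mail.corp.example", "dc01.corp.example"]
    for i in range(100):                # 100 queries, only three distinct names
        lines.append(f"{1000 + i} 10.0.0.15 {normal[i % 3]} A")
    for i in range(30):                 # 30 distinct internal hostnames in 30 seconds
        lines.append(f"{1000 + i} 10.0.0.77 host-{i:03d}.corp.example A")
    for i in range(25):                 # reverse lookups walking 10.0.0.0/24
        lines.append(f"{2000 + i} 10.0.0.78 {i}.0.0.10.in-addr.arpa PTR")
    lines.sort(key=lambda l: int(l.split()[0]))   # stable sort keeps per-client order
    return lines


if __name__ == "__main__":
    for client, kind, ts, count in detect_enumeration(build_sample_log()):
        print(f"{ts}: {client} {kind} ({count} distinct names in window)")
```

The detector keys on distinct names rather than raw query volume because a busy but legitimate host repeats the same few names, whereas reconnaissance touches many names once. Alerting once per client and kind keeps a sustained sweep from producing one alert per query; the timestamp and count in the alert give the responder the window to pull from the full log.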