Like most ransomware strains, Snake ransomware won’t slither near your operating system files and programs, so your computer will still boot up, let you log in and open your programs. For all intents and purposes you still have a working system, but your most critical files, including documents, spreadsheets, photos, videos, music, tax returns and business plans, are scrambled with a randomly chosen encryption key.
The original filename and directory are recorded, the decryption key is stored, and the special tag EKANS, which is SNAKE written backwards, finishes off the encrypted file name.
The decryption key for each file is itself encrypted using what’s known as public-key encryption, a special sort of encryption algorithm with two keys rather than one, so that the key used to lock the data can’t be used to unlock it again.
In other words, the malware generates a random key to encrypt each file using a symmetric, or secret-key, encryption algorithm. To decrypt the file, you need the private key to unlock the symmetric key, and then the symmetric key to unlock the file.
But why not just use public key cryptography alone to lock and unlock the file? The answer is that symmetric cryptography is ideally suited for scrambling large amounts of data, but public key crypto is much slower and suited only for scrambling small amounts of data.
But why is it called Snake ransomware?
The hackers use the EKANS marker, unencrypted, at the end of every encrypted file. We can only assume that this was done as an easy way of identifying an encrypted file if you decide to pay up and purchase the decryption key.
Most ransomware marks scrambled files by adding an unusual extension to file names so they stand out.
Snake ransomware also adds a different, randomly chosen string of characters to the names of encrypted files, so that they can’t be picked out by name alone.
The ransom note, a file called Fix-Your-Files.txt, is written into what Windows calls the ‘public desktop’, usually on the C: drive. If the ransomware isn’t run with administrator privileges, it will still be able to overwrite all your files, but it won’t be able to write to the Public folder, so the note ends up in another, hidden folder where you’re likely to miss it.
We think the ransomware was designed to be run with administrator access across a compromised network to inflict maximum damage, and the crooks have programmed this strain on that assumption.
The “What happened to your files?” document says:
We breached your corporate network and encrypted the data on your computers. The encrypted data includes documents, databases, photos and more.
Another interesting nugget about Snake ransomware is that the programmers behind it don’t intend to target individual users on your network, but instead go after everyone.
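As an added example, not code from the original article, here is a small Python triage script that uses the unencrypted EKANS tag described above to find affected files on a disk. The sample filenames and contents it creates are constructed test data, not real Snake artefacts.

```python
import os
from pathlib import Path

# Plaintext tag the article says is appended to every encrypted file.
MARKER = b"EKANS"  # SNAKE written backwards

def has_ekans_marker(path):
    """Return True if the file's last bytes are the EKANS tag.

    Only the tail is read, so large files are cheap to check. Files shorter
    than the tag, or that cannot be opened, are reported as clean.
    """
    try:
        size = os.path.getsize(path)
        if size < len(MARKER):
            return False
        with open(path, "rb") as fh:
            fh.seek(size - len(MARKER))
            return fh.read(len(MARKER)) == MARKER
    except OSError:
        return False

def scan_tree(root):
    """Walk a directory tree; return sorted relative paths of tagged files."""
    root = Path(root)
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file() and has_ekans_marker(p)
    )

def make_sample_tree(root):
    """Write constructed test data (made-up names and contents): 2 tagged, 2 clean."""
    root = Path(root)
    (root / "docs").mkdir(parents=True, exist_ok=True)
    (root / "docs" / "report.docx.k3x9q").write_bytes(os.urandom(64) + MARKER)
    (root / "budget.xlsx.pq2w").write_bytes(os.urandom(1024) + MARKER)
    (root / "notes.txt").write_bytes(b"plain text, unaffected")
    (root / "tiny").write_bytes(b"EK")  # shorter than the tag itself
    return root

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_tree(tmp)
        for hit in scan_tree(tmp):
            print("suspected Snake-encrypted file:", hit)
```

Because the tag sits in plain text at the very end of each file, the check reads only five bytes per file and is safe to run across a large share during triage.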
What to do to Prevent a “Snakebite”?
Don’t run unexpected attachments.
Don’t open up remote access to your network unless you really need to.
Don’t ignore any possible warning signs in your security logs. If you spot them first, don’t let other users on your network talk you into softening up login security. Employ 2FA, so that you need to copy a one-time code off your phone every time you log in.
If you are still having trouble, consider contacting remote technical support options.