Snake ransomware operators have launched a global cyberattack campaign by infecting organizations. Read on to know more…
Security researchers attributed a spike in Snake ransomware activity to a new campaign that’s targeted organizations worldwide. Snake ransomware operators are back from a short hibernation and have launched a global cyberattack campaign, infecting organizations in its wake. Among these organizations, there is at least one healthcare organization. The healthcare organization is none other than Fresenius – Europe’s largest private hospital operator.
Snake ransomware first attracted the attention of malware analysts in January 2020 when they observed the crypto-malware family targeting entire corporate networks. Shortly after this discovery, the threat quieted down. It produced few new detected infections in the wild for the next few months. That was until May 4, when ID Ransomware registered a sudden spike in submissions for the ransomware.
As reported by Bleeping Computer, these submissions were part of a large campaign that targeted organizations around the world. Among those hit by Snake ransomware in this campaign was Fresenius, Europe’s largest private hospital operator. A spokesperson for Fresenius confirmed to KrebsonSecurity that the organization was grappling with an infection of malicious software.
The Campaign
The campaign jump-started on 4th May when organizations from everywhere around the globe and across every vertical were targeted. The attack on Fresenius compromised the company’s operations everywhere worldwide. This is a fairly new strain that holds the data and IT system hostage in lieu of digital currency.
Threat actors employ enterprise-targeting ransomware to infiltrate the network, collect credentials, and then encrypt the files on the network. With COVID-19, healthcare organizations are constantly becoming the target for ransomware attacks as they are engaged in virus response. Moreover, Snake steals unencrypted files before encrypting the computers on a network.
The list of enterprise-targeting ransomware is growing longer by the day. It includes Maze, Ryuk, LockerGoga, Sodinokibi, DoppelPaymer, MegaCortex, and BitPaymer, with the latest addition being Snake. The attackers are suspected to be seeking intelligence on healthcare policies (national and international) or obtain sensitive data related to COVID-19 research.
According to an alert issued by the CISA, APT actors are persistently targeting healthcare organizations, academia, medical research facilities, pharma companies, and local governments. It has been confirmed by the spokesperson of Fresenius that the company was dealing with a computer virus. However, they have not made any comments on the payment of ransom.
Snake ransomware has targeted an architectural firm in France and a prepaid debit card company. The ransomware is written in Golang and has a higher level of obfuscation as compared to other infections.
Conclusion
Snake is still being analyzed for weaknesses and it is yet unknown if the decryption can be done for free. It is not known for sure if the Snake operators are stealing unencrypted files or if they have a data “leak” site similar to other ransomware operations.
Organizations should take this campaign seriously, especially after security researchers found that Snake had begun mimicking other families by threatening to publish the data of victims who refused to pay their ransoms. In response, organizations should consider taking steps to prevent a crypto-malware infection in the first place. They can use these steps to begin securing their assets against a ransomware attack.
