In the first three quarters of 2019, the world saw nearly 152 million ransom-ware attacks affecting every sector from government to education to healthcare. As the threat continues to grow, it costs businesses over $75 million per year. One cybersecurity group estimated a new ransomware infection happening every 14 seconds in 2019 and they expect that to accelerate to an infection every 11 seconds by 2021. Given that there are plenty of victims willing to pay to get their data back, it's no wonder that adversaries continue to develop new strains of ransomware while consistently integrating the most effective pieces of existing ones.
Starting off 2020 is yet another new ransomware strain dubbed SNAKE. Discovered by MalwareHunterTeam, this enterprise-targeting malware is going after big business. SNAKE starts by removing the system's Shadow Volume Copies, then kills any processes "related to SCADA systems, virtual machines, industrial control systems, remote management tools, network management software, and more."
SNAKE then encrypts all of the computer's files, except for certain system files. Researchers observed that it took longer than most other ransomware strains to finish the encryption process. The encrypted files are appended with five random characters after the file extension. The malware also adds an "EKANS" (SNAKE in reverse) file marker to each encrypted file.
Once the files are encrypted, SNAKE leaves the ransom note (Fix-Your-Files.txt) in the public Desktop folder. No specific ransom amount is quoted in the note, but a contact email address is provided, as well as instructions on how to get proof that the attackers have a working decryption key. Researchers also point-ed out that the wording of the ransom note may indicate that the decryption key is meant for the entire affected network, not just single systems.
At this time there is no free decryptor available, but researchers are working on it. For now, awareness is key as few details on infection vectors have been re-leased. If a link, email, or attachment looks suspicious, don't open it - report it. See something, say something.