

Ekans, also known as Snake, is ransomware that runs on Microsoft Windows. It was discovered by MalwareHunterTeam and is aimed at English-speaking users. It is written in Golang and contains a much higher level of obfuscation than is commonly seen in ransomware.

Payload

Transmission

Ekans is distributed by breaking in through insecure RDP configurations. It can also be spread using email spam and malicious attachments, deceptive downloads, botnets, exploits, malicious ads, web injects, fake updates, and repackaged or infected installers.

Infection

When started, Ekans removes the computer's Shadow Volume Copies and then kills numerous processes related to SCADA systems, virtual machines, industrial control systems, remote management tools, network management software, and more.

It then encrypts the files on the device, skipping any that are located in Windows system folders and various system files. The system folders that are skipped are listed below:

windir
SystemDrive
:\$Recycle.Bin
:\ProgramData
:\Users\All Users
:\Program Files
:\Local Settings
:\Boot
:\System Volume Information
:\Recovery
\AppData\

When encrypting a file, it appends a random 5-character string to the file's extension. For example, a file named 1.doc is encrypted and renamed to something like 1.docqkWbv.

Ekans also appends the 'EKANS' file marker to each encrypted file. It takes a particularly long time to encrypt a computer.

When it has finished encrypting the computer, the ransomware creates a ransom note named Fix-Your-Files.txt in the C:\Users\Public\Desktop folder. The note instructs the victim to contact a listed email address for payment instructions; this address is currently bapcocrypt@ctemplar.com. The ransom note says the following:

--------------------------------------------
| What happened to your files?
--------------------------------------------

We breached your corporate network and encrypted the data on your computers. The encrypted data includes documents, databases, photos and more - all were encrypted using a military grade encryption algorithms (AES-256 and RSA-2048). You cannot access those files right now. But dont worry!

You can still get those files back and be up and running again in no time.

---------------------------------------------
| How to contact us to get your files back?
---------------------------------------------

The only way to restore your files is by purchasing a decryption tool loaded with a private key we created specifically for your network.

Once run on an effected computer, the tool will decrypt all encrypted files - and you can resume day-to-day operations, preferably with better cyber security in mind. If you are interested in purchasing the decryption tool contact us at bapcocrypt@ctemplar.com

-------------------------------------------------------
| How can you be certain we have the decryption tool?
-------------------------------------------------------

In your mail to us attach up to 3 files (up to 3MB, no databases or spreadsheets).

We will send them back to you decrypted.
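As an added example (not from this page or from any analysis of the sample), the following Python triage script walks a directory tree for the two file artifacts described in the Infection section: the 'EKANS' marker appended to encrypted files and the Fix-Your-Files.txt note. The renamed-file regex and the assumption that the marker is the ASCII bytes EKANS at the very end of the file are this example's own assumptions, and the sample files are constructed inline.

```python
import os
import re
import tempfile
from pathlib import Path

EKANS_MARKER = b"EKANS"             # marker appended to each encrypted file
RANSOM_NOTE = "Fix-Your-Files.txt"  # note dropped in C:\Users\Public\Desktop
# Heuristic (assumption): original extension plus 5 random alphanumerics,
# e.g. 1.doc -> 1.docqkWbv. A name match alone is not proof of encryption.
RENAMED_RE = re.compile(r"\.[A-Za-z0-9]{1,5}[A-Za-z0-9]{5}$")

def has_ekans_marker(path: Path) -> bool:
    """True if the file's last bytes are the EKANS marker (reads the tail only)."""
    try:
        size = path.stat().st_size
        if size < len(EKANS_MARKER):
            return False
        with path.open("rb") as fh:
            fh.seek(size - len(EKANS_MARKER))
            return fh.read() == EKANS_MARKER
    except OSError:
        return False

def scan_tree(root: Path) -> dict:
    """Walk root and bucket files: marker present, name-only hit, ransom note."""
    findings = {"marked": [], "renamed_only": [], "notes": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            p = Path(dirpath) / name
            rel = str(p.relative_to(root))
            if name == RANSOM_NOTE:
                findings["notes"].append(rel)
            elif has_ekans_marker(p):
                findings["marked"].append(rel)
            elif RENAMED_RE.search(name):
                findings["renamed_only"].append(rel)
    return findings

def demo() -> dict:
    """Scan a constructed sample tree (all sample data is made up for the demo)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "1.docqkWbv").write_bytes(b"ciphertext" + EKANS_MARKER)
        (root / "report.xlsx").write_bytes(b"PK\x03\x04 untouched")
        (root / "notes.txtAb9Xz").write_bytes(b"renamed, no marker")
        (root / RANSOM_NOTE).write_text("| What happened to your files?\n")
        return scan_tree(root)

if __name__ == "__main__":
    print(demo())
```

Files that match only the name heuristic are reported separately so an analyst can review them without treating every unusual extension as confirmed Ekans activity.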