Cyber Threat Actor: SNAKE
| Actor Type | Location | Known Incidents |
Criminal
|
Russia
|
1 incident |
|---|
Profile
The threat actor tracked under the aliases EKANS and SNAKE is recognized as a ransomware operator that has been observed targeting corporate networks in Europe and Asia. Open source reporting indicates the actor is believed to be based in Russia, though no public attribution to a specific state sponsor or criminal consortium has been made. The group’s activity is primarily financially motivated, as evidenced by its use of ransomware to encrypt files and demand payment for decryption keys.
Observations of the actor’s tactics reveal a consistent reliance on the Snake/EKANS ransomware payload, which incorporates pre‑execution checks for internal domain names and IP addresses before proceeding with encryption. If those checks fail, the malware terminates without encrypting files, a behavior seen in both the Enel Group and Honda incidents. Initial access frequently involves exposed remote desktop services, a vector noted for the Enel and Honda compromises. The ransomware is also known to exfiltrate data prior to deploying its encryption routine and to terminate processes associated with SCADA and industrial control systems, indicating a focus on operational technology environments.
Publicly reported operations include the June 2020 incident against Enel Group, where the actor’s ransomware was detected by antivirus tools before widespread encryption, leading to temporary network isolation but no impact on critical power infrastructure. A contemporaneous Honda network disruption in Europe and Japan was linked to a Snake sample that checked for the internal mds.honda.com domain, with the company confirming no data breach at the time. In May 2020, reports associated the Snake ransomware with an attack on Fresenius, Europe’s largest private hospital operator, although the company did not confirm the malware’s involvement. In each case the actor’s efforts were largely thwarted by detection mechanisms, resulting in limited operational disruption and no confirmed data theft.
While the actor’s geographic origin is cited as Russia, no definitive links to state‑affiliated groups or larger criminal alliances have been established in the available material. The actor remains characterized by its use of domain‑specific ransomware checks, reliance on exposed RDP for entry, and a pattern of targeting energy, automotive, and healthcare sectors for financial gain.
