Lessons learned from the Fresenius ransomware cyberattack
Introduction to the Snake ransomware
Fresenius is a German company that provides various health care services, including services for dialysis of people with chronic kidney failure. In the United States, it has about 40% of the market share for dialysis. The company has about 300,000 employees in more than 100 countries. Forbes Global 2000 ranks Fresenius at the 258th position.
In 2020, Fresenius reportedly was subject to a cyberattack utilizing the Snake ransomware (often simply called the “Snake”). The company confirmed that it experienced a malware infection. More specifically, Matt Kuhn, a spokesperson for Fresenius noted: “I can confirm that Fresenius’ IT security detected a computer virus on company computers.”
Phishing simulations & training
The attack on Fresenius needs to be accepted as a serious warning about the negative effect malware applications can have on the public health. Since the services offered by Fresenius and other major health care providers are in high demand due to the COVID-19 crisis, cyberattacks on such organizations may lead to the suspension of vitally important equipment, causing the deaths of thousands of vulnerable individuals.
This article will examine the Snake which was used for the attack on Fresenius. Afterwards, we will provide recommendations on how health care organizations can avoid being compromised with similar malware.
An overview of the Snake
The Snake is often used in high-profile cyberattacks. In addition to the attack on Fresenius, it was also reportedly used in the attacks against the Japanese car producer Honda and the South American energy company Enel Argentina.
The Snake was discovered in the beginning of 2020. It is written in Golang, a programming language designed at Google. Once the Snake infects a computer, it stops various processes related to network management software, virtual machines, supervisory control and data acquisition (SCADA) systems, remote management tools and industrial control systems.
Next, the Snake encrypts all files on the infected device, with the exception of certain system files. The malware adds five characters to the file extension names of the infected files. For instance, a file named report.doc may, after being encrypted, be renamed report.docvgtyp. For some reason, the Snake requires a lot of time to encrypt the files stored on the infected computer.
After the malware completes the encryption process, it will create a note named Fix-Your-Files.txt. The note informs the victim that their corporate network was breached and the data stored on the computers connected to the network was encrypted. The note also states that the victim may decrypt the files by contacting the fraudsters at a specified email address and purchasing a decryption tool. To persuade the victim that their files will really be encrypted if they purchase a decryption tool, the crooks promise to decrypt three free of charge.
How to prevent infections with the Snake or similar malware
The Snake can only “bite” if the attackers bypass the security mechanisms of the targeted computers. This is usually done by sending phishing messages containing malicious attachments. Such attachments may contain the Snake or remote access software that allows the fraudsters to install the Snake whenever they prefer.
This means that to prevent infections with the Snake, organizations need to adopt comprehensive anti-phishing policies stating conditions which need to be met for an email attachment to be opened. Some example conditions:
- Scanning attachments by using anti-malware software
- In case of doubt about the authenticity of an email, calling the sender by phone
- Making sure that, if a Microsoft Word file is opened, macros and malicious links will not be activated
- Checking whether the email address from which a suspicious email was sent corresponds to the actual email address of the purported sender
Organizations willing to protect against the Snake will benefit from closing any remote access to their networks, unless such access is really necessary. This is because ransomware operators often utilize remote access systems, such as the Remote Desktop Protocol (RDP), to conduct malware attacks. RDP can be used to elevate the privileges of threat actors, create security vulnerabilities for future use, gain control over large parts of computer networks and deploy malware on the infected computers.
If, for some reason, it isn’t feasible to completely turn off the RDP, it is recommended to:
- Put the RDP behind a VPN
- Use a Remote Desktop Gateway Server, which gives an additional security layer
- Use strong passwords
- Enable the Network Level Authentication (NLA), which enhances security by requiring user authentication
The use of multi-factor authentication is an important way to protect against the Snake. This refers to an authentication method requiring computer users to present two or more pieces of evidence. For example, a two-factor authentication may require the user to type a password and a code that will be sent to her mobile phone. Even if fraudsters succeed to get access to the password, they will not be able to install the Snake on the targeted computer, as they will also need physical access to the user’s mobile phone.
Concluding remarks regarding the Fresenius ransomware cyberattack
The Snake should not be underestimated. It is a highly potent malware that succeeded at paralyzing the computer systems of many large companies. Once the ransomware encrypts the files stored on a computer system, there is little one can do to regain access to the files, without paying the requested ransom.
Fresenius reportedly paid USD $1.5 million to resolve a previous malware infection and likely paid even more to restore the files encrypted by the Snake. Therefore, organizations willing to avoid an infection with the Snake need to focus mainly on preventive measures.
See Infosec IQ in action
Sources
- SNAKE Ransomware Is the Next Threat Targeting Business Networks, BleepingComputer
- How to protect your RDP access from ransomware attacks, Malwarebytes Labs
- Snake alert! This ransomware is not a game…, Naked Security by Sophos
- Europe’s Largest Private Hospital Operator Fresenius Hit by Ransomware, Krebs on Security
- Snake Ransomware Delivers Double-Strike on Honda, Energy Co., Threatpost
In this Series
- Lessons learned from the Fresenius ransomware cyberattack
- Canada Flipper Zero ban and new RustDoor macOS malware
- AnyDesk hack and iPhone patched kernel flaw
- Tesla Pwn2Own hacks and iOS push alerts abuse
- TeamViewer breach and Atlassian Jira outage
- Moscow ISP revenge hack and Microsoft Sharepoint bug warning
- X verified accounts hack and SpectralBlur macOS malware
- CISA default password alert and SOHO KV-botnet campaign
- New 5G modem flaws and Apple’s data breach report
- Staples cyberattack, Agent Racoon backdoor and other news
- British Library ransomware attack, Windows fingerprint authentication bypass
- Samsung UK data breach and ransomware actor’s SEC complaint
- ICBC ransomware attack and ChatGPT outage
- Boeing Lockbit ransomware attack, Apple’s vulnerability and WhatsApp mods spyware
- Octo Tempest hacking group and new iLeakage attack
- Okta support system breach and Google Ads fake KeePass campaign
- Skype DarkGate malware, Shadow PC breach and AvosLocker ransomware warning
- 23andMe data theft, MGM’s $100M ransomware loss and the Azure VM breach
- Malicious Bing Chat ads and FBI’s dual ransomware warning
- T-Mobile app glitch and fake Booking.com pages
- Airbus data leak, Cisco Webex ad malware and €345 million TikTok fine
- New Apple iMessage exploit and CISA’s Apache RocketMQ warning
- Forever 21 data breach and Android BadBazaar espionage
- Duolingo data leak and the Met Police IT hack
- Discord.io data breach and Ivanti Avalanche vulnerabilities
- UK Electoral Commission hack and Microsoft’s role in China email breach
- Salesforce email zero-day exploit and Microsoft Power Platform criticism
- Airlines disclose pilot data breach and the Microsoft Teams bug
- GravityRAT Android Trojan and new MOVEit Transfer flaw
- University of Manchester hack and Honda API flaws
- MOVEit zero-day exploit and the U.S. iPhone hack accusation
- Daam Android virus and Barracuda zero-day flaw
- TP-Link router exploit and 18-year-old charged with hacking DraftKings accounts
- Discord support hack and Toyota location data leak
- Twitter private tweets bug and Cisco phone router vulnerabilities
- Cisco XSS zero-day flaw and PaperCut vulnerabilities
- 3CX hackers hit critical infrastructure and secondhand routers cause security concerns
- Hyundai data breach and Microsoft’s warning to accountants
- Western Digital cloud breach and the MSI ransomware hack
- TMX loan data breach, Italy bans ChatGPT and WordPress Elementor Pro exploit
- ChatGPT data leak and Gmail message theft by North Korean hackers
- U.S. federal agency hack and the return of FakeCalls Android malware
- Massive AT&T data breach and fake jobs targeting security researchers
- U.S. Marshals service breach and TPM 2.0 security flaws
- Dangerous ChatGPT apps and food giant Dole ransomware attack
- GoDaddy malware installations, record-breaking DDoS attack and the new WhiskerSpy malware
- Reddit’s employees phished, healthcare firms targeted and the new Screenshotter malware
- JD Sports data breached, VMware ESXi servers attacked and the HeadCrab malware
- Yandex source code leaked, 4500+ WordPress sites hacked and the new SwiftSlicer malware
- PayPal accounts breached, Fortinet VPN flaw exploited, and the new Hook malware
- Twitter users’ emails leaked, ChatGPT used to write malware and Slack’s repository breach
We’ll customize our demo to your
- Security awareness goals
- Existing security and employee training tools
- Industry and compliance requirements
