News

Lessons learned from the Fresenius ransomware cyberattack

Daniel Dimov
July 9, 2020 by
Daniel Dimov

Introduction to the Snake ransomware

Fresenius is a German company that provides various health care services, including services for dialysis of people with chronic kidney failure. In the United States, it has about 40% of the market share for dialysis. The company has about 300,000 employees in more than 100 countries. Forbes Global 2000 ranks Fresenius at the 258th position.

In 2020, Fresenius reportedly was subject to a cyberattack utilizing the Snake ransomware (often simply called the “Snake”). The company confirmed that it experienced a malware infection. More specifically, Matt Kuhn, a spokesperson for Fresenius noted: “I can confirm that Fresenius’ IT security detected a computer virus on company computers.”

Should you pay the ransom?

Should you pay the ransom?

Download The Ransomware Paper for real-world ransomware examples, mistakes and lessons learned.

The attack on Fresenius needs to be accepted as a serious warning about the negative effect malware applications can have on the public health. Since the services offered by Fresenius and other major health care providers are in high demand due to the COVID-19 crisis, cyberattacks on such organizations may lead to the suspension of vitally important equipment, causing the deaths of thousands of vulnerable individuals.

This article will examine the Snake which was used for the attack on Fresenius. Afterwards, we will provide recommendations on how health care organizations can avoid being compromised with similar malware. 

An overview of the Snake

The Snake is often used in high-profile cyberattacks. In addition to the attack on Fresenius, it was also reportedly used in the attacks against the Japanese car producer Honda and the South American energy company Enel Argentina.

The Snake was discovered in the beginning of 2020. It is written in Golang, a programming language designed at Google. Once the Snake infects a computer, it stops various processes related to network management software, virtual machines, supervisory control and data acquisition (SCADA) systems, remote management tools and industrial control systems. 

Next, the Snake encrypts all files on the infected device, with the exception of certain system files. The malware adds five characters to the file extension names of the infected files. For instance, a file named report.doc may, after being encrypted, be renamed report.docvgtyp. For some reason, the Snake requires a lot of time to encrypt the files stored on the infected computer.

After the malware completes the encryption process, it will create a note named Fix-Your-Files.txt. The note informs the victim that their corporate network was breached and the data stored on the computers connected to the network was encrypted. The note also states that the victim may decrypt the files by contacting the fraudsters at a specified email address and purchasing a decryption tool. To persuade the victim that their files will really be encrypted if they purchase a decryption tool, the crooks promise to decrypt three free of charge.

How to prevent infections with the Snake or similar malware

The Snake can only “bite” if the attackers bypass the security mechanisms of the targeted computers. This is usually done by sending phishing messages containing malicious attachments. Such attachments may contain the Snake or remote access software that allows the fraudsters to install the Snake whenever they prefer. 

This means that to prevent infections with the Snake, organizations need to adopt comprehensive anti-phishing policies stating conditions which need to be met for an email attachment to be opened. Some example conditions:

  1. Scanning attachments by using anti-malware software
  2. In case of doubt about the authenticity of an email, calling the sender by phone
  3. Making sure that, if a Microsoft Word file is opened, macros and malicious links will not be activated
  4. Checking whether the email address from which a suspicious email was sent corresponds to the actual email address of the purported sender

Organizations willing to protect against the Snake will benefit from closing any remote access to their networks, unless such access is really necessary. This is because ransomware operators often utilize remote access systems, such as the Remote Desktop Protocol (RDP), to conduct malware attacks. RDP can be used to elevate the privileges of threat actors, create security vulnerabilities for future use, gain control over large parts of computer networks and deploy malware on the infected computers. 

If, for some reason, it isn’t feasible to completely turn off the RDP, it is recommended to:

  1. Put the RDP behind a VPN
  2. Use a Remote Desktop Gateway Server, which gives an additional security layer
  3. Use strong passwords
  4. Enable the Network Level Authentication (NLA), which enhances security by requiring user authentication

The use of multi-factor authentication is an important way to protect against the Snake. This refers to an authentication method requiring computer users to present two or more pieces of evidence. For example, a two-factor authentication may require the user to type a password and a code that will be sent to her mobile phone. Even if fraudsters succeed to get access to the password, they will not be able to install the Snake on the targeted computer, as they will also need physical access to the user’s mobile phone.

Concluding remarks regarding the Fresenius ransomware cyberattack

The Snake should not be underestimated. It is a highly potent malware that succeeded at paralyzing the computer systems of many large companies. Once the ransomware encrypts the files stored on a computer system, there is little one can do to regain access to the files, without paying the requested ransom. 

Fresenius reportedly paid USD $1.5 million to resolve a previous malware infection and likely paid even more to restore the files encrypted by the Snake. Therefore, organizations willing to avoid an infection with the Snake need to focus mainly on preventive measures. 

See Infosec IQ in action

See Infosec IQ in action

From gamified security awareness to award-winning training, phishing simulations, culture assessments and more, we want to show you what makes Infosec IQ an industry leader.

 

Sources

  1. SNAKE Ransomware Is the Next Threat Targeting Business Networks, BleepingComputer
  2. How to protect your RDP access from ransomware attacks, Malwarebytes Labs
  3. Snake alert! This ransomware is not a game…, Naked Security by Sophos
  4. Europe’s Largest Private Hospital Operator Fresenius Hit by Ransomware, Krebs on Security
  5. Snake Ransomware Delivers Double-Strike on Honda, Energy Co., Threatpost
Daniel Dimov
Daniel Dimov

Dr. Daniel Dimov is the founder of Dimov Internet Law Consulting (www.dimov.pro), a legal consultancy based in Belgium. Daniel is a fellow of the Internet Corporation for Assigned Names and Numbers (ICANN) and the Internet Society (ISOC). He did traineeships with the European Commission (Brussels), European Digital Rights (Brussels), and the Institute for EU and International law “T.M.C. Asser Institute” (The Hague). Daniel received a Ph.D. in law from the Center for Law in the Information Society at Leiden University, the Netherlands. He has a Master's Degree in European law (The Netherlands), a Master's Degree in Bulgarian Law (Bulgaria), and a certificate in Public International Law from The Hague Academy of International law.