Snake ransomware attack hits power company Enel Group

News by Andrew McCorkell

The Enel Group was hit by a ransomware attack from EKANS (SNAKE) ransomware operators that affected its internal network, according to reports.

An EKANS (SNAKE) ransomware attack on The Enel Group was detected by on 7 June.

The company reportedly confirmed its internal IT network was disrupted due to a ransomware attack, which was caught by antivirus software before the malware could infect.

Tackling the incident meant the company had to isolate its corporate network for a limited time.

David Emm, principal security researcher at Kaspersky, said: “While the company hasn’t confirmed which ransomware, there have been reports that it is SNAKE, which has been used in the past in targeted ransomware attacks. Nor is it clear how the attackers were able to gain a foothold in the company’s network.

“The disruption appears to have been limited and related to the measures taken by Enel to deal with the infection. 

"Hackers seek to exploit vulnerabilities they can find in a system, including human fallibilities, to infiltrate networks - for many types of cyber-attack. So it’s vital that companies take steps to make their network as resilient as possible.”

Emm said all companies must:

  • Protect all corporate devices
  • Apply updates to operating systems and applications
  • Limit access to the network, and data stored on it, to those who need it
  • Ensure that staff use complex, unique passwords and multi-factor authentication to access corporate systems
  • Backup data regularly and ensure that backup drives are kept offline
  • Educate staff about the risks of clicking on attachments or links in unsolicited messages

In a statement, The Enel Group said isolating the network was to "carry out all interventions aimed at eliminating any residual risk” and that all connectivity was restored early on 8 June.

A company spokesperson said: “The Enel Group informs that on Sunday evening there was a disruption on its internal IT network, following the detection, by the antivirus system, of a ransomware.

"As a precaution, the company temporarily isolated its corporate network in order to carry out all interventions aimed at eliminating any residual risk. The connections were restored safely on Monday early morning.

“Enel informs that no critical issues have occurred concerning the remote control systems of its distribution assets and power plants, and that customer data have not been exposed to third parties. Temporary disruptions to customer care activities could have occurred for a limited time caused by the temporary blockage of the internal IT network.”

Enel was not available for further explanation and did not comment on the name of the ransomware used in the attack, though a researcher reportedly identified a SNAKE/EKANS sample.

In an email to SC Media UK, Oleg Kolesnikov, VP of Threat Research and head of Securonix Research Lab, Securonix, commented: “Over the past few months, manufacturers around the globe shut down offices and plants in accordance with lockdown measures due to the Covid-19 pandemic. The recent ransomware attack that impacted Enel’s internal network highlights that critical infrastructure is incredibly vulnerable to ransomware attack because there is often no other choice but to pay the ransom in order to continue providing a vital service. Fortunately Enel was able to limit the spread of malware, however future enterprises may not be so lucky.

"One of the things that sets the EKANS malware, which was reportedly used in the Enel ransomware attack, apart is a relatively high amount of manual effort/targeting typically involved in the operator placement activity, which can sometimes enable them to have a bigger impact on the victims. The same malware was recently used on a ransomware attack against car manufacturer Honda. With some of the recent attacks observed, it appears that the malicious threat actors are expanding the list of targets to manufacturing and critical infrastructure.

"While the attack behaviours used by the malicious ransomware payload itself are fairly trivial, the Golang-based payload encryption process, and also the list of processes that are terminated to maximise the ability of the ransomware to encrypt sensitive data and impact the targets appear to be longer that some of the other ransomware instances observed, and some of the past instances of the malware family also included impacting processes from the ICS/SCADA/OT environments, which is uncommon for ransomware.”

Andrew McCorkell recommends

Ransomware costs double if you pay up

Read more

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews