Ransomware Recap: SnakeLocker Hides Under Two Names

Ransomware operators continue to diversify their attack tactics with the discovery of SnakeLocker—a new variant that uses two names in an attempt to dodge security scanners.

Detected by Trend Micro as Ransom_SnakeLocker, this new variant appends encrypted files with either a '.snake' or a '.TGIF' extension name to confuse security scanners and avoid detection. But while different in name, SnakeLocker still exhibits the same behavior no matter what the file extension is. It supports RSA and AES ciphers, which it describes as "a top notch, extremely secure encryption algorithm," in its ransom note. SnakeLocker scans local disks, network shares, and USB drives for photos, music, videos, databases, presentations, text and spreadsheets to encrypt, and is also capable of deleting Shadow Volume Copies from the hard drive.

Figure 1. SnakeLocker ransom note

In its ransom note, SnakeLocker poses as an accommodating file hostage-taker by politely outlining instructions to victims who may not know how to purchase Bitcoins (BTC). It demands victims to pay a ransom of 0.1 BTC to get their files back.

Here are other notable ransomware stories this week:


The Bam ransomware (Ransom_BAM.A) claims to have used a special crypto-code to encrypt the victims’ files. Its lock screen doesn’t mention any ransom amount, but it instructs the victim to contact the indicated email addresses to buy the needed decrypt tool.

Figure 2. Bam ransom note

When executed, Bam appends encrypted files with a .bam extension name and targets a large number of file types that include font, programming, database, word processor, and text file formats.


Figure 3. Symbiom ransom note

Meanwhile, run-of-the-mill ransomware variants still exist with the discovery of Symbiom (Ransom_CRYPTEARSYMB.A). This new variant adds ‘symbiom_ransomware_locked’ to the files it encrypt. It encrypts a variety of file types that include Microsoft Office documents, as well as video, audio, and image file formats, and demands a ransom of 0.1 Bitcoin (US$250) to decrypt the files.

Users and security administrators in organizations should stay vigilant against the diversifying threats of ransomware. Regularly backing up important files can mitigate the damage caused by a ransomware infection, but a multi-layered approach is key to defending all possible gateways from ransomware.

Ransomware Solutions

Enterprises can benefit from a multi-layered, step-by-step approach in order to best mitigate the risks brought by these threats. Email and web gateway solutions such as Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security prevent ransomware from ever reaching end users. At the endpoint level, Trend Micro Smart Protection Suites deliver several capabilities like high-fidelity machine learning, behavior monitoring and application control, and vulnerability shielding that minimizes the impact of this threat. Trend Micro Deep Discovery Inspector detects and blocks ransomware on networks, while Trend Micro Deep Security™ stops ransomware from reaching enterprise servers–whether physical, virtual or in the cloud. 

For small businesses, Trend Micro Worry-Free Services Advanced offers cloud-based email gateway security through Hosted Email Security. Its endpoint protection also delivers several capabilities such as behavior monitoring and real-time web reputation in order detect and block ransomware. 

For home users, Trend Micro Security 10 provides strong protection against ransomware by blocking malicious websites, emails, and files associated with this threat. 

End users and enterprises can also benefit from multilayered mobile security solutions such as Trend MicroMobile Security for Android™ (available on Google Play), and Trend MicroMobile Security for Apple devices (available on the App Store). Trend MicroMobile Security for Enterprise provide device, compliance and application management, data protection, and configuration provisioning, as well as protect devices from attacks that leverage vulnerabilities, preventing unauthorized access to apps, as well as detecting and blocking malware and fraudulent websites. 

Users can likewise take advantage of our free tools such as the Trend Micro Lock Screen Ransomware Tool, which is designed to detect and remove screen-locker ransomware; as well as Trend Micro Crypto-Ransomware File Decryptor Tool, which can decrypt certain variants of crypto-ransomware without paying the ransom or the use of the decryption key.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.