Another week in ransomware, and another malware family has adopted the practice of publishing data of victims online.

SpearTip has confirmed Snake (file extension .ekans) has begun engaging along the same lines of NetWalker, Clop, and Maze ransomware families. These groups not only ransom environments, but also are actively exfiltrating data and posting this online to demand a ransom payment.

Originally reported by BleepingComputer in January of 2020, Snake Ransomware has been relatively quiet since its original inception in January. Greater awareness of Snake increased around May 6, 2020 when Fresenius, Europe’s largest private hospital operator was hit with the ransomware according to Fresenius is a major provider of dialysis products and services being utilized heavily due to the current COVID-19 pandemic.

Furthermore, Snake Ransomware, around May 10, 2020, began posting over 200 records, allegedly from Fresenius Medical Care, of victim data including customer names, gender, birth date, nationality of the patient, address and phone number stating, “there’s more to come.” This is an increasingly common switch in strategy within the ransomware marketplace where bad actors are posting data on top of ransoming these companies.

Courtesy of BleepingComputer

Similar to Emotet, SpearTip threat researchers found multiple pieces of the malicious code written in Delphi. Also similar to Emotet and other trojans, this ransomware has the capability to spread across a network without having to be pushed by a bad actor.

Additionally, on top of having the capability to spread automatically, based on SpearTip’s analysis, this malware appears to be specifically searching networks for Industrial Control Systems and COVID-19 related systems. APT groups targeting healthcare and essential services was first publicly briefed by the US-Cert May 5, 2020.  

From SpearTip’s observations, Snake is the latest in the long list of malware variants known for exfiltrating data. To learn more about what we have talked about recently, read our blog on the shift from encryption to extortion.

For more information on how to prepare for an event like this, visit or email [email protected] to speak with a cybersecurity professional.

24/7 Breach Response: 833.997.7327