
This ransomware is notable mostly because it tries very hard to avoid detection, harder than most ransomware does. For more information on the ransomware itself, the first specialised articles detail its advanced level of obfuscation. Here is an update on the behaviour of Stormshield Endpoint Security and Stormshield Network Security against it.


Stormshield Endpoint Security – threat management

Interestingly, all the technical material found so far deals with one specific malicious binary, and that binary is not packed in any way.
Blocking execution of the binary by its hash is therefore an effective way to block SNAKE, at least this specific version. Keep in mind that any recompiled or modified build will have a different hash, so the value below is an indicator for this sample rather than a durable protection on its own.

Hash (SHA-256): e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60

And as with all ransomware, one of the most effective ways to stop it is to use SES Application Control to allow only specific applications to access known file extensions. For example, to prevent abnormal processes from accessing Microsoft Office documents, allow only the Office applications to access Office documents.
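The two SES controls described above, a hash-based execution block and an extension allowlist, can be modelled as a small policy check. The following Python is an added example, not SES configuration or Stormshield code: the process names, the allowlist, the stand-in "malicious" image and the sample events are constructed for illustration, and only the SHA-256 value comes from the article.

```python
import hashlib
from pathlib import PureWindowsPath

# Indicator from the article: SHA-256 of the SNAKE sample described above.
SNAKE_SHA256 = "e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60"
BLOCKED_SHA256 = {SNAKE_SHA256}

# Hypothetical allowlist in the spirit of the Office example: for each protected
# extension, the only process images allowed to touch such files.
EXTENSION_ALLOWLIST = {
    ".doc": {"winword.exe"}, ".docx": {"winword.exe"},
    ".xls": {"excel.exe"}, ".xlsx": {"excel.exe"},
    ".ppt": {"powerpnt.exe"}, ".pptx": {"powerpnt.exe"},
}


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a process image as a lowercase hex digest."""
    return hashlib.sha256(data).hexdigest()


def execution_allowed(image: bytes, blocklist=BLOCKED_SHA256) -> bool:
    """Hash-based execution block: deny when the image digest is a known indicator."""
    return sha256_hex(image) not in blocklist


def file_access_allowed(process_name: str, target_path: str,
                        allowlist=EXTENSION_ALLOWLIST) -> bool:
    """Application-control rule: protected extensions are only reachable from the
    allowlisted processes; extensions without a rule are not restricted at all."""
    ext = PureWindowsPath(target_path).suffix.lower()
    allowed = allowlist.get(ext)
    if allowed is None:
        return True
    return process_name.lower() in allowed


def evaluate_events(events, blocklist=BLOCKED_SHA256, allowlist=EXTENSION_ALLOWLIST):
    """Replay endpoint events and return (event_id, decision) pairs.

    Each event is a dict with keys: id, kind ("exec" or "file"), process, and
    either image (bytes, for exec) or path (str, for file)."""
    decisions = []
    for ev in events:
        if ev["kind"] == "exec":
            ok = execution_allowed(ev["image"], blocklist)
        else:
            ok = file_access_allowed(ev["process"], ev["path"], allowlist)
        decisions.append((ev["id"], "allow" if ok else "block"))
    return decisions


# Constructed sample data: a benign image, a stand-in "malicious" image whose hash
# is added to the blocklist for the demo (no real sample is available to hash), and
# three file-access attempts against an Office document and a JPEG.
BENIGN_IMAGE = b"MZ constructed benign image"
DEMO_BAD_IMAGE = b"MZ constructed stand-in for the SNAKE sample"
DEMO_BLOCKLIST = BLOCKED_SHA256 | {sha256_hex(DEMO_BAD_IMAGE)}

SAMPLE_EVENTS = [
    {"id": 1, "kind": "exec", "process": "notepad.exe", "image": BENIGN_IMAGE},
    {"id": 2, "kind": "exec", "process": "update.exe", "image": DEMO_BAD_IMAGE},
    {"id": 3, "kind": "file", "process": "WINWORD.EXE",
     "path": r"C:\Users\alice\Documents\budget.docx"},
    {"id": 4, "kind": "file", "process": "update.exe",
     "path": r"C:\Users\alice\Documents\budget.docx"},
    {"id": 5, "kind": "file", "process": "update.exe",
     "path": r"C:\Users\alice\Pictures\cat.jpg"},
]

if __name__ == "__main__":
    for event_id, decision in evaluate_events(SAMPLE_EVENTS, DEMO_BLOCKLIST):
        print(event_id, decision)
```

Event 5 is the caveat worth noticing: the allowlist only protects the extensions it names, so the unknown process is still free to touch the JPEG. When writing the real rules, list every document type that matters to you, and remember that a product enforces this on the signed process image rather than on a bare file name as this toy does.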


Stormshield Network Security – threat management

The Breach Fighter and SNS Premium Antivirus options both detect the binary described above.

More generally, the Breach Fighter option is also able to detect the data-encryption operations performed by ransomware, even when the binary's hash is not yet known.
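Detecting the encryption behaviour rather than a known hash is what makes that kind of protection useful against a fresh build. The following Python is an added, generic illustration of one such behavioural heuristic (byte entropy of rewritten files combined with a per-process rate); it is not Breach Fighter's logic or Stormshield code, and the thresholds, process names and sample writes are constructed.

```python
import math
import random
from collections import Counter, defaultdict

# Constructed thresholds: plaintext documents usually sit well below 6 bits per byte,
# while compressed or encrypted data approaches 8. Tune against real traffic.
ENTROPY_THRESHOLD = 7.5
MIN_SIZE = 256          # tiny writes give no meaningful entropy estimate
FILES_PER_WINDOW = 5    # distinct high-entropy rewrites before a process is flagged


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant input, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes) -> bool:
    """True when a written buffer is large enough and close to maximal entropy."""
    return len(data) >= MIN_SIZE and shannon_entropy(data) >= ENTROPY_THRESHOLD


def suspicious_processes(write_events):
    """Return the set of process names that rewrote at least FILES_PER_WINDOW
    distinct files with high-entropy content.

    Each event is (process_name, path, written_bytes); the window is the whole list.
    The rate requirement is what keeps a single archive or already-encrypted file
    from raising an alert on its own."""
    high_entropy_files = defaultdict(set)
    for process, path, data in write_events:
        if looks_encrypted(data):
            high_entropy_files[process].add(path)
    return {p for p, files in high_entropy_files.items() if len(files) >= FILES_PER_WINDOW}


# Constructed sample writes. A seeded PRNG stands in for ciphertext; real ransomware
# output would be indistinguishable from it for this measurement.
_rng = random.Random(2020)


def _random_blob(size: int = 4096) -> bytes:
    return bytes(_rng.getrandbits(8) for _ in range(size))


PLAINTEXT = b"Quarterly budget: revenue, costs, headcount, forecast.\n" * 40

SAMPLE_WRITES = (
    [("winword.exe", r"C:\Users\alice\Documents\budget.docx", PLAINTEXT)]
    + [("update.exe", rf"C:\Users\alice\Documents\file{i}.docx", _random_blob())
       for i in range(6)]
    + [("explorer.exe", r"C:\Users\alice\Downloads\archive.zip", _random_blob())]
)

if __name__ == "__main__":
    for process, path, data in SAMPLE_WRITES:
        print(f"{process:14} {shannon_entropy(data):5.2f} bits/byte  {path}")
    print("flagged:", suspicious_processes(SAMPLE_WRITES))
```

In the sample, explorer.exe writing one high-entropy archive is not flagged, while update.exe rewriting six documents as near-random bytes is. A real agent would observe these writes by hooking file I/O and would combine entropy with other signals (renames to a new extension, dropped ransom notes, shadow-copy deletion) to keep false positives low.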

About the author

Julien Paffumi, Head of Product Management, Stormshield

Julien Paffumi began his career at Arkoon in the R&D department as a Quality Engineer. He then became Product Manager for Arkoon Fast360 firewalls, followed by the Stormshield Management Center centralised administration console, before becoming Product Portfolio Manager. Now Head of Product Management, Julien leads the Product Management team in collectively defining the direction of the entire Stormshield portfolio.