In Quorum Cyber’s webinar held on June 24, 2025, Threat Intelligence Analyst Michael Forret, who recently uncovered two variants of the remote access trojan (RAT) malware NodeSnake, and Principal Incident Responder Mark Cunningham-Dickie explained how best to detect it and protect your organisation from cybercriminals.

As covered in our NodeSnake blog, NodeSnake malware technical report, and NodeSnake Deep Dive article, the malware is likely being used by the threat actor Interlock to target local government and higher education organisations.

The population of students in the higher education sector is especially transient. Students tend to use many of their own devices, which are often not easily defended by standard security tools. University researchers can work around the world, often logging into systems from countries and regions that would, in other sectors, flag up potential issues.

Why EDR alone won’t prevent NodeSnake 

Mark stressed that Endpoint Detection and Response (EDR), the category of tools and solutions designed to monitor, detect, and respond to threats on endpoint devices such as computers, laptops, and servers, is not enough to stop NodeSnake, “because it doesn’t prevent the malware from running, or remediate the problem.” While an EDR solution should detect such malicious activity, “it won’t quarantine the malware or stop it from running”. He advised that organisations should implement the principle of least privilege, which only permits people to have access to what they need to do their job.

The NodeSnake webinar is now available to watch on-demand for free. It also includes an engaging Q&A session, which is summarised below. 

Q&A with Quorum Cyber’s Threat Intelligence experts 

As part of the live webinar, Michael and Mark responded to numerous questions submitted by viewers during the interactive Q&A, to add extra depth to their insights following their presentation.  

Question: What steps should an organisation take to establish an incident response (IR) plan tailored to detecting and handling a NodeSnake infiltration? 

Answer: Don’t tailor your IR plan so narrowly, because you won’t be able to cope with the myriad other malware strains in the threat landscape. However, having a playbook for malware isn’t a bad thing.

Question: What type of essential training can businesses undertake to teach their staff how to efficiently react in case of a cyber-attack? 

Answer: Tabletop exercising (TTX) primarily, but this is only for organisations that already have an IR plan and IR playbook.   

Question: Given the evolving nature of threats like NodeSnake malware, which key metrics should I prioritise when reporting to my board to communicate our cyber security posture?   

Answer: Metrics need to be meaningful. The real value is when you can compare what’s happening to a baseline of ‘normal business metrics’ so you can tell what’s abnormal. 

Question: Could NodeSnake be used by other cybercriminals beyond Interlock? 

Answer: Yes, this malware could be used by other ransom operators. Threat actors do talk to each other on forums; they collaborate and share ideas.  

Question: If an organisation identifies NodeSnake or any malware-related breach, what immediate actions should it take for prompt assistance and damage mitigation? 

Answer: We would almost always encourage you to isolate the device and stop it ‘talking’ to anything else. But we would discourage you from wiping the device because it could contain evidence of the cybercrime for forensic investigators. Disconnect it from the network but leave it turned on. The memory might contain valuable information.  


What’s Next? How Quorum Cyber can help protect your organisation 

Our services are designed to protect you before, during, and after any cyber security incident, wherever your organisation is on its security journey.   

As the winner of the Microsoft Security MSSP of the Year for 2025, we provide a comprehensive range of professional services and three tiers of managed security services, plus Clarity Data for data security. Our Threat Intelligence and Incident Response teams offer Incident Response Preparedness, Incident Response Retainer, Emergency MDR, and Brand and Credential Monitoring.

Watch the NodeSnake webinar 

You can watch the NodeSnake webinar on-demand for free.

Join the Threat Intelligence Community to receive updates on threat actor profiles, malware reports, and threat intelligence bulletins.  

Download your free copy of the NodeSnake malware report.
