Attacks and Vulnerabilities
Vendors

EKANS ransomware targeting industrial control systems

February 08, 2020
EKANS ransomware

In early January of this year, industrial cybersecurity provider Dragos published a private report to it’s Dragos WorldView Threat Intelligence customers. The report detailed a new  threat known as EKANS ransomware which first emerged in mid-December 2019.

EKANS is unique in its ability to forcibly stop processes related to industrial control systems. Recognizing the devastating consequences this threat could have, on February 3, Dragos decided to release it’s findings to the public.

“While all indications at present show a relatively primitive attack mechanism on control system networks, the specificity of processes listed in a static ‘kill list’ shows a level of intentionality previously absent from ransomware targeting the industrial space,” Dragos says in it’s report. “ICS asset owners and operators are therefore strongly encouraged to review their attack surface and determine mechanisms to deliver and distribute disruptive malware, such as ransomware, with ICS-specific characteristics.”

[optin-monster-shortcode id=”dv4jqlr9fih8giagcylw”]

Dragos is one of several cybersecurity firms currently examining the EKANS ransomware, sometimes referred to as Snake. SentinelLabs observed the ransomware in targeted campaigns throughout the month of January.

“Snake, like other targeted ransomware campaigns, has the potential to do serious and critical damage to an infected environment,” SentinelLabs said in a report. “As always we should stay aware and vigilant, and aggressively defend environments against this type of attack. Part of this strategy comes down to properly choosing, deploying, and maintaining a modern endpoint protection technology. It is also critical to have functional and well-tested backup procedures in place as part of your greater business continuity and disaster recovery planning.”

According to Dragos, EKANS is a relatively straightforward kind of ransomware in terms of encrypting files and displaying a ransom note. However, the ransom was designed to terminate named processes on victim machines. This differs from previous ransomware variants targeting ICS environments, because these IT-focused variants were distributed into control system environments by way of enterprise mechanisms.

Dragos also identified a relationship between EKANS and ransomware called MEGACORTEX, which also contained some ICS-specific characteristics. Last year, MEGACORTEX was involved in at least 47 known attacks during one 48-hour period.

“EKANS underscores the importance for asset owners and operators to achieve visibility into their assets,” Dragos says. “By taking stock of available assets and connections within an environment, asset owners can understand the potential consequences of an adversary deploying ICS-specific ransomware against a certain asset, the impact to operations or related processes, and take measures to defend against them.”

Some experts, including cybersecurity firm Otorio, believe EKANS is linked to Iran.

“Iran has targeted its neighbors’ industrial infrastructure more than once. Furthermore, Iran’s hackers are known to learn from the capabilities and actions of others and to copy and utilize them to their advantage,” Otorio said in a January 27 report. “Using an already proven” malware (i.e. MegaCortex) and honing it (to target ICSs) is a hallmark of the operation methods of Iranian hackers. This makes Iran not only the immediate suspect – but a highly likely one as well.”

However, Dragos says there is little evidence to demonstrate a link between EKANS and Iran.

“While any connection to “strategic interests” are possible given the size and scope of most states’ long-term strategy, Dragos analysis finds any such link to be incredibly tenuous based upon available evidence,” Dragos says. “Overall, no strong or compelling evidence exists to link EKANS with Iranian strategic interests.”

Dragos asserts that EKANS seems to be the work of cybercriminals instead of state-sponsored actors, a fact that makes the ransomware all the more troubling.

“EKANS despite its limited functionality and nature represents a relatively new and deeply concerning evolution in ICS-targeting malware,” Dragos says. “Whereas previously ICS-specific or ICS-related malware was solely the playground of state-sponsored entities, EKANS appears to indicate non-state elements pursuing financial gain are now involved in this space as well, even if only at a very primitive level. As a result, it is incumbent upon ICS asset owners and operators to learn from not only how EKANS itself functions, but the myriad ways in which malicious software like EKANS can propagate and be distributed in control system environments to prepare actionable, relevant defense.”

Rebecca Addison
Industrial Cyber Editor. Rebecca Addison is a former newspaper editor with a decade of experience in the media industry. During her career, she has interviewed world leaders and corporate CEOs, and covered topics ranging from blockchain and CBD to healthcare and education.

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Related

Hexagon and Dragos announce technical alliance to boost industrial cybersecurity, reduce overall OT cyber risk
Hexagon and Dragos announce technical alliance to boost industrial cybersecurity, reduce overall OT cyber risk
Armis
Armis acquires Silk Security for $150 million to enhance AI-driven cybersecurity capabilities
Nozomi discovers five vulnerabilities in AMI MegaRAC SP-X BMC, exposing OT, IOT devices to RCE attacks
Nozomi secures US$1.25 million US Air Force contract to boost DoD critical infrastructure security
Industrial Cybersecurity Buyers’ Guide 2024 navigates complex industrial landscape
Industrial Cybersecurity Buyers’ Guide 2024 navigates complex industrial landscape
House Energy and Commerce Committee members seek answers from UnitedHealth on Change healthcare cyberattack
House Energy and Commerce Committee members seek answers from UnitedHealth on Change healthcare cyberattack
CISA announces Cyber Storm IX cybersecurity exercise to strengthen national cyber readiness
CISA announces Cyber Storm IX cybersecurity exercise to strengthen national cyber readiness
New NSA guidance identifies need to update AI systems to address changing risks, bolster security
New NSA guidance identifies need to update AI systems to address changing risks, bolster security
Claroty’s Team82 details cyber attack by Blackjack hackers on Moscow's emergency detection systems
Claroty’s Team82 details cyber attack by Blackjack hackers on Moscow’s emergency detection systems
Kaspersky ICS CERT reports on escalating consequences of cyber attacks on industrial organizations
Kaspersky ICS CERT reports on escalating consequences of cyber attacks on industrial organizations
Continuous need to face challenges, build strategies across industrial cybersecurity amidst evolving threats
Continuous need to face challenges, build strategies across industrial cybersecurity amidst evolving threats