In early January of this year, industrial cybersecurity provider Dragos published a private report to its Dragos WorldView Threat Intelligence customers. The report detailed a new threat, EKANS ransomware, which first emerged in mid-December 2019.
EKANS stands out for its ability to forcibly stop processes related to industrial control systems (ICS). Recognizing the devastating consequences this threat could have, Dragos released its findings to the public on February 3.
“While all indications at present show a relatively primitive attack mechanism on control system networks, the specificity of processes listed in a static ‘kill list’ shows a level of intentionality previously absent from ransomware targeting the industrial space,” Dragos says in its report. “ICS asset owners and operators are therefore strongly encouraged to review their attack surface and determine mechanisms to deliver and distribute disruptive malware, such as ransomware, with ICS-specific characteristics.”
Dragos is one of several cybersecurity firms currently examining the EKANS ransomware, sometimes referred to as Snake. SentinelLabs observed the ransomware in targeted campaigns throughout the month of January.
“Snake, like other targeted ransomware campaigns, has the potential to do serious and critical damage to an infected environment,” SentinelLabs said in a report. “As always we should stay aware and vigilant, and aggressively defend environments against this type of attack. Part of this strategy comes down to properly choosing, deploying, and maintaining a modern endpoint protection technology. It is also critical to have functional and well-tested backup procedures in place as part of your greater business continuity and disaster recovery planning.”
According to Dragos, EKANS is a relatively straightforward piece of ransomware in terms of encrypting files and displaying a ransom note. What sets it apart is that, before encrypting, it terminates named processes on victim machines from a static kill list, and that list includes ICS-specific processes. Previous ransomware that reached ICS environments was IT-focused: it had no ICS-specific functionality and ended up in control system networks only by way of enterprise mechanisms.
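The kill-list behaviour described above suggests a simple behavioural detection: a host on which several operator-critical processes are terminated within seconds of each other. The following is an added example written for this page, not code from Dragos's report or from EKANS itself. The process names in the watch list, the `key=value` event format, the sample events and the thresholds are all constructed assumptions; a real deployment would populate the watch list from the site's own asset inventory and feed it from whatever endpoint telemetry records process exits.

```python
"""Heuristic detection of ransomware-style process 'kill list' activity.

Added example for illustration only. Flags a host on which several
watch-listed process names are terminated within a short window, the
pattern the article attributes to EKANS before it encrypts files.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical watch list of operator-critical process names (assumption;
# not taken from any published indicator list).
WATCHLIST = {
    "historian.exe",
    "hmi_runtime.exe",
    "opc_server.exe",
    "alarm_mgr.exe",
    "backup_agent.exe",
}

# Constructed sample telemetry in an assumed 'key=value' format.
# hmi-01 shows a burst of terminations; eng-ws-02 shows benign, isolated exits.
SAMPLE_EVENTS = [
    "ts=2020-01-15T03:12:01Z host=hmi-01 event=process_terminated image=historian.exe pid=1402",
    "ts=2020-01-15T03:12:02Z host=hmi-01 event=process_terminated image=hmi_runtime.exe pid=2210",
    "ts=2020-01-15T03:12:02Z host=hmi-01 event=process_terminated image=opc_server.exe pid=2288",
    "ts=2020-01-15T03:12:03Z host=hmi-01 event=process_terminated image=alarm_mgr.exe pid=3001",
    "ts=2020-01-15T03:12:09Z host=hmi-01 event=process_started image=notepad.exe pid=3100",
    "ts=2020-01-15T03:40:00Z host=eng-ws-02 event=process_terminated image=historian.exe pid=910",
    "ts=2020-01-15T09:15:00Z host=eng-ws-02 event=process_terminated image=backup_agent.exe pid=1012",
]


def parse_event(line):
    """Parse one 'key=value' event line into a dict; 'ts' becomes a datetime."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect_kill_list_bursts(lines, window_seconds=30, threshold=3):
    """Return one alert per host where at least `threshold` distinct
    watch-listed processes were terminated within `window_seconds`."""
    per_host = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev.get("event") != "process_terminated":
            continue
        image = ev["image"].lower()
        if image in WATCHLIST:
            per_host[ev["host"]].append((ev["ts"], image))

    window = timedelta(seconds=window_seconds)
    alerts = []
    for host, events in per_host.items():
        events.sort()  # chronological; sliding window starts at each event
        for i, (start, _) in enumerate(events):
            names = {img for ts, img in events[i:] if ts - start <= window}
            if len(names) >= threshold:
                alerts.append({"host": host, "start": start,
                               "processes": sorted(names)})
                break  # one alert per host is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_kill_list_bursts(SAMPLE_EVENTS):
        print(f"{alert['host']} at {alert['start']:%H:%M:%S}: "
              f"{len(alert['processes'])} critical processes stopped "
              f"({', '.join(alert['processes'])})")
```

The rule keys on distinct process names rather than raw event counts, so a single crashing service that restarts repeatedly does not trip it, while a burst that stops several unrelated critical services does. Tune the window and threshold against normal maintenance activity (planned shutdowns will look similar) before acting on the alert automatically.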
Dragos also identified a relationship between EKANS and ransomware called MEGACORTEX, which also contained some ICS-specific characteristics. Last year, MEGACORTEX was involved in at least 47 known attacks during one 48-hour period.
“EKANS underscores the importance for asset owners and operators to achieve visibility into their assets,” Dragos says. “By taking stock of available assets and connections within an environment, asset owners can understand the potential consequences of an adversary deploying ICS-specific ransomware against a certain asset, the impact to operations or related processes, and take measures to defend against them.”
Some experts, including cybersecurity firm Otorio, believe EKANS is linked to Iran.
“Iran has targeted its neighbors’ industrial infrastructure more than once. Furthermore, Iran’s hackers are known to learn from the capabilities and actions of others and to copy and utilize them to their advantage,” Otorio said in a January 27 report. “Using an already proven malware (i.e. MegaCortex) and honing it (to target ICSs) is a hallmark of the operation methods of Iranian hackers. This makes Iran not only the immediate suspect – but a highly likely one as well.”
However, Dragos says there is little evidence to demonstrate a link between EKANS and Iran.
“While any connection to ‘strategic interests’ is possible given the size and scope of most states’ long-term strategy, Dragos analysis finds any such link to be incredibly tenuous based upon available evidence,” Dragos says. “Overall, no strong or compelling evidence exists to link EKANS with Iranian strategic interests.”
Dragos assesses that EKANS appears to be the work of cybercriminals rather than state-sponsored actors, which makes the ransomware all the more troubling.
“EKANS despite its limited functionality and nature represents a relatively new and deeply concerning evolution in ICS-targeting malware,” Dragos says. “Whereas previously ICS-specific or ICS-related malware was solely the playground of state-sponsored entities, EKANS appears to indicate non-state elements pursuing financial gain are now involved in this space as well, even if only at a very primitive level. As a result, it is incumbent upon ICS asset owners and operators to learn from not only how EKANS itself functions, but the myriad ways in which malicious software like EKANS can propagate and be distributed in control system environments to prepare actionable, relevant defense.”