Security researchers have been baffled by a mysterious piece of ransomware which they believe is designed to specifically target industrial control systems - information systems used to monitor complex industrial processes and critical infrastructures that deliver power, water, transport, manufacturing and other essential services.
EKANS is an obfuscated ransomware variant written in the Go programming language first observed in late December 2019. In addition to common ransomware capabilities, EKANS features functionality to forcibly stop a number of processes, including multiple items related to ICS operations, cybersecurity firm Dragos says.
“While all indications at present show a relatively primitive attack mechanism on control system networks, the specificity of processes listed in a static “kill list” shows a level of intentionality previously absent from ransomware targeting the industrial space”, the report said.
Once it has infected a host, the malware checks whether a mutex named “EKANS” is present on the target system. If the mutex is present, the malware aborts; otherwise it creates the mutex and starts the encryption process. Before proceeding to file encryption, the ransomware force-stops (“kills”) processes listed by process name in a hard-coded list stored within the malware's encoded strings. The listed processes are related to security or management software (Qihoo 360 Safeguard and Microsoft System Center), databases (Microsoft SQL Server), data backup solutions (IBM Tivoli), or ICS operations.
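The pre-encryption kill-list behaviour described above leaves a distinctive telemetry footprint: a single process terminating many unrelated services within seconds, followed by file writes. The following added example (not code from Dragos or from the article) shows a defender-side detection for that pattern over constructed EDR-style log lines. The event format, the process names and the pids are assumptions made for this illustration, not the actual EKANS kill list, which the article does not reproduce.

```python
"""Detect a burst of process terminations from one actor, the footprint
of a hard-coded kill list run just before file encryption."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events for this illustration, not real telemetry.
# pid 4120 mimics the EKANS pattern: one process killing many services,
# then writing renamed files. pid 900 is ordinary admin activity.
SAMPLE_EVENTS = """\
2019-12-28T10:00:00Z pid=900 action=process_terminate target=print_spooler.exe
2019-12-28T10:05:01Z pid=4120 action=process_terminate target=av_shield.exe
2019-12-28T10:05:01Z pid=4120 action=process_terminate target=mgmt_agent.exe
2019-12-28T10:05:02Z pid=4120 action=process_terminate target=dbserver.exe
2019-12-28T10:05:02Z pid=4120 action=process_terminate target=backup_agent.exe
2019-12-28T10:05:03Z pid=4120 action=process_terminate target=historian_svc.exe
2019-12-28T10:05:03Z pid=4120 action=process_terminate target=hmi_runtime.exe
2019-12-28T10:05:09Z pid=4120 action=file_write target=C:\\data\\report.docx.locked
"""

# Assumed line layout: "<iso timestamp> pid=<n> action=<verb> target=<name>"
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) action=(?P<action>\w+) target=(?P<target>.+)$"
)


def parse_events(text):
    """Parse log lines into (timestamp, pid, action, target) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, int(m["pid"]), m["action"], m["target"]))
    return events


def find_kill_bursts(events, window=timedelta(seconds=30), min_kills=5):
    """Return {pid: sorted distinct targets} for every actor that terminated
    at least `min_kills` distinct processes inside any `window`-long span.
    A single service restart never trips this; a kill list does."""
    kills = defaultdict(list)
    for ts, pid, action, target in events:
        if action == "process_terminate":
            kills[pid].append((ts, target))

    alerts = {}
    for pid, items in kills.items():
        items.sort()  # order by timestamp for the sliding window
        start = 0
        for end in range(len(items)):
            # shrink the window from the left until it fits in `window`
            while items[end][0] - items[start][0] > window:
                start += 1
            distinct_in_window = {t for _, t in items[start:end + 1]}
            if len(distinct_in_window) >= min_kills:
                alerts[pid] = sorted({t for _, t in items})
                break
    return alerts


if __name__ == "__main__":
    for pid, targets in find_kill_bursts(parse_events(SAMPLE_EVENTS)).items():
        print(f"ALERT pid={pid} terminated {len(targets)} processes: {', '.join(targets)}")
```

The threshold and window are tunable; on a real host the detection is most useful when paired with the follow-on signal the article describes (mass file writes or renames by the same pid), so that a legitimate maintenance script that stops several services is not mistaken for ransomware.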
Since EKANS has no built-in propagation or spreading mechanism, it must be launched either interactively or via script to infect a host, Dragos explains.
During the analysis, the researchers discovered a link between the EKANS malware and another ICS-targeting ransomware family, MEGACORTEX. Specifically, process kill activity similar to EKANS was spotted in a newer variant of MEGACORTEX in mid-2019.
While a previous report from Israeli cybersecurity firm Otorio tied the EKANS malware to Iranian state-sponsored hackers, Dragos found the links to be “incredibly tenuous” based upon available evidence.
“Absent any additional context, EKANS instead appears to be a fairly standard ransomware variant, albeit with some additional concerning functionality. While there are examples of ransomware-like malware being used as a means to achieve widespread destruction, no evidence exists that EKANS was designed to mimic such functionality. Furthermore, past experience both in cyber and physical realms (since Iranian-linked interests were happy to launch missiles and destructive drones against Saudi oil infrastructure in September 2019) adds a significant burden to the argument such an actor would desire or need to obfuscate operations,” the report said.
The report also noted that the ransomware the company analyzed indicates the involvement of a cybercriminal group pursuing financial gain (albeit at a primitive level) rather than a state-sponsored entity.