5 February 2020

Novel EKANS ransomware targets industrial control systems


Security researchers have been baffled by a mysterious piece of ransomware which they believe is designed to specifically target industrial control systems - information systems used to monitor complex industrial processes and the critical infrastructure that delivers power, water, transport, manufacturing and other essential services.

EKANS is an obfuscated ransomware variant written in the Go programming language first observed in late December 2019. In addition to common ransomware capabilities, EKANS features functionality to forcibly stop a number of processes, including multiple items related to ICS operations, cybersecurity firm Dragos says.

“While all indications at present show a relatively primitive attack mechanism on control system networks, the specificity of processes listed in a static ‘kill list’ shows a level of intentionality previously absent from ransomware targeting the industrial space”, the report said.

Once it infects a host, the malware checks whether a mutex named “EKANS” is already present on the system. If the mutex exists, the malware aborts; otherwise it creates the mutex and starts the encryption process. Before encrypting files, the ransomware force-stops (“kills”) processes listed by process name in a hard-coded list held within the malware's encoded strings. The listed processes relate to security or management software (Qihoo 360 Safeguard and Microsoft System Center), databases (Microsoft SQL Server), data backup solutions (IBM Tivoli), or ICS operations.
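The behaviour described above (a single parent terminating security, database, backup and ICS processes in quick succession before encryption) is something a defender can look for in endpoint telemetry. The following is an added example, not code from the article or from Dragos: it parses a constructed process-termination log format (the `event=proc_terminated` lines and the process names in the watchlist are made up for this example and are not the malware's actual kill list) and flags any host where watchlisted processes from several different categories were killed inside a short window.

```python
"""Heuristic detection of mass process termination ahead of encryption.

Added example (not from the article). The log format, host names and
watchlisted process names below are constructed for illustration only; the
watchlist is NOT the ransomware's real hard-coded kill list.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed watchlist grouped by the categories the article names
# (security/management software, databases, backup solutions, ICS processes).
WATCHLIST = {
    "security": {"av_guard.exe", "endpoint_agent.exe"},
    "management": {"scm_agent.exe"},
    "database": {"sqlservr.exe"},
    "backup": {"backup_svc.exe"},
    "ics": {"hmi_runtime.exe", "historian.exe"},
}

# Hypothetical one-line-per-event format: "<iso-timestamp> host=<h> event=proc_terminated image=<i> parent=<p>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=proc_terminated "
    r"image=(?P<image>\S+) parent=(?P<parent>\S+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "host": m["host"],
        "image": m["image"].lower(),
        "parent": m["parent"].lower(),  # kept for triage: who issued the kills
    }


def categorize(image):
    """Return the watchlist category for a process image name, or None."""
    for cat, names in WATCHLIST.items():
        if image in names:
            return cat
    return None


def find_kill_bursts(lines, window=timedelta(seconds=30), min_categories=3):
    """Return {host: sorted categories} for each host where watchlisted processes
    spanning at least `min_categories` distinct categories were terminated
    within `window`. A single stopped database or backup agent is normal
    operations; several categories dying together is the suspicious pattern."""
    events = [e for e in map(parse_line, lines) if e]
    by_host = defaultdict(list)
    for e in events:
        cat = categorize(e["image"])
        if cat:
            by_host[e["host"]].append((e["ts"], cat))
    hits = {}
    for host, evs in by_host.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            cats = {c for t, c in evs[i:] if t - start <= window}
            if len(cats) >= min_categories:
                hits[host] = sorted(cats)
                break
    return hits


# Constructed sample telemetry: one host shows a burst, the other routine restarts.
SAMPLE_LOG = """\
2020-01-15T03:12:01 host=eng-ws-07 event=proc_terminated image=av_guard.exe parent=update.exe
2020-01-15T03:12:02 host=eng-ws-07 event=proc_terminated image=sqlservr.exe parent=update.exe
2020-01-15T03:12:02 host=eng-ws-07 event=proc_terminated image=backup_svc.exe parent=update.exe
2020-01-15T03:12:03 host=eng-ws-07 event=proc_terminated image=hmi_runtime.exe parent=update.exe
2020-01-15T03:12:04 host=eng-ws-07 event=proc_terminated image=notepad.exe parent=explorer.exe
2020-01-15T08:00:00 host=hmi-01 event=proc_terminated image=sqlservr.exe parent=services.exe
2020-01-15T11:30:00 host=hmi-01 event=proc_terminated image=backup_svc.exe parent=services.exe
"""

if __name__ == "__main__":
    for host, cats in find_kill_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"{host}: watchlisted processes killed in one burst: {', '.join(cats)}")
```

Run against the constructed sample, only `eng-ws-07` is flagged; `hmi-01` stops a database and a backup agent hours apart, which the window keeps below the threshold. In a real deployment the watchlist would be populated from the organisation's own security, backup and ICS process inventory, and the `parent` field retained by `parse_line` is the first thing to pivot on during triage.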

Since EKANS has no built-in propagation or spreading mechanism, it must be launched either interactively or via script to infect a host, Dragos explains.

During the analysis, the researchers discovered a link between the EKANS malware and another ICS-targeting ransomware family, MEGACORTEX. Specifically, process kill activity similar to EKANS was spotted in a newer variant of MEGACORTEX in mid-2019.

While a previous report from Israeli cybersecurity firm Otorio tied the EKANS malware to Iranian state-sponsored hackers, Dragos found the links to be “incredibly tenuous” based on the available evidence.

“Absent any additional context, EKANS instead appears to be a fairly standard ransomware variant, albeit with some additional concerning functionality. While there are examples of ransomware-like malware being used as a means to achieve widespread destruction, no evidence exists that EKANS was designed to mimic such functionality. Furthermore, past experience both in cyber and physical realms (since Iranian-linked interests were happy to launch missiles and destructive drones against Saudi oil infrastructure in September 2019) adds a significant burden to the argument such an actor would desire or need to obfuscate operations,” the report said.

The report also noted that the ransomware the company analyzed indicates the involvement of a cybercriminal group pursuing financial gain (albeit at a primitive level) rather than state-sponsored entities.
