New ransomware targets industrial control systems

With the ransomware threat is surging unstoppably in the last few years, it was just a matter of time until ICS-specific ransomware became a reality.

Researchers from various security outfits have been analyzing EKANS (aka Snake) since it emerged in mid-December 2019 and found that, among other things, it’s capable of stopping a number of processes (applications) related to ICS (industrial control system) operations.

“While all indications at present show a relatively primitive attack mechanism on control system networks, the specificity of processes listed in a static ‘kill list’ shows a level of intentionality previously absent from ransomware targeting the industrial space,” Dragos researchers pointed out.

How does this ICS-specific ransomware work?

Analyzed by researchers from the MalwareHunterTeam, SentinelOne and Dragos, the EKANS ransomware presents many characteristics of general-purpose ransomware targeting Windows-based systems: when delivered on target systems, it first checks whether it’s already present then, if not, it forcefully stops a long list of processes and then begins executing encryption operations and removes Volume Shadow Copy backups on the victim machine.

“While some of the referenced processes appear to relate to security or management software (e.g., Qihoo 360 Safeguard and Microsoft System Center), the majority of the listed processes concern databases (e.g., Microsoft SQL Server), data backup solutions (e.g., IBM Tivoli), or ICS-related processes,” Dragos researchers noted.

“ICS products referenced include numerous references to GE’s Proficy data historian, with both client and server processes included. Additional ICS-specific functionality referenced includes GE Fanuc licensing server services and Honeywell’s HMIWeb application. Remaining ICS-related items consist of remote monitoring (e.g., historian-like) or licensing server instance such as FLEXNet and Sentinel HASP license managers and ThingWorx Industrial Connectivity Suite.”

EKANS isn’t capable of injecting commands into or manipulating ICS-related processes, so its destructive capabilities are limited to making administrators lose view of what’s happening with control systems and on the network. How much this will impact the actual industrial environment will depend on its specific setup, configurations, process links, etc.

According to Dragos researchers, the malware is incapable of spreading by itself and relies on the attackers to launch it either interactively or via script.

It’s also less disruptive than most ransomware, as “user access to the encrypted system is maintained throughout the process, and the system does not reboot, shutdown, or close remote access channels.”

Who’s using it?

While Otorio researchers believe the malware to be wielded by Iran-sponsored attackers but, according to Dragos adversary hunter Joe Slowik, the evidence for this claim is not strong nor compelling.

On the other hand, it seems that EKANS has similarities with version 2 of the MegaCortex ransomware, which also sports a process “kill list” containing – among others – the processes EKANS stops.

“Based on this information, it appears EKANS is not unique, or at least not first, in targeting ICS-related processes,” Dragos researchers noted.

The MegaCortex ransomware has been used to target large corporate networks and workstations in the United States, Canada and parts of Europe.

Dragos researchers did not offer an opinion of who might be deploying EKANS.