EKANS Ransomware Detected with ICS-Specific Functions

Security researchers are warning of a new ransomware strain containing functionality to target industrial control systems (ICS) — evidence that cyber-criminals are gearing up for more attacks on such environments.

Discovered in mid-December last year, EKANS joins just a handful of similar ICS-specific variants including Havex and CrashOverride, according to security vendor Dragos.

It’s described as relatively straightforward ransomware that encrypts files and displays a ransom note, but the malware differs from most in that it names ICS processes in a static “kill list.” In the past, ransomware that has impacted ICS environments, such as the LockerGoga shutdown of Norsk Hydro, has been IT-focused and only spread into such systems via enterprise mechanisms, Dragos explained.

Among the ICS products referenced in the code are: GE’s Proficy data historian, GE Fanuc licensing server services, Honeywell’s HMIWeb application and ThingWorx Industrial Connectivity Suite, as well as a range of other remote monitoring and licensing server offerings.

There’s no self-propagation mechanism included in the ransomware; instead it must be launched interactively or via a script once the threat actors behind it have achieved large-scale compromise of a victim organization, such as via Active Directory.

Although primitive, EKANS presents “specific and unique risks and cost-imposition scenarios for industrial environments,” warned Dragos.

“EKANS (and its likely predecessor MegaCortex) represent an adversary evolution to hold control system environments specifically at risk. As such, EKANS despite its limited functionality and nature represents a relatively new and deeply concerning evolution in ICS-targeting malware,” the firm concluded.

“Whereas previously ICS-specific or ICS-related malware was solely the playground of state-sponsored entities, EKANS appears to indicate non-state elements pursuing financial gain are now involved in this space as well, even if only at a very primitive level.”

However, not all experts agree. Emsisoft threat analyst Brett Callow argued that the ransomware isn’t designed to target ICS environments specifically.

“The most likely reason for it stopping ICS processes is simply so that the files used by those processes can be encrypted. In-use files cannot be encrypted, which is why ransomware typically tries to stop a multitude of processes,” he explained.

“Additionally, there’s no reason to believe that EKANS was developed to target a specific company or industry. Nor is it running rampant: there have been a grand total of five submissions to ID Ransomware.”
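Whichever reading is right, the behaviour both sides describe (a static kill list that stops a set of named ICS processes shortly before encryption) is something defenders can look for in process-termination telemetry. The following is an added example, not code from Dragos, Emsisoft or the EKANS sample itself: it scans a constructed set of Sysmon-style “process terminated” records and alerts when several distinct watchlisted processes die on one host within a short window. The process names in the watchlist are placeholders derived from the product families named in the article, not the real kill-list entries, and the pipe-delimited log format is assumed for the example.

```python
"""Flag burst termination of watchlisted ICS processes (added example).

Heuristic: a single host where several distinct ICS-related processes are
terminated within a short window looks like a kill list being run, not like
routine maintenance, which usually restarts one service at a time.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical watchlist: placeholder names standing in for the historian,
# licensing, HMI and connectivity processes the article mentions. The actual
# EKANS kill list is not reproduced here.
ICS_WATCHLIST = {
    "proficy_historian_placeholder.exe",
    "fanuc_license_placeholder.exe",
    "hmiweb_placeholder.exe",
    "thingworx_connectivity_placeholder.exe",
}

# Constructed sample records in an assumed "timestamp|host|image path" format,
# modelled loosely on Sysmon Event ID 5 (ProcessTerminate) fields.
# hmi-01 shows a kill-list burst; eng-02 shows two unrelated restarts hours apart.
SAMPLE_EVENTS = [
    "2019-12-15T10:00:01|hmi-01|C:\\Windows\\System32\\notepad.exe",
    "2019-12-15T10:00:05|hmi-01|C:\\Vendor\\proficy_historian_placeholder.exe",
    "2019-12-15T10:00:06|hmi-01|C:\\Vendor\\fanuc_license_placeholder.exe",
    "2019-12-15T10:00:07|hmi-01|C:\\Vendor\\hmiweb_placeholder.exe",
    "2019-12-15T10:00:09|hmi-01|C:\\Vendor\\thingworx_connectivity_placeholder.exe",
    "2019-12-15T09:10:00|eng-02|C:\\Vendor\\hmiweb_placeholder.exe",
    "2019-12-15T11:30:00|eng-02|C:\\Vendor\\fanuc_license_placeholder.exe",
    "2019-12-15T11:31:00|eng-02|C:\\Windows\\explorer.exe",
]


def parse_event(line):
    """Split one record into (timestamp, host, lower-cased image file name)."""
    ts, host, image = line.strip().split("|")
    return datetime.fromisoformat(ts), host, image.rsplit("\\", 1)[-1].lower()


def find_kill_bursts(lines, window=timedelta(seconds=60), min_distinct=3):
    """Return {host: set of watchlisted images} for every host on which at least
    `min_distinct` different watchlisted processes were terminated inside `window`.
    """
    per_host = defaultdict(list)
    for line in lines:
        ts, host, image = parse_event(line)
        if image in ICS_WATCHLIST:
            per_host[host].append((ts, image))

    alerts = {}
    for host, events in per_host.items():
        events.sort()  # chronological order so each event can open a window
        for i, (start, _) in enumerate(events):
            seen = {img for ts, img in events[i:] if ts - start <= window}
            if len(seen) >= min_distinct:
                alerts[host] = seen
                break
    return alerts


if __name__ == "__main__":
    for host, images in find_kill_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {len(images)} ICS processes terminated within 60s: "
              + ", ".join(sorted(images)))
```

Tuning the window and the distinct-process threshold is what keeps this from firing on a planned maintenance restart; pairing the alert with a subsequent spike in file writes or renames on the same host is the natural next correlation, since the point of stopping the processes, as Callow notes, is to free their files for encryption.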
