EKANS Ransomware Has Direct Implications for ICS Operations, and It May Not Be the First

Until mid-2019, previous ICS-impacting ransomware had been limited to only IT-based mechanisms that enabled the propagation into control system environments. ICS cybersecurity firm Dragos assesses the newly disclosed EKANS ransomware (also reported as SNAKE) is not the first sample with direct ICS-impacting implications. Dragos believes EKANS is not new ransomware as previously suggested, but instead represents an obfuscated, hardened ransomware variant based on MEGACORTEX version 2 behavior identified in mid-2019 by cybersecurity firm Accenture. Dragos also points out that EKANS (and its presumed parent MEGACORTEX variant) represent a notable shift in the specific risk to industrial operations not previously observed in ransomware. As originally reported in the Security & Resilience Update for January 28, 2020, EKANS does have a mechanism for terminating various ICS-related processes on victim machines. However, EKANS is not currently capable of self-propagation or further manipulating or injecting commands into the named ICS-related processes, thus limiting its destructive capabilities. Nonetheless, with the inclusion of HMI software, historian clients, and additional items, EKANS indicates at least a minimal awareness of control system environment processes and functionality, and a deeply concerning evolution in ICS-targeting malware. Read the report at Dragos