You say “SNAKE,” I say “EKANS” – The Misgivings of Malware Naming and Agitation of Attribution

Author: Jennifer Walker

Created: Thursday, June 18, 2020 - 18:32

Categories: Cybersecurity

Researchers have the right to dub malware findings whatever they want, but in doing so it seems prudent to avoid possible confusion with previous, similarly named activity. For instance, ICS cybersecurity firm Dragos aptly points out that the naming of the ransomware variant originally dubbed “SNAKE” and “EKANS” has recently resulted in multiple outlets ill-advisedly linking this relatively new ransomware activity to an old group of the same name (a.k.a. Turla, Venomous Bear, Waterbug, etc.; see MITRE ATT&CK for more information on the state-sponsored cyberespionage group Turla). Thus far there has been insufficient evidence to attribute this ransomware to the old group known for its state-sponsored cyberespionage. According to Dragos, all available evidence at present indicates EKANS is likely criminal activity designed for monetization, and not a state-sponsored, disruptive campaign masquerading as ransomware. Therefore, to avoid further confusion and misattribution, Dragos refers to the ransomware variant exclusively as EKANS.

However, despite EKANS’ likely link to criminally motivated actions, it represents a very real and present threat to ICS operations and is part of a continued evolution by multiple ransomware entities toward targeting high-profile industrial and critical infrastructure entities. And while EKANS has yet to demonstrate the capability to manipulate industrial processes akin to Stuxnet, CRASHOVERRIDE, or TRISIS, its basic functionality to terminate them could prove devastating if performed at the wrong time. Regardless of malware naming, behavior, or group attribution, one thing remains true: “malicious entities continue to refine their operations to target entities ranging from manufacturers through critical infrastructure providers, such as power and water utility companies.” To clear up the confusion between SNAKE and EKANS, read the post at Dragos.
