In this CBI Security Alert, VP of Systems Engineering Dan Gregory provides his perspective on the EKANS ransomware threat that has been targeting industrial control system environments.
EKANS is an obfuscated ransomware variant targeting industrial control system (ICS) environments. First detected in mid-December 2019, EKANS represents an evolution in malware/ransomware designed to target control system environments. EKANS joins a handful of similar ICS-specific ransomware variants including Havex and CrashOverride, with the security community generally identifying MegaCortex as its predecessor.
To date, EKANS has successfully infected a number of companies, typically demanding ransoms ranging from $20,000 to $5.8 million.
Industrial Control Systems (“ICS”) environments typically have computers running traditional Microsoft Windows operating systems. These assets control the physical manufacturing systems (PLCs, assembly lines, presses, CNC machines, robots, etc.) that produce parts or finished products.
The first thing EKANS does when loaded on one of these systems is to check for the “EKANS” Mutex value on a victim’s machine. A Mutex value allows multiple program threads to share the same resources, such as file access, but not simultaneously. If it uncovers this value, the threat ceases its activity. Otherwise, it sets the Mutex value and then kills several processes associated with specific ICS operations.
At this time it is believed EKANS has a static kill list of 64 different processes that it attempts to halt. If it is successful in killing these processes, it can then proceed with its file encryption process before dropping its ransom note.
Files are renamed after encryption by appending a random five-character string (upper- and lower-case letters) to the original file extension. At this time the security community believes most variants of EKANS lack the programming needed to reboot or shut down the system or to close remote access channels.
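The renaming pattern described above can be turned into a simple check over a file listing. This is an added example, not code from this alert or from any vendor tool; the extension set, the per-directory threshold and the sample paths are assumptions constructed for illustration.

```python
from collections import Counter
from pathlib import PureWindowsPath

# Assumed starter set of extensions to watch; extend it for your environment.
KNOWN_EXTS = {"doc", "docx", "xls", "xlsx", "pdf", "txt", "csv", "sql", "bak", "xml", "cfg"}
SUFFIX_LEN = 5  # the alert describes five upper- and lower-case letters


def split_appended_suffix(path):
    """Return (original_ext, appended) if the name looks like <name>.<ext><5 letters>."""
    ext = PureWindowsPath(path).suffix[1:]  # drop the leading dot
    base, tail = ext[:-SUFFIX_LEN], ext[-SUFFIX_LEN:]
    if (base.lower() in KNOWN_EXTS and len(tail) == SUFFIX_LEN
            and tail.isascii() and tail.isalpha()):
        return base, tail
    return None


def suspicious_directories(paths, min_hits=3):
    """Count matching files per directory; report those at or above min_hits.

    A single match can be coincidence (e.g. 'notes.txtfinal'), so only
    directories with several renamed files are returned.
    """
    hits = Counter()
    for p in paths:
        if split_appended_suffix(p):
            hits[str(PureWindowsPath(p).parent)] += 1
    return {d: n for d, n in hits.items() if n >= min_hits}


# Constructed sample listing (not from a real incident).
SAMPLE = [
    r"D:\hist\batch_0412.csvQzRtP",
    r"D:\hist\batch_0413.csvmKdWa",
    r"D:\hist\recipes.xmlBnYuE",
    r"D:\hist\readme.txt",
    r"C:\Users\op1\notes.txtfinal",   # benign look-alike, below the threshold
    r"C:\Users\op1\report.docx",
]

if __name__ == "__main__":
    for directory, count in suspicious_directories(SAMPLE).items():
        print(f"{directory}: {count} files with an appended five-letter suffix")
```

Feed it the output of a recursive directory listing from a file server or engineering workstation; a directory that crosses the threshold is a prompt for investigation, not a verdict.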
Unlike MegaCortex, EKANS does not seem to have a self-propagating mechanism. However, EKANS does seem to spread using scripts or an Active Directory compromise. This technique has enabled EKANS to perpetrate a large-scale compromise of an enterprise’s network.
EKANS appears to be designed to exploit a list of unique vulnerabilities within a subset of ICS manufacturers’ equipment. Namely:
Despite its limited functionality and nature, EKANS may represent a new evolution in ICS-targeting malware.
Organizations should look for the existence of e-mail addresses that contain the string “Bapco”. Researchers believe EKANS (Snake spelled backwards) is related to the Dustman attack in December that reportedly infected Bahrain’s national oil company, also known as Bapco.
At this time, EKANS does not seem to have the ability to modify, manipulate or otherwise change process logic. EKANS has the following technical characteristics:
After EKANS encrypts your files, the following note is displayed when you attempt to access them:
What happened to your files?
We breached your corporate network and encrypted the data on your computers. The encrypted data includes documents, databases, photos and more – all were encrypted using a military grade encryption algorithm (AES-256 and RSA-2048). You cannot access those files right now. But don’t worry! You can still get those files back and be up and running in no time.
How to contact us to get your files back?
The only way to restore your files is by purchasing a decryption tool loaded with a private key we created specifically for your network. Once run on an affected computer, the tool will decrypt all encrypted files – and you can resume day-to-day operations, preferably with better cyber security in mind. If you are interested in purchasing the decryption tool contact us at email@example.com
How can you be certain we have the decryption tool?
In your mail to us attach up to 3 files (up to 3MB, no databases or spreadsheets).
We will send them back to you decrypted.
Here is a list of our top 10 proactive steps you can take to prevent or mitigate damage from an EKANS ransomware attack.
Please feel free to contact us if you are concerned about this particular piece of ransomware or you would like to discuss these recommendations with an operational security expert.