June 12, 2020
CBI Security Alert: EKANS

In this CBI Security Alert, VP of Systems Engineering Dan Gregory provides his perspective on the EKANS ransomware threat that has been targeting industrial control system environments.

What is EKANS?

EKANS is an obfuscated ransomware variant targeting industrial control system (ICS) environments. First detected in mid-December 2019, EKANS represents an evolution in malware/ransomware designed to target control system environments. EKANS joins a handful of similar ICS-specific ransomware variants including Havex and CrashOverride, with the security community generally identifying MegaCortex as its predecessor.

To date, EKANS has successfully infected a number of companies, typically demanding ransoms ranging from $20,000 to $5.8 million.

How does EKANS attack ICS environments?

Industrial Control Systems (“ICS”) environments typically have computers running traditional Microsoft Windows operating systems. These assets control the physical manufacturing systems (PLCs, assembly lines, presses, CNC machines, robots, etc.) that produce parts or finished products.

The first thing EKANS does when loaded on one of these systems is to check for the “EKANS” Mutex on the victim’s machine. A Mutex allows multiple program threads to share the same resource, such as file access, but not simultaneously. If the Mutex already exists, the threat ceases its activity, treating the machine as already infected. Otherwise, it creates the Mutex and then kills several processes associated with specific ICS operations.

At this time it is believed EKANS has a static kill list of 64 different processes that it attempts to halt. If it succeeds in killing these processes, it proceeds to encrypt files before dropping its ransom note.

Files are renamed after encryption by appending a random five-character string of upper- and lower-case letters to the original file extension. At this time the security community believes most variants of EKANS lack the code needed to reboot or shut down the system or to close remote access channels.

Unlike MegaCortex, EKANS does not seem to have a self-propagating mechanism. However, EKANS does seem to spread using scripts or an Active Directory compromise. This technique has enabled EKANS to perpetrate a large-scale compromise of an enterprise’s network.

EKANS appears to be designed to exploit a list of highly specific vulnerabilities in a subset of ICS manufacturers’ equipment, namely:

  • GE’s Proficy data historian
  • GE Fanuc licensing server services
  • Honeywell’s HMIWeb application
  • ThingWorx Industrial Connectivity Suite
  • A range of other remote monitoring and licensing server offerings.

Despite its limited functionality, EKANS represents a new evolution in ICS-targeting malware.

How can I recognize EKANS in my environment?

Organizations should look for the existence of e-mail addresses that contain the string “Bapco”. Researchers believe EKANS (“Snake” spelled backwards) is related to the Dustman attack in December that reportedly infected Bahrain’s national oil company, also known as Bapco.

At this time, EKANS does not seem to have the ability to modify, manipulate or otherwise change process logic. EKANS has the following technical characteristics:

  • File Name: update.exe
  • MD5: 3d1cc4ef33bad0e39c757fce317ef82a
  • SHA1: f34e4b7080aa2ee5cfee2dac38ec0c306203b4ac
  • SHA256: e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60
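
As an added example that is not part of the alert, the following Python scan applies the indicators listed above to a directory tree: it matches the published file name and hashes and also flags file names that fit the renaming pattern described earlier (original extension followed by five random letters). The extension list in the heuristic and the sample tree are constructed assumptions.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Indicators published in the alert: the sample's file name and hashes.
IOC_FILENAME = "update.exe"
IOC_HASHES = {
    "md5": "3d1cc4ef33bad0e39c757fce317ef82a",
    "sha1": "f34e4b7080aa2ee5cfee2dac38ec0c306203b4ac",
    "sha256": "e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60",
}
# EKANS appends five random upper/lower-case letters to the original extension
# (report.docx -> report.docxQwErT). The extension list here is an assumption.
ENCRYPTED_NAME = re.compile(
    r"\.(docx?|xlsx?|pptx?|pdf|txt|csv|mdb|sql|bak|zip|jpe?g|png)[A-Za-z]{5}$")

def file_hashes(path):
    """MD5, SHA1 and SHA256 of one file (whole file in memory; fine for endpoints)."""
    data = Path(path).read_bytes()
    return {algo: hashlib.new(algo, data).hexdigest() for algo in IOC_HASHES}

def classify(path):
    """Return the reasons this file is flagged (empty list if none)."""
    reasons, name = [], Path(path).name
    if name.lower() == IOC_FILENAME:
        reasons.append("filename matches IOC")
    for algo, digest in file_hashes(path).items():
        if digest == IOC_HASHES[algo]:
            reasons.append(f"{algo} matches IOC")
    if ENCRYPTED_NAME.search(name):
        reasons.append("name pattern matches EKANS-encrypted file")
    return reasons

def scan_directory(root):
    """Walk root recursively; return {path: reasons} for every flagged file."""
    return {str(p): r for p in Path(root).rglob("*")
            if p.is_file() and (r := classify(str(p)))}

def build_sample_tree():
    """Create a constructed demo tree (placeholder bytes, not real samples)."""
    root = tempfile.mkdtemp(prefix="ekans_demo_")
    for name, data in [("update.exe", b"placeholder, not the real sample"),
                       ("report.docxQwErT", b"\x00" * 16), ("clean.txt", b"hello")]:
        Path(root, name).write_bytes(data)
    return root
```

A hash match is conclusive; the name pattern is a heuristic that will also catch legitimately odd file names, so review those hits rather than acting on them automatically.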

After encrypting files, EKANS drops the following ransom note, which victims see when attempting to access them:

———————

What happened to your files?

We breached your corporate network and encrypted the data on your computers. The encrypted data includes documents, databases, photos and more – all were encrypted using a military grade encryption algorithm (AES-256 and RSA-2048). You can’t access those files right now. But don’t worry! You can still get those files back and be up and running in no time.

How to contact us to get your files back?

The only way to restore your files is by purchasing a decryption tool loaded with a private key we created specifically for your network. Once run on an affected computer, the tool will decrypt all encrypted files – and you can resume day-to-day operations, preferably with better cyber security in mind. If you are interested in purchasing the decryption tool contact us at bapcocrypt@ctemplar.com

How can you be certain we have the decryption tool?

In your mail to us attach up to 3 files (up to 3MB, no databases or spreadsheets).

We will send them back to you decrypted.

———————

What does CBI recommend?

Here is a list of our top 10 proactive steps you can take to prevent or mitigate damage from an EKANS ransomware attack.

  1. Perform an immediate scan of all endpoints for the filename, MD5 and SHA values listed above. These scans should ideally include OT assets where applicable. Do your homework: many new MD5 and SHA values are being posted.
  2. Immediately run an OT asset visibility and risk assessment, including an accurate inventory of all OT assets.
  3. Instruct all responsible personnel to perform OT firmware updates as quickly and efficiently as possible, prioritizing the manufacturers listed above.
  4. Produce and maintain a technically accurate OT network map. Identify all assets with direct connection to the Internet and put a plan in place to control, monitor or restrict that traffic when and wherever possible.
  5. Implement a next-gen EDR platform with extended OT security capabilities. These solutions should be deployed in OT environments as a high priority with strong considerations for organizational-wide deployment.
  6. Scan all emails containing the string “Bapco”.
  7. Implement PKI or similar token-based communication when and wherever possible throughout the network.
  8. Implement controls in your control system networks that prohibit the execution of unsigned binaries, so that only sanctioned applications can run.
  9. Leverage your ICS historian operations to identify potentially disruptive attacks in progress by monitoring your historian’s network traffic with a capable SIEM platform. Target cases where multiple endpoints abnormally cease communicating and reporting to their assigned historian at approximately the same time.
  10. Generate regular backups of important files, ICS configurations, administration and historian systems, and store them in a secure location which is not easily accessible from the internal network or Internet.
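
Step 9 in code, as an added example that is not part of the alert: it replays constructed historian log lines and flags endpoints that stopped reporting to the historian at approximately the same time, while ignoring a single endpoint that merely drops off. The log format, reporting interval and thresholds are assumptions to adapt to your own historian and SIEM.

```python
from datetime import datetime, timedelta

# Constructed sample log: one line per report an OT endpoint sends to the historian,
# as a SIEM might export it. The field layout is an assumption; adapt parse() to
# your historian's own logging format.
SAMPLE_LOG = """\
2020-06-12T10:00:00Z historian recv src=press-01
2020-06-12T10:00:00Z historian recv src=press-02
2020-06-12T10:00:00Z historian recv src=cnc-07
2020-06-12T10:00:00Z historian recv src=robot-03
2020-06-12T10:00:30Z historian recv src=press-01
2020-06-12T10:00:30Z historian recv src=press-02
2020-06-12T10:00:30Z historian recv src=cnc-07
2020-06-12T10:00:30Z historian recv src=robot-03
2020-06-12T10:01:00Z historian recv src=robot-03
2020-06-12T10:01:30Z historian recv src=robot-03
2020-06-12T10:02:00Z historian recv src=robot-03
2020-06-12T10:02:30Z historian recv src=robot-03
"""

def parse(log):
    """Yield (timestamp, endpoint) for every 'src=' report line."""
    for line in log.splitlines():
        ts, _, rest = line.partition(" ")
        endpoint = rest.split("src=", 1)[1].split()[0]
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), endpoint

def detect_mass_silence(log, interval_s=30, missed=3, min_hosts=3, window_s=60):
    """Return endpoints that (a) have missed `missed` reporting intervals as of the
    last log entry and (b) went quiet within `window_s` of at least `min_hosts` - 1
    other endpoints. One host dropping off is routine; a cluster is the alert case."""
    last_seen, now = {}, None
    for ts, src in parse(log):
        last_seen[src] = max(ts, last_seen.get(src, ts))
        now = ts if now is None else max(now, ts)
    if now is None:
        return set()
    silent = sorted((ts, src) for src, ts in last_seen.items()
                    if now - ts >= timedelta(seconds=interval_s * missed))
    flagged = set()
    for i, (start, _) in enumerate(silent):
        group = [src for ts, src in silent[i:] if (ts - start).total_seconds() <= window_s]
        if len(group) >= min_hosts:
            flagged.update(group)
    return flagged
```

Tune interval_s to each endpoint class's real reporting cadence; a threshold that is too loose will flag planned maintenance windows rather than a kill-list event.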

Please feel free to contact us if you are concerned about this particular piece of ransomware or you would like to discuss these recommendations with an operational security expert.

About the Author
Dan Gregory
VP Solutions Architecture
Dan has more than 15 years of field experience in performing regulatory compliance controls assessments and policy review. Dan has extensive experience in development and internal process audits with a focus on the financial, healthcare, manufacturing, and retail industries. Dan has performed countless controls assessments and efficiently deploys solution-based integrations designed to protect critical infrastructure, data, brand confidence, and reputation.