Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

EKANS Ransomware Raises Industrial-Control Worries

Although the ransomware is unsophisticated, the malware does show that some crypto-attackers are targeting certain industrial control products.

A fairly unsophisticated ransomware attack has raised a few eyebrows among security researchers for its ability to force computers to stop specific activities, or processes, related to industrial control systems, critical-infrastructure security firm Dragos stated in a report published on February 3.

In the past, ransomware has generally caused disruption in industrial control system (ICS) environments as a side effect of the malware's destructive activity — encrypting data would cause some software to fail, causing outages. Although a relatively primitive attack, the EKANS ransomware actively targets certain products common in ICS environments, says Joe Slowik, an adversary hunter with Dragos.

However, the program does not seem to be a significant danger at this point, he says. "It is certainly nothing to dismiss; it can still be disrupted to industrial operations, but it is important to note that the ransomware does not have the ability to modify, manipulate, or otherwise change process logic, which is where we get into the really concerning events," Slowik says.

The ransomware targets processes started as part of GE's Proficy data historian, which records events and the status of devices on the network, GE Fanuc licensing server services, and Honeywell's HMIWeb application, Dragos stated in the report. The targeting of ICS processes puts EKANS in the same category as the MegaCortex ransomware, which has successfully infected companies' systems and demanded ransoms ranging from $20,000 to $5.8 million.

"[T]he specificity of processes listed in a static 'kill list' shows a level of intentionality previously absent from ransomware targeting the industrial space," the Dragos report stated. "ICS asset owners and operators are therefore strongly encouraged to review their attack surface and determine mechanisms to deliver and distribute disruptive malware, such as ransomware, with ICS-specific characteristics."

The tactic of stopping processes is common among malware. Many programs will attempt to stop antivirus as a first step in infecting a system. EKANS has a static kill list of 64 different processes that it attempts to halt, but MegaCortex has its own, much larger, list of 1,000 processes. 

Dragos argues that the two programs could be related. However, EKANS is much less of a threat then MegaCortex.

"While killing the historian processes is certainly inconvenient and not a good thing, it certainly not something that will shut a plant down," Slowik says. "It will make operations more difficult."

Killing the other services could lead to more disruption. This is ICS-aware malware, he says, it represents a fairly primitive form of intrusion.

The existence of an e-mail addresses that contains the string "bapco" has led some researchers to speculate that EKANS, which others call Snake, is related to the Dustman attack in December that reportedly infected Bahrain's national oil company, also known as Bapco.

Yet, Slowik remains unconvinced.

"While the email address is provocative in light of this news, the EKANS sample appears unrelated to the Dustman event," he stated in the report. "One possibility is that EKANS was in fact used at Bapco in an incident prior to Dustman, while another is that current public reporting is confusing the Dustman incident — which all available information indicates is focused on Saudi Arabia — with a widespread and potentially disruptive ransomware event at Bapco occurring around the same time."

So, who wrote this program? Slowik is not so sure.

"It is an open question," he says. "There have been reports that this is an Iranian operation, but that is a bit of a stretch."

In the past, the level of attention that attacking a utility or industrial facility would have attracted to the perpetrator kept many attackers too concerned about consequences to target such facilities. Yet EKANS demonstrates that ICS asset owners need to have visibility into the state of their infrastructure, Slowik says.

"Organizations need to adjust their risk profile appropriately [and acknowledge] that their risk does not stop at state-sponsored entities or the random worm-able infection," Slowik says. "It seems increasingly that threat actors, whether they be criminals or otherwise, are more willing to operate in these areas, risks be damned."

Related Content

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "AppSec Concerns Drove 61% of Businesses to Change Applications."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-36197
PUBLISHED: 2021-05-13
An improper access control vulnerability has been reported to affect earlier versions of Music Station. If exploited, this vulnerability allows attackers to compromise the security of the software by gaining privileges, reading sensitive information, executing commands, evading detection, etc. This ...
CVE-2020-36198
PUBLISHED: 2021-05-13
A command injection vulnerability has been reported to affect certain versions of Malware Remover. If exploited, this vulnerability allows remote attackers to execute arbitrary commands. This issue affects: QNAP Systems Inc. Malware Remover versions prior to 4.6.1.0. This issue does not affect: QNAP...
CVE-2021-28799
PUBLISHED: 2021-05-13
An improper authorization vulnerability has been reported to affect QNAP NAS running HBS 3 (Hybrid Backup Sync. ) If exploited, the vulnerability allows remote attackers to log in to a device. This issue affects: QNAP Systems Inc. HBS 3 versions prior to v16.0.0415 on QTS 4.5.2; versions prior to v3...
CVE-2021-22155
PUBLISHED: 2021-05-13
An Authentication Bypass vulnerability in the SAML Authentication component of BlackBerry Workspaces Server (deployed with Appliance-X) version(s) 10.1, 9.1 and earlier could allow an attacker to potentially gain access to the application in the context of the targeted user’s acco...
CVE-2021-23134
PUBLISHED: 2021-05-12
Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.2 allows local attackers to elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local user with the CAP_NET_RAW capability.