Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

EKANS Ransomware Raises Industrial-Control Worries

Although the ransomware is unsophisticated, the malware does show that some crypto-attackers are targeting certain industrial control products.

A fairly unsophisticated ransomware attack has raised a few eyebrows among security researchers for its ability to force computers to stop specific activities, or processes, related to industrial control systems, critical-infrastructure security firm Dragos stated in a report published on February 3.

In the past, ransomware has generally caused disruption in industrial control system (ICS) environments as a side effect of the malware's destructive activity — encrypting data would cause some software to fail, causing outages. Although a relatively primitive attack, the EKANS ransomware actively targets certain products common in ICS environments, says Joe Slowik, an adversary hunter with Dragos.

However, the program does not seem to be a significant danger at this point, he says. "It is certainly nothing to dismiss; it can still be disrupted to industrial operations, but it is important to note that the ransomware does not have the ability to modify, manipulate, or otherwise change process logic, which is where we get into the really concerning events," Slowik says.

The ransomware targets processes started as part of GE's Proficy data historian, which records events and the status of devices on the network, GE Fanuc licensing server services, and Honeywell's HMIWeb application, Dragos stated in the report. The targeting of ICS processes puts EKANS in the same category as the MegaCortex ransomware, which has successfully infected companies' systems and demanded ransoms ranging from $20,000 to $5.8 million.

"[T]he specificity of processes listed in a static 'kill list' shows a level of intentionality previously absent from ransomware targeting the industrial space," the Dragos report stated. "ICS asset owners and operators are therefore strongly encouraged to review their attack surface and determine mechanisms to deliver and distribute disruptive malware, such as ransomware, with ICS-specific characteristics."

The tactic of stopping processes is common among malware. Many programs will attempt to stop antivirus as a first step in infecting a system. EKANS has a static kill list of 64 different processes that it attempts to halt, but MegaCortex has its own, much larger, list of 1,000 processes. 

Dragos argues that the two programs could be related. However, EKANS is much less of a threat then MegaCortex.

"While killing the historian processes is certainly inconvenient and not a good thing, it certainly not something that will shut a plant down," Slowik says. "It will make operations more difficult."

Killing the other services could lead to more disruption. This is ICS-aware malware, he says, it represents a fairly primitive form of intrusion.

The existence of an e-mail addresses that contains the string "bapco" has led some researchers to speculate that EKANS, which others call Snake, is related to the Dustman attack in December that reportedly infected Bahrain's national oil company, also known as Bapco.

Yet, Slowik remains unconvinced.

"While the email address is provocative in light of this news, the EKANS sample appears unrelated to the Dustman event," he stated in the report. "One possibility is that EKANS was in fact used at Bapco in an incident prior to Dustman, while another is that current public reporting is confusing the Dustman incident — which all available information indicates is focused on Saudi Arabia — with a widespread and potentially disruptive ransomware event at Bapco occurring around the same time."

So, who wrote this program? Slowik is not so sure.

"It is an open question," he says. "There have been reports that this is an Iranian operation, but that is a bit of a stretch."

In the past, the level of attention that attacking a utility or industrial facility would have attracted to the perpetrator kept many attackers too concerned about consequences to target such facilities. Yet EKANS demonstrates that ICS asset owners need to have visibility into the state of their infrastructure, Slowik says.

"Organizations need to adjust their risk profile appropriately [and acknowledge] that their risk does not stop at state-sponsored entities or the random worm-able infection," Slowik says. "It seems increasingly that threat actors, whether they be criminals or otherwise, are more willing to operate in these areas, risks be damned."

Related Content

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "AppSec Concerns Drove 61% of Businesses to Change Applications."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/6/2020
Introducing 'Secure Access Service Edge'
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  7/3/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5604
PUBLISHED: 2020-07-09
Android App 'Mercari' (Japan version) prior to version 3.52.0 allows arbitrary method execution of a Java object by a remoto attacker via a Man-In-The-Middle attack by using Java Reflection API of JavaScript code on WebView.
CVE-2020-5974
PUBLISHED: 2020-07-08
NVIDIA JetPack SDK, version 4.2 and 4.3, contains a vulnerability in its installation scripts in which permissions are incorrectly set on certain directories, which can lead to escalation of privileges.
CVE-2020-15072
PUBLISHED: 2020-07-08
An issue was discovered in phpList through 3.5.4. An error-based SQL Injection vulnerability exists via the Import Administrators section.
CVE-2020-15073
PUBLISHED: 2020-07-08
An issue was discovered in phpList through 3.5.4. An XSS vulnerability occurs within the Import Administrators section via upload of an edited text document. This also affects the Subscriber Lists section.
CVE-2020-2034
PUBLISHED: 2020-07-08
An OS Command Injection vulnerability in the PAN-OS GlobalProtect portal allows an unauthenticated network based attacker to execute arbitrary OS commands with root privileges. An attacker requires some knowledge of the firewall to exploit this issue. This issue can not be exploited if GlobalProtect...