New EKANS ransomware targets industrial control systems
As reported by Dragos and Sentinel One, a new type of software that encrypts data on infected computers – a.k.a. ransomware – has emerged. It is called EKANS.
What is EKANS ransomware?
EKANS was first detected in mid-December 2019. On the one hand, researchers say this software is relatively simple: It encrypts data and displays a typical ransom demand in exchange for decrypting data. On the other hand, EKANS has the ability to independently terminate selected running processes, i.e. applications, on infected computers. It is characterized by the fact that the list of “killed” processes includes those related to industrial control systems (ICS), such as GE Proficy, ThingWorx, and Honeywell HMI, as well as those related to IoT systems. The selection of these processes indicates that ICSs may be the primary target for EKANS.
Although EKANS may seem simple in comparison with other malicious software developed in order to sabotage industrial systems (one need only remember the famous Stuxnet or BlackEnergy), encrypting computers such as those used to monitor production or transmission lines and thus disconnecting them from the industrial process may have potentially very dangerous consequences.
According to Dragos experts, EKANS shows a similarity to the earlier Megacortex ransomware, which also shut down hundreds of processes on infected computers in spring 2019. Megacortex is credited with successful attacks that led to ransom demands of up to 5.8 million USD.
At the moment, it is not exactly clear who may be responsible for developing EKANS. Among the victims are companies from the fuel sector. The mechanism for the spread of the new ransomware is also unknown. Researchers have not found a built-in automatic propagation mechanism. The malware runs either in interactive mode or through scripts.
Owners and operators of ICS systems are advised to review their infrastructure to check for signs of ransomware infection.
Additionally, as part of prevention, mechanisms can be introduced to prevent new unknown programs from running on computers that run production control systems. At the network level, the transfer of programs can be monitored at the interface of the corporate network and the industrial network to prevent the spread of malware.
As you can see, cybercriminals are increasingly targeting industrial sites. And there's worse news: Living as we are in the era of Industry 4.0 and seeing more and more ICSs connected to the Internet, what used to be completely isolated ICSs can nowadays become very easy targets without proper security. In addition, with constant developments in technology, old Programmable Logic Controllers (PLC) have evolved into modern Programmable Automation Controllers (PAC), running their own operating systems which, like any software, have their own vulnerabilities and bugs. It's not difficult to guess that, at some point, a cyberattack may be directed at the controllers and not the ICS computers. This should already make you aware that, as with protecting computers from malware, it's time to invest in protecting control devices (PAC/PLC) and monitoring industrial networks.