Fraud Management & Cybercrime , Next-Generation Technologies & Secure Development , Ransomware

New Ransomware Targets Industrial Controls: Report

Dragos Researchers Describe Potential Threat Posed by Ekans Ransomware
New Ransomware Targets Industrial Controls: Report

Ekans, a recently discovered ransomware variant that’s designed to target industrial control systems, appears to have some of the same characteristics found in Megacortex, malware that struck several high-profile targets in 2019, according to the security firm Dragos.

See Also: Live Webinar | Adversary Analysis of Ransomware Trends

Ekans, also known as Snake, appears to be designed to target the software used to run large-scale industrial facilities, Dragos says in a report issued Monday.

Dragos analysts believe that Eknas likely was created by cybercriminals with the intent of extorting ransom from victims (see: Hackers Increasingly Probe North American Power Grid).

"While Dragos cannot completely rule out the possibility of state-sponsored use, available evidence more strongly links this to non-state actors, including criminal entities," Joe Slowik, adversary hunter with Dragos, tells Information Security Media Group. "As a result, this could be sold in criminal or related markets for use by other entities, as observed in other ransomware families."

Security researchers first spotted Eknas in December 2019. But Slowik notes that, so far, Dragos has not confirmed that any organizations have been hit with an Eknas-fueled attack. Much of Dragos’ research is based on samples taken from unspecified "commercial malware repositories."

It's also not clear whether the developers behind Eknas plan to target a region or specific organizations that use industrial controls systems, such as oil and gas firms, electric utilities or manufacturing facilities, according to the Dragos report.

Target: ICS

Ekans appears to have been developed using the Go or Golang programming language, the researchers say. It’s designed to work much like other ransomware with the ability to encrypt files and data and deliver a ransom note to the targeted organization, according to the report.

What makes Ekans unique, however, is that it focuses on industrial control systems, including those designed by GE and Honeywell, the researchers say.

In most ransomware attacks, a Windows-based device within the main IT infrastructure is targeted, and the malware can potentially spread to industrial control systems, according to Dragos.

Ekans ransom note (Source: Dragos)

Ekans, however, apparently is designed to be used to target Windows-based devices as well as industrial control systems, the Dragos researchers say. Its code lists about 60 industrial processes that the ransomware will attempt to halt or kill if the infection is successful, according to the report.

"The ransomware will execute on and encrypt any Windows system, but contains the additional functionality of stopping certain GE and Honeywell related processes if they are present on the host," Slowik says.

Ekans’ ability to encrypt and close down industrial control systems potentially could cause organizationwide power outages and other serious issues, the Dragos report says.

"The specificity of processes listed in a static 'kill list' shows a level of intentionality previously absent from ransomware targeting the industrial space," the report states.

Dragos researchers warn that the owners and operators of industrial controls systems should take the time now to review their infrastructure before Ekans-based attacks spread.

Dragos researchers also note that Ekans apparently is not designed to self-propagate through a network, which means that the attackers must plant the ransomware within the network either interactively or through a script. This means that organizations would be specifically targeted by attacks.

"Ekans follows a trend observed in other ransomware families, such as Ryuk and Megacortex, among others, where self-propagation is avoided in favor of performing large-scale compromise of an enterprise network," according to the report.

Once the Ekans ransomware has infected the targeted systems, files would be encrypted using a random, five-letter character extension, and a ransom note would then be delivered to the victime, according to the report.

And while other researchers have studied Ekans or Snake, not all are convinced that it's specifically targeting industrial control systems. Brett Callow, a threat analyst with security firm Emsisoft, notes that while ransomware does evolve over time, such as moving from encryption-only attacks to encryption plus exfiltration attacks, this does not mean that cybercriminals have turned their attention to targeting these types of victims.

"The most likely reason for it stopping [industrial control system] processes is simply so that the files used by those processes can be encrypted. In-use files cannot be encrypted, which is why ransomware typically tries to stop a multitude of processes," Callow says adding that his firm's analysis has only seen about five samples of this ransomware so far.

Connection to Megacortex?

Dragos researchers offer some details about the apparent relationship between this ransomware and Megacortex, which was used in some high-profile attacks in 2019 (see: MegaCortex Ransomware Demands Millions From Victims).

In July 2019, Megacortex struck online cloud hosting provider iNSYNQ, according to news reports. And while it's not been proven, some security experts say that accounting software giant Wolters Kluwer was also a victim of this crypto-locking malware (see: Ransomware Attackers May Lurk for Months, FBI Warns).

Dragos notes that many of the 60 industrial systems on the Ekans kill list are the same as those that Megacortex targets.

"Dragos is not certain the relationship between the two at this time," Slowik says, adding that the process kill list embedded in the Ekans code is similar to the target list associated with MegaCortex that Accenture researchers identified in 2019.

About the Author

Scott Ferguson

Scott Ferguson

Former Managing Editor, GovInfoSecurity, ISMG

Ferguson was the managing editor for the media website at Information Security Media Group. Before joining ISMG, he was editor-in-chief at eWEEK and director of audience development for InformationWeek. He's also written and edited for Light Reading, Security Now, Enterprise Cloud News, TU-Automotive, Dice Insights and

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.