Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

EKANS Ransomware Raises Industrial-Control Worries

Although the ransomware is unsophisticated, the malware does show that some crypto-attackers are targeting certain industrial control products.

A fairly unsophisticated ransomware attack has raised a few eyebrows among security researchers for its ability to force computers to stop specific activities, or processes, related to industrial control systems, critical-infrastructure security firm Dragos stated in a report published on February 3.

In the past, ransomware has generally caused disruption in industrial control system (ICS) environments as a side effect of the malware's destructive activity — encrypting data would cause some software to fail, causing outages. Although a relatively primitive attack, the EKANS ransomware actively targets certain products common in ICS environments, says Joe Slowik, an adversary hunter with Dragos.

However, the program does not seem to be a significant danger at this point, he says. "It is certainly nothing to dismiss; it can still be disrupted to industrial operations, but it is important to note that the ransomware does not have the ability to modify, manipulate, or otherwise change process logic, which is where we get into the really concerning events," Slowik says.

The ransomware targets processes started as part of GE's Proficy data historian, which records events and the status of devices on the network, GE Fanuc licensing server services, and Honeywell's HMIWeb application, Dragos stated in the report. The targeting of ICS processes puts EKANS in the same category as the MegaCortex ransomware, which has successfully infected companies' systems and demanded ransoms ranging from $20,000 to $5.8 million.

"[T]he specificity of processes listed in a static 'kill list' shows a level of intentionality previously absent from ransomware targeting the industrial space," the Dragos report stated. "ICS asset owners and operators are therefore strongly encouraged to review their attack surface and determine mechanisms to deliver and distribute disruptive malware, such as ransomware, with ICS-specific characteristics."

The tactic of stopping processes is common among malware. Many programs will attempt to stop antivirus as a first step in infecting a system. EKANS has a static kill list of 64 different processes that it attempts to halt, but MegaCortex has its own, much larger, list of 1,000 processes. 

Dragos argues that the two programs could be related. However, EKANS is much less of a threat then MegaCortex.

"While killing the historian processes is certainly inconvenient and not a good thing, it certainly not something that will shut a plant down," Slowik says. "It will make operations more difficult."

Killing the other services could lead to more disruption. This is ICS-aware malware, he says, it represents a fairly primitive form of intrusion.

The existence of an e-mail addresses that contains the string "bapco" has led some researchers to speculate that EKANS, which others call Snake, is related to the Dustman attack in December that reportedly infected Bahrain's national oil company, also known as Bapco.

Yet, Slowik remains unconvinced.

"While the email address is provocative in light of this news, the EKANS sample appears unrelated to the Dustman event," he stated in the report. "One possibility is that EKANS was in fact used at Bapco in an incident prior to Dustman, while another is that current public reporting is confusing the Dustman incident — which all available information indicates is focused on Saudi Arabia — with a widespread and potentially disruptive ransomware event at Bapco occurring around the same time."

So, who wrote this program? Slowik is not so sure.

"It is an open question," he says. "There have been reports that this is an Iranian operation, but that is a bit of a stretch."

In the past, the level of attention that attacking a utility or industrial facility would have attracted to the perpetrator kept many attackers too concerned about consequences to target such facilities. Yet EKANS demonstrates that ICS asset owners need to have visibility into the state of their infrastructure, Slowik says.

"Organizations need to adjust their risk profile appropriately [and acknowledge] that their risk does not stop at state-sponsored entities or the random worm-able infection," Slowik says. "It seems increasingly that threat actors, whether they be criminals or otherwise, are more willing to operate in these areas, risks be damned."

Related Content

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "AppSec Concerns Drove 61% of Businesses to Change Applications."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-8423
PUBLISHED: 2020-04-02
A buffer overflow in the httpd daemon on TP-Link TL-WR841N V10 (firmware version 3.16.9) devices allows an authenticated remote attacker to execute arbitrary code via a GET request to the page for the configuration of the Wi-Fi network.
CVE-2019-14868
PUBLISHED: 2020-04-02
In ksh version 20120801, a flaw was found in the way it evaluates certain environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Services and applications that allow remote unauthenticated attackers to provide one of those env...
CVE-2019-20635
PUBLISHED: 2020-04-02
codeBeamer before 9.5.0-RC3 does not properly restrict the ability to execute custom Java code and access the Java class loader via computed fields.
CVE-2020-11452
PUBLISHED: 2020-04-02
Microstrategy Web 10.4 includes functionality to allow users to import files or data from external resources such as URLs or databases. By providing an external URL under attacker control, it's possible to send requests to external resources (aka SSRF) or leak files from the local system using the f...
CVE-2020-11453
PUBLISHED: 2020-04-02
Microstrategy Web 10.4 is vulnerable to Server-Side Request Forgery in the Test Web Service functionality exposed through the path /MicroStrategyWS/. The functionality requires no authentication and, while it is not possible to pass parameters in the SSRF request, it is still possible to exploit it ...