EKANS Ransomware Raises Industrial-Control Worries

  /     /     /  
Publicated : 23/11/2024   Category : security


EKANS Ransomware Raises Industrial-Control Worries


Although the ransomware is unsophisticated, the malware does show that some crypto-attackers are targeting certain industrial control products.



A fairly unsophisticated ransomware attack has raised a few eyebrows among security researchers for its ability to force computers to stop specific activities, or processes, related to industrial control systems, critical-infrastructure security firm Dragos stated in a report published on February 3.
In the past, ransomware has generally caused disruption in industrial control system (ICS) environments as a side effect of the malwares destructive activity — encrypting data would cause some software to fail, causing outages. Although a relatively primitive attack, the EKANS ransomware actively targets certain products common in ICS environments, says Joe Slowik, an adversary hunter with Dragos.
However, the program does not seem to be a significant danger at this point, he says. It is certainly nothing to dismiss; it can still be disrupted to industrial operations, but it is important to note that the ransomware does not have the ability to modify, manipulate, or otherwise change process logic, which is where we get into the really concerning events, Slowik says.
The ransomware targets processes started as part of GEs Proficy data historian, which records events and the status of devices on the network, GE Fanuc licensing server services, and Honeywells HMIWeb application, Dragos stated in the report. The targeting of ICS processes puts EKANS in the same category as the MegaCortex ransomware, which has successfully infected companies systems and
demanded ransoms ranging from $20,000 to $5.8 million
.
[T]he specificity of processes listed in a static kill list shows a level of intentionality previously absent from ransomware targeting the industrial space,
the Dragos report stated
. ICS asset owners and operators are therefore strongly encouraged to review their attack surface and determine mechanisms to deliver and distribute disruptive malware, such as ransomware, with ICS-specific characteristics.
The tactic of stopping processes is common among malware. Many programs will attempt to stop antivirus as a first step in infecting a system. EKANS has a static kill list of 64 different processes that it attempts to halt, but MegaCortex has its own, much larger, list of 1,000 processes. 
Dragos argues that the two programs could be related. However, EKANS is much less of a threat then MegaCortex.
While killing the historian processes is certainly inconvenient and not a good thing, it certainly not something that will shut a plant down, Slowik says. It will make operations more difficult.
Killing the other services could lead to more disruption. This is ICS-aware malware, he says, it represents a fairly primitive form of intrusion.
The existence of an e-mail addresses that contains the string bapco has led some researchers to speculate that EKANS, which others call Snake, is related to the Dustman attack in December that reportedly
infected Bahrains national oil company, also known as Bapco
.
Yet, Slowik remains unconvinced.
While the email address is provocative in light of this news, the EKANS sample appears unrelated to the Dustman event, he stated in the report. One possibility is that EKANS was in fact used at Bapco in an incident prior to Dustman, while another is that current public reporting is confusing the Dustman incident — which all available information indicates is focused on Saudi Arabia — with a widespread and potentially disruptive ransomware event at Bapco occurring around the same time.
So, who wrote this program? Slowik is not so sure.
It is an open question, he says. There have been reports that this is an Iranian operation, but that is a bit of a stretch.
In the past, the level of attention that attacking a utility or industrial facility would have attracted to the perpetrator kept many attackers too concerned about consequences to target such facilities. Yet EKANS demonstrates that ICS asset owners need to have visibility into the state of their infrastructure, Slowik says.
Organizations need to adjust their risk profile appropriately [and acknowledge] that their risk does not stop at state-sponsored entities or the random worm-able infection, Slowik says. It seems increasingly that threat actors, whether they be criminals or otherwise, are more willing to operate in these areas, risks be damned.
Related Content
Dustman Attack Underscores Irans Cyber Capabilities
Attackers Increase Focus on North American Electric Utilities: Report
Ransomware Used in Multimillion-Dollar Attacks Gets More Automated
Widely Known Flaw in Pulse Secure VPN Being Used in Ransomware Attacks
Saudi IT Providers Hit in Cyber Espionage Operation
Check out The Edge, Dark Readings new section for features, threat data, and in-depth perspectives. Todays top story:
AppSec Concerns Drove 61% of Businesses to Change Applications
.

Last News

▸ Hack Your Hotel Room ◂
Discovered: 23/12/2024
Category: security

▸ Website hacks happened during World Cup final. ◂
Discovered: 23/12/2024
Category: security

▸ Criminal Possession of Government-Grade Stealth Malware ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
EKANS Ransomware Raises Industrial-Control Worries