Expert Blog

New EKANS ransomware targets industrial control systems

A new type of ransomware has emerged

As reported by Dragos and SentinelOne, a new ransomware family has emerged, that is, software that encrypts data on infected computers and demands payment for its return. It is called EKANS (also tracked as Snake, the name spelled backwards).

What is EKANS ransomware?

EKANS was first observed in mid-December 2019. On the one hand, researchers describe it as relatively simple: it encrypts files and drops a typical ransom note demanding payment for decryption. On the other hand, before encrypting, EKANS terminates a fixed list of running processes on the infected computer. What stands out is that this kill list includes processes belonging to industrial control system (ICS) software such as GE Proficy, ThingWorx and Honeywell HMI, alongside IoT-related processes. Killing a process is a common ransomware step because files held open by a running application cannot otherwise be encrypted, but here it also blinds the operators who depend on those applications. The choice of targets suggests that ICS environments are a deliberate target for EKANS, even though the malware contains no code that issues commands to controllers or alters process values; its impact comes from loss of visibility and control from the affected workstations.
EKANS may look simple next to malware built specifically to sabotage industrial systems (Stuxnet and BlackEnergy are the obvious examples), but encrypting the computers that operators use to monitor production or transmission lines, and thereby cutting those operators off from the industrial process, can have very dangerous consequences.

According to Dragos, EKANS resembles the earlier MegaCortex ransomware, which in spring 2019 likewise terminated hundreds of processes on infected computers; Dragos found that the ICS-related entries in EKANS's kill list also appear in MegaCortex's, which points to a connection between the two. MegaCortex has been linked to attacks whose ransom demands reached 5.8 million USD.

It is not yet clear who is behind EKANS. Known victims include companies in the fuel sector. The infection vector is also unknown, and researchers have found no built-in propagation mechanism: unlike a worm, EKANS does not spread on its own. It is executed on a host the attacker already controls, either interactively or through scripts, which implies that an intrusion into the network precedes the encryption.

Owners and operators of ICS environments are advised to review their infrastructure for signs of EKANS infection: unexpected terminations of HMI, historian or other ICS processes, followed by encrypted files and a ransom note.
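As an added example (not from the original post, and not code from Dragos or SentinelOne), the Python sketch below shows how the process-killing behaviour described above could be surfaced when reviewing endpoint telemetry. It parses constructed Sysmon-style process-termination records (Event ID 5) and flags any host on which several watchlisted ICS processes were terminated within a short window, which is the pattern a kill list produces and a routine operator restart does not. The watchlist names and the log lines are hypothetical placeholders, not EKANS's actual kill list; an operator would populate the list from their own asset inventory.

```python
"""Added example: flag a burst of ICS process terminations in endpoint logs.

Hypothetical, constructed data; the watchlist stands in for the HMI, historian
and OPC process names an operator would take from their own asset inventory.
It is not EKANS's real kill list.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical watchlist of process images worth protecting (operator-supplied).
ICS_WATCHLIST = {"hmi_runtime.exe", "historian.exe", "opc_server.exe", "scada_alarm.exe"}

# Constructed Sysmon-style records: "UtcTime|Computer|EventID|Image".
# Event ID 5 is Sysmon's process-termination event; ID 1 is process creation.
SAMPLE_EVENTS = """\
2020-01-15 03:12:01|HMI-01|5|C:\\Windows\\System32\\notepad.exe
2020-01-15 03:12:03|HMI-01|5|C:\\ICS\\hmi_runtime.exe
2020-01-15 03:12:03|HMI-01|5|C:\\ICS\\historian.exe
2020-01-15 03:12:04|HMI-01|5|C:\\ICS\\opc_server.exe
2020-01-15 03:12:04|HMI-01|1|C:\\Users\\ops\\Downloads\\update.exe
2020-01-15 03:12:05|HMI-01|5|C:\\ICS\\scada_alarm.exe
2020-01-15 09:00:00|ENG-02|5|C:\\ICS\\hmi_runtime.exe
2020-01-15 17:30:00|ENG-02|5|C:\\ICS\\historian.exe
"""


def parse_events(text):
    """Turn the pipe-separated records into dicts with a parsed timestamp
    and the bare, lower-cased image name."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, eid, image = line.split("|", 3)
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "host": host,
            "eid": int(eid),
            "image": image.rsplit("\\", 1)[-1].lower(),
        })
    return events


def detect_kill_bursts(events, window_seconds=60, threshold=3):
    """Return {host: sorted image names} for every host on which at least
    `threshold` watchlisted processes were terminated within any
    `window_seconds` span. One operator restarting one HMI does not trip it;
    a kill list running through several processes in seconds does."""
    recent = defaultdict(deque)   # host -> terminations still inside the window
    alerts = defaultdict(set)
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["eid"] != 5 or ev["image"] not in ICS_WATCHLIST:
            continue
        window = recent[ev["host"]]
        window.append(ev)
        cutoff = ev["time"] - timedelta(seconds=window_seconds)
        while window and window[0]["time"] < cutoff:
            window.popleft()
        if len(window) >= threshold:
            alerts[ev["host"]].update(e["image"] for e in window)
    return {host: sorted(images) for host, images in alerts.items()}


if __name__ == "__main__":
    for host, images in detect_kill_bursts(parse_events(SAMPLE_EVENTS)).items():
        print(f"{host}: {len(images)} ICS processes killed in one burst: {', '.join(images)}")
```

With the sample data, HMI-01 is flagged (four watchlisted processes terminated within five seconds) while ENG-02, where two restarts are hours apart, is not. In a real deployment the same logic runs over a SIEM query rather than a string, and the window and threshold are tuned against how operators actually restart software at the site.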

Additionally, as prevention, the computers running production control systems can be configured to execute only known, approved programs (application allowlisting), so that an unknown executable such as EKANS is refused regardless of how it arrives. At the network level, file transfers at the interface between the corporate network and the industrial network can be monitored, and executables crossing that boundary blocked unless they have been approved, to stop malware spreading from the IT side into the OT side.
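The following Python example, added here and not part of the original post or of any vendor product, illustrates the two controls just described at the IT/OT boundary: it recognises a Windows executable by its PE header rather than by file extension (so a renamed .exe is still treated as an executable), and it admits executables only when their SHA-256 is on an approved list. The sample files, their hashes and the approved list are all constructed for the example.

```python
"""Added example: gate files crossing from the corporate (IT) network into
the industrial (OT) network.

Two checks: recognise a Windows executable by its PE header rather than by
file extension, and admit executables only when their SHA-256 is on an
approved list (application allowlisting by hash). All sample files and
hashes below are constructed, not real vendor software.
"""
import hashlib
import struct


def is_pe_executable(data: bytes) -> bool:
    """True if `data` starts a Windows PE image: an 'MZ' DOS header whose
    e_lfanew field (offset 0x3C) points at the 'PE\\0\\0' signature.
    Renaming evil.exe to report.pdf changes neither."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_fake_pe(payload: bytes) -> bytes:
    """Build the smallest byte string is_pe_executable() accepts, for the
    constructed samples below. Not a loadable binary."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)   # e_lfanew -> signature at 0x40
    return bytes(header) + b"PE\x00\x00" + payload


# Constructed samples: one approved installer, one unknown executable disguised
# with a document extension, and an ordinary data file.
APPROVED_INSTALLER = make_fake_pe(b"hypothetical-hmi-setup-4.2")
UNKNOWN_EXE_AS_PDF = make_fake_pe(b"hypothetical-unknown-payload")
PLAIN_CSV = b"tag,value\nPT-101,4.2\nFT-202,17.9\n"

# Hypothetical allowlist: digests the OT team has approved for transfer.
APPROVED_SHA256 = {sha256_hex(APPROVED_INSTALLER)}


def evaluate_transfer(filename: str, data: bytes, approved=None):
    """Return ('allow' | 'block', reason) for a file about to cross the boundary.
    Non-executables pass this gate (they still deserve AV and sandboxing,
    out of scope here); executables pass only if their hash is approved,
    whatever the file name claims."""
    approved = APPROVED_SHA256 if approved is None else approved
    if not is_pe_executable(data):
        return "allow", f"{filename}: not a PE executable"
    digest = sha256_hex(data)
    if digest in approved:
        return "allow", f"{filename}: approved executable sha256={digest[:16]}..."
    ext = filename.rsplit(".", 1)[-1] if "." in filename else "(none)"
    return "block", f"{filename}: unapproved PE executable presented as .{ext}, sha256={digest[:16]}..."


if __name__ == "__main__":
    for name, blob in [("hmi_setup.exe", APPROVED_INSTALLER),
                       ("report.pdf", UNKNOWN_EXE_AS_PDF),
                       ("tags.csv", PLAIN_CSV)]:
        verdict, reason = evaluate_transfer(name, blob)
        print(f"{verdict.upper():5} {reason}")
```

Two caveats a practitioner would add. Hash allowlisting is exactly what AppLocker or WDAC hash rules do on the endpoint, and every vendor patch changes the hash, so in production publisher (signature) rules are far easier to maintain than a list of digests. And the header check catches renamed .exe and .dll files but not scripts, macros or executables packed inside archives, so a boundary gate like this complements endpoint allowlisting rather than replacing it.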

As you can see, cybercriminals are increasingly targeting industrial sites. And there is worse news: in the era of Industry 4.0, with more and more ICS environments connected to the Internet, systems that used to be completely isolated can now become easy targets without proper security. In addition, as the technology has developed, old Programmable Logic Controllers (PLCs) have evolved into modern Programmable Automation Controllers (PACs) that run their own operating systems, which, like any software, have their own vulnerabilities and bugs. It is not hard to foresee that, at some point, an attack will be aimed at the controllers themselves rather than at the ICS computers. Just as computers need protection from malware, it is therefore time to invest in protecting control devices (PAC/PLC) and in monitoring industrial networks.

Mateusz Stojek and Mirosław Szymczak - February 11 2020


Mateusz Stojek
OT Security Expert, Infradata


Mirosław Szymczak
Expert, Infradata
