This is how EKANS ransomware is targeting industrial control systems

New samples of the ransomware reveal the techniques used to attack critical ICS systems.


New samples of the EKANS ransomware have revealed how today's cyberattackers are using a variety of methods to compromise key industrial companies.

In a research report published on Wednesday, FortiGuard Labs researchers Ben Hunter and Fred Gutierrez said that malware designed to attack industrial control systems (ICS) continues to be lucrative for threat actors.

Ransomware accounted for only about a third of all malware incidents in 2019, according to Verizon's 2020 Data Breach Investigations Report, but when it hits core, critical systems such as utilities and manufacturing, an infection can be devastating and disruptive, and the operators of key services may feel enormous pressure to pay the ransom.

The EKANS ransomware family is one such strain that has been used in targeted ICS campaigns. 


The researchers were able to obtain two modern samples, one from May and another compiled in June, which revealed some interesting features. 

Both Windows-based samples are written in Go, a programming language that is popular with malware developers because it is relatively easy to cross-compile for different operating systems.

To help with the analysis, FortiGuard built an EKANS-specific disassembler and found that, despite a large number of coding errors in the May version, which contained more than 1,200 strings, the malware is still able to perform effectively in attacks against ICS environments.

EKANS appears to have been designed to deliberately select its victims. The malware tries to confirm its target by resolving the victim company's domain and comparing the result against its IP lists. If the target cannot be confirmed, the routine exits.
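The targeting check described above, written out in Python as an added illustration (this is not code from the FortiGuard report or from the samples). The resolver is injectable so that the two outcomes an analyst cares about, a resolution failure and an address mismatch, can be exercised offline; the domain and address ranges are constructed placeholders, and the use of CIDR entries in the target list is an assumption about how such a list might be expressed.

```python
import ipaddress
import socket

# Constructed victim table: domain -> networks the operator expects it to resolve into.
# RFC 5737 documentation ranges are used so nothing here points at a real organisation.
EXPECTED_TARGETS = {
    "ot.example-utility.test": ["198.51.100.0/28", "203.0.113.200/32"],
}


def confirm_target(domain, resolver=socket.gethostbyname):
    """Return True only when `domain` (the infected host's domain, supplied by the
    caller) resolves to an address inside one of the expected networks.

    Any resolution failure is treated as "not our victim": a sandbox with no DNS,
    or with DNS that answers with an unexpected address, never sees the payload run.
    """
    expected = EXPECTED_TARGETS.get(domain.lower())
    if not expected:
        return False
    try:
        observed = ipaddress.ip_address(resolver(domain))
    except (OSError, ValueError):  # NXDOMAIN, no network in the analysis VM, garbage answer
        return False
    return any(observed in ipaddress.ip_network(net) for net in expected)


def sandbox_resolver(_domain):
    """Resolver behaviour of an isolated analysis VM: every lookup fails."""
    raise OSError("no DNS available in the analysis VM")


def spoofed_resolver(_domain):
    """Analyst-controlled DNS answering with an address recovered from the sample's
    strings, so the gate opens and the real behaviour can be observed."""
    return "198.51.100.10"


if __name__ == "__main__":
    for name, res in [("isolated sandbox", sandbox_resolver), ("spoofed DNS", spoofed_resolver)]:
        print(f"{name:>16}: proceed = {confirm_target('ot.example-utility.test', resolver=res)}")
```

The practical lesson is the last two functions: a sample gated this way looks inert in a sandbox that has no DNS, or whose DNS returns the wrong address, so the expected addresses have to be pulled from the binary's strings and served back to it before any encryption behaviour will show.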

Once a target is acquired, the ransomware will scan for domain controllers to compromise. 

Both versions have the functionality of typical ransomware. Once on a machine, the malware encrypts files and displays a ransom note demanding payment in return for a decryption key, which may, or may not, restore access to the files.

However, the June sample goes beyond these features and adds capabilities that could wreak havoc in an industrial setting, including the ability to turn off the host firewall.


This was not the only addition. To get past any existing ICS protections, the ransomware also attempts to turn the firewall off before encryption, "probably to detect AVs and other defense solutions by blocking any communication from the agent," the researchers noted.

EKANS uses RSA encryption to lock up the files on impacted machines and then goes on a process-killing rampage, terminating any process that could get in the way of its activities, and deletes volume shadow copies along the way to make file recovery more difficult.

Alongside the examination of this interesting ICS malware, FortiGuard also published a guide on what the cybersecurity firm believes are the most current techniques and tactics employed by industrial threat actors. 


These include exploiting remote services, using credential dumps, moving laterally across networks, disabling or modifying cybersecurity tools, impairing defenses by disabling Windows event logs, and group policy modification. 
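The following detection logic is an added example, not FortiGuard's guidance or code, and runs over constructed Sysmon-style process-creation records to flag the behaviours named in the two passages above: the host firewall being turned off, shadow copies being deleted, Windows event logs being cleared, and a single parent force-killing many processes. The command lines are generic Windows examples of each technique, not strings taken from the EKANS samples; the JSON record format and the kill threshold are assumptions for the sake of the example.

```python
import json
import re
from collections import defaultdict

# Each rule: (description, MITRE ATT&CK technique, regex applied to the command line).
# These are generic Windows commands for each technique, not strings from the samples.
RULES = [
    ("shadow copies deleted", "T1490",
     re.compile(r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)\b", re.I)),
    ("host firewall disabled", "T1562.004",
     re.compile(r"\bnetsh(\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off\b", re.I)),
    ("event log cleared", "T1562.002",
     re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\s+\S+", re.I)),
]
KILL_RE = re.compile(r"\btaskkill(\.exe)?\b.*?/im\s+(\S+)", re.I)
KILL_THRESHOLD = 5  # distinct images force-killed by one parent; an assumed tuning value

# Constructed Sysmon-style process-creation records (one JSON object per line).
SAMPLE = r"""
{"ts":"2020-06-01T10:00:01","parent":"C:\\Users\\ops\\update.exe","cmd":"netsh advfirewall set allprofiles state off"}
{"ts":"2020-06-01T10:00:02","parent":"C:\\Users\\ops\\update.exe","cmd":"vssadmin.exe delete shadows /all /quiet"}
{"ts":"2020-06-01T10:00:03","parent":"C:\\Users\\ops\\update.exe","cmd":"wevtutil.exe cl Security"}
{"ts":"2020-06-01T10:00:04","parent":"C:\\Users\\ops\\update.exe","cmd":"taskkill /F /IM historian.exe"}
{"ts":"2020-06-01T10:00:04","parent":"C:\\Users\\ops\\update.exe","cmd":"taskkill /F /IM hmi.exe"}
{"ts":"2020-06-01T10:00:04","parent":"C:\\Users\\ops\\update.exe","cmd":"taskkill /F /IM backupagent.exe"}
{"ts":"2020-06-01T10:00:05","parent":"C:\\Users\\ops\\update.exe","cmd":"taskkill /F /IM sqlservr.exe"}
{"ts":"2020-06-01T10:00:05","parent":"C:\\Users\\ops\\update.exe","cmd":"taskkill /F /IM outlook.exe"}
{"ts":"2020-06-01T10:01:00","parent":"C:\\Windows\\explorer.exe","cmd":"taskkill /F /IM notepad.exe"}
{"ts":"2020-06-01T10:01:30","parent":"C:\\Windows\\System32\\services.exe","cmd":"C:\\Windows\\System32\\svchost.exe -k netsvcs"}
"""


def scan(lines):
    """Return one finding per matched rule, plus one aggregate finding for every
    parent process that force-killed KILL_THRESHOLD or more distinct images."""
    findings = []
    kills = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        cmd = rec["cmd"]
        for desc, technique, rx in RULES:
            if rx.search(cmd):
                findings.append({"ts": rec["ts"], "technique": technique, "desc": desc, "cmd": cmd})
        m = KILL_RE.search(cmd)
        if m:
            kills[rec["parent"]].add(m.group(2).lower())
    for parent, images in kills.items():
        if len(images) >= KILL_THRESHOLD:
            findings.append({"ts": None, "technique": "T1489",
                             "desc": f"{len(images)} distinct processes killed by {parent}",
                             "cmd": None})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE.splitlines()):
        print(f"{f['technique']:<10} {f['desc']}" + (f"  <- {f['cmd']}" if f["cmd"] else ""))
```

The single-command rules are cheap and precise; the taskkill aggregation is the part worth tuning, since a lone admin killing one process (the explorer.exe line) must not fire while a parent that kills a burst of distinct images in seconds is exactly the "rampage" the report describes.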

In March, cybersecurity firm FireEye warned that the development of malware and hacking tools able to target ICS is on the rise, with the majority having been developed in the past decade. The majority of tools analyzed by FireEye are considered vendor-agnostic, but in some cases, software has been designed to compromise ICS setups offered by specific companies. 
