
EKANS: Windows ransomware gets ICS and OT sharps

David Wolf | February 4, 2020

As cybercriminal sophistication continues to grow, the tools and techniques used to exploit ICS and OT are extending to new targets. One example is EKANS, a new Windows ransomware with ICS-specific targets, including Honeywell, ThingWorx, and GE software.

Attribution is challenging, but if it proves true that the technical advances are made by cybercriminals instead of state-sponsored threat actors, then the cybercriminal level-up is bad news for industrial and operational technology (OT) operators everywhere.

Discovered by MalwareHunterTeam and described by researcher Vitali Kremez in January in Bleeping Computer, EKANS will “kill numerous processes related to SCADA systems, virtual machines, industrial control systems, remote management tools, network management software, and more.”
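The behaviour described above, a burst of terminations of SCADA, virtual machine, remote management and network management processes just before encryption, is something a defender can look for in endpoint telemetry. The following Python script is an added example and not code from the blog post or from any of the researchers it cites; it flags any user account that terminates several watch-listed processes within a short window. The Sysmon-style log lines, the watch-list process names and the log format are all constructed placeholders for illustration, not EKANS's actual kill list.

```python
"""Flag bursts of terminations of watch-listed processes in Sysmon-style logs.

Added illustration. The watch-list names, the log format and the sample
log lines are constructed placeholders, not data from any real incident.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed watch-list standing in for the process categories named in the
# post (SCADA/HMI, historian, VM agent, remote management, network management).
WATCHLIST = {
    "hmi_runtime.exe",    # placeholder SCADA/HMI runtime
    "historian_svc.exe",  # placeholder process historian
    "vmtools.exe",        # placeholder VM guest agent
    "remote_admin.exe",   # placeholder remote management tool
    "netmon_agent.exe",   # placeholder network management agent
}

# Constructed one-line rendering of a Sysmon ProcessTerminate (Event ID 5) record:
# "<ISO timestamp> EventID=<n> Image=<path> User=<domain\user>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) Image=(?P<image>\S+) User=(?P<user>\S+)$"
)

# Constructed sample telemetry: one account terminates four watch-listed
# processes in under ten seconds; another restarts a single HMI much later.
SAMPLE_LOG = [
    "2020-02-04T10:00:01 EventID=5 Image=C:\\ICS\\hmi_runtime.exe User=PLANT\\operator",
    "2020-02-04T10:00:03 EventID=5 Image=C:\\ICS\\historian_svc.exe User=PLANT\\operator",
    "2020-02-04T10:00:05 EventID=1 Image=C:\\Windows\\notepad.exe User=PLANT\\operator",
    "2020-02-04T10:00:07 EventID=5 Image=C:\\Tools\\remote_admin.exe User=PLANT\\operator",
    "2020-02-04T10:00:09 EventID=5 Image=C:\\Tools\\netmon_agent.exe User=PLANT\\operator",
    "2020-02-04T11:30:00 EventID=5 Image=C:\\ICS\\hmi_runtime.exe User=PLANT\\maint",
]


def parse_line(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "eid": int(m["eid"]),
        # Compare on the bare executable name, case-insensitively.
        "image": m["image"].rsplit("\\", 1)[-1].lower(),
        "user": m["user"],
    }


def find_kill_bursts(lines, window_seconds=60, threshold=3):
    """Return (user, burst_start, [images]) for each user that terminated at
    least `threshold` distinct watch-listed processes within `window_seconds`.

    A single terminated process (for example a planned HMI restart) never
    trips the rule; the point is the breadth of the kill, not one event.
    """
    events = [
        e for e in map(parse_line, lines)
        if e and e["eid"] == 5 and e["image"] in WATCHLIST
    ]
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    window = timedelta(seconds=window_seconds)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        i = 0
        for j in range(len(evs)):
            # Slide the window start forward until evs[i..j] fits inside it.
            while evs[j]["ts"] - evs[i]["ts"] > window:
                i += 1
            distinct = {e["image"] for e in evs[i:j + 1]}
            if len(distinct) >= threshold:
                # Report every watch-listed kill inside the window, then stop:
                # one alert per user is enough for triage.
                end = evs[i]["ts"] + window
                burst = sorted({e["image"] for e in evs
                                if evs[i]["ts"] <= e["ts"] <= end})
                alerts.append((user, evs[i]["ts"], burst))
                break
    return alerts


if __name__ == "__main__":
    for user, start, images in find_kill_bursts(SAMPLE_LOG):
        print(f"{start.isoformat()} {user} terminated {len(images)} watch-listed processes: {images}")
```

The threshold and window are tuning knobs: a planned maintenance restart touches one or two processes, whereas ransomware that stops HMI, historian, VM and management tooling in the same minute crosses the line immediately. In production the same logic would read real Sysmon Event ID 5 records rather than the constructed lines above.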

The EKANS ransomware is similar to MegaCortex as researched and described by Accenture iDefense in August 2019. EKANS (previously called Snake) should not be confused with the Snake ransomware of the Russian APT Turla group.

What do we expect?

As the phenomenon of IT/OT convergence continues, the consideration of OT system criticality will continue to influence and change the perception, appetite and response to classic, Windows-focused IT risk.

Although EKANS itself may not be as much of a threat as MegaCortex, which covers a much broader attack surface, it could represent a major milestone for cybercriminals. It foretells a more challenging future for ICS and OT operators, who need to implement extensive, granular, risk-based controls: device visibility and control solutions that address IoT and OT risk, NAC, and advanced network segmentation.

  1. https://www.wired.com/story/ekans-ransomware-industrial-control-systems
  2. https://twitter.com/malwrhunterteam
  3. https://www.bleepingcomputer.com/news/security/snake-ransomware-is-the-next-threat-targeting-business-networks/
  4. https://www.accenture.com/us-en/blogs/blogs-megacortex-business-disruption
  5. https://attack.mitre.org/groups/G0010/