The EKANS ransomware is the latest incarnation of MEGACORTEX. This is an ICS targeting ransomware which uses WMI attacks to run a 3 point attack. First spotted in the wild on 26th December 2019.
Primarily it will destroy volume shadow copies of data, then it targets security applications to kill the processes. Once these are down it starts toppling processes from the list. Some notable items on this list are Historian, FlexNET Licensing and Sentinel. In this current version, there is no other Wonderware specific products listed in this strain.
How does EKANS attack?
Unlike most typical ransomwares the encryption is not in the usual .ecc file extensions, but a common 3 letter prefix then 5 randomly generated letters. Access to the system, and remote connections aren't affected with EKANS. Current indications show this is more disruptive than the ransomware which affected Norse Hydro.
EKANS has no spreading mechanism inside the code, so infections will be isolated to where the .exe is run. This can potentially be seeded by a script from a network share via deliberate action.
EKANS ransomware is unique as it joins a handful of ICS-specific malware variants, such as Havex and CRASHOVERRIDE, in having specific references to industrial processes. At the same time, EKANS actual implementation of such functionality is extremely primitive with an indeterminate industrial impact.
The evolution of Malware
EKANS malware and its attempt to cease particular industrial-related processes is further evolution and context around the growing cyber threat to industrial control systems, but EKANS itself is more a novelty than a discrete and worrying risk.
Nonetheless, EKANS (and its likely predecessor MEGACORTEX) represent an adversary evolution to hold control system environments specifically at risk. As such, EKANS despite its limited functionality and nature represents a relatively new and concerning evolution in ICS-targeting malware. Whereas previously ICS-specific or ICS-related malware was solely the playground of state-sponsored entities, EKANS appears to indicate non-state elements pursuing financial gain are now involved in this space as well, even if only at a very primitive level.
How can help?
We've been seeing a trend towards malware targeting industrial control systems. So it's certainly something to plan for and mitigate against in new and old systems.
We have a range of cyber security products and solutions available to help our customers to do this, so if you think you might need some help, get in touch.
