New ransomware is targeting Windows industrial control systems

Ekans Ransomware

Details of new ransomware have emerged. Dragos has published a report detailing Ekans, ransomware which targets industrial control systems (ICS)

Ekans ransomware emerged in December last year and was immediately reported on by Dragos. The leading ICS cybersecurity firm then published a report in January 2020 to their WorldView Threat Intelligence customers detailing the threat.

The report says that, while it is relatively straightforward ransomware to deal with, it does contain additional functionality which grants Ekans the ability to forcibly stop processes in ICS operations. This could be potentially damning to organisations using IIoT at scale.

Perhaps most troublingly, Dragos found a level of intentionality in the ransomware, something which had more often than not been absent from targets in industrial sectors.

Rob Fitzsimons, a field applications engineer at Telesoft Technologies, said: “The Ekans ransomware is another unmissable milestone in the world of malware. Targeting Windows systems used within industrial control systems, it shows that the cybercriminals are moving away from the ‘spray and pray’ tactic, instead putting laser focus on organisations that have a critical role in the nation’s infrastructure. This is concerning, as it means attackers are investing more time and resources into breaching the defences of a few companies, akin to state-sponsored attacks, which makes them more likely to succeed.”

READ MORE: Users vulnerable as Windows 7 support ends

The malware acts by first checking for the existence of a specific value, before determining its encryption. Before file encryption operations, Ekans force stops (or ‘kills’) processes. This forcible stop, if executed on the right systems, can cause loss of view across the network, ultimately leading to disastrous consequences.

“While still not overly clear how Ekans is distributed, it’s thought that attackers need to access networks before it can be deployed,” said Fitzsimons. “As such, combatting this type of malware requires complete visibility into an organisation’s data flow, as well as a trained human firewall that understands how cybercriminals can attempt to manipulate them into downloading files and clicking on links. A few days ago, it was reported that the Emotet trojan was spreading through Japan within emails containing false news about the Coronavirus infecting citizens quickly and the ‘urgent’ steps to take – cybercriminals really will stoop to any level to get into networks. When employees know that any link could result in malware, it may make them stop and think for that split second longer and delete.”

Dragos urge ICS owners and operators to review their attack surface in order to combat disruptive malware or ransomware which may find its way into ICS operations.

Read the full report here.

Luke Conrad

Technology & Marketing Enthusiast