Since ransomware made a grand return in 2019, the criminals behind it have shown a clear preference for targets that can’t afford to be offline for long. And not just those, like banks and financial institutions, that stand to lose money from downtime; attacks on hospitals and patient care facilities became a definite trend in the previous year. The new EKANS ransomware seeks to do similar real-world damage by shutting down vital systems indefinitely, but this time it targets industrial control systems (ICS).
Why industrial control systems?
Industrial control systems are the computer networks that interface with the heavy equipment in places like power plants, factories and refineries. There have been attacks on these systems in the past, but they have been relatively few and far between. These attacks have also tended to be the sole province of nation-states looking to cause some sort of physical damage to each other, the most famous example being the 2012 Stuxnet attack on Iran’s uranium enrichment facilities.
Industrial control systems have typically had little to offer cyber criminals simply looking to make money, and information about their inner workings tends to be harder to come by. For example, an expert interviewed by Wired estimated that Stuxnet would have taken “months to years” for a team with nation-state resources backing them to create. For cyber criminal groups with more modest resources available to them, there has been plenty of lower-hanging fruit to go after.
This is what makes the EKANS ransomware unique, and a pioneering new development (and potential sea change) in the cybercrime world. The ransomware targets 64 different software processes that are unique to and common on industrial control systems. However, it is not thought to originate from state actors, given its relative crudeness and its ransom demands.
How the EKANS ransomware works
This is not the first time that criminals have tried industrial facilities as targets for ransomware, but previous incidents simply used a more standard ransomware variant to try to shut down regular PCs that were part of the system (for example, the LockerGoga attacks seen early last year). The EKANS ransomware, which was first observed in December 2019, is the first for-profit strain designed to shut down specific processes known to be used in industrial control systems made by GE and other major manufacturers.
In addition to shutting down these processes, the EKANS ransomware encrypts data and leaves a ransom note. Researchers with security firms Sentinel One and Dragos have traced the development and deployment of EKANS to a precursor called Megacortex, a strain of ransomware that appeared last year and was aimed at a broader variety of enterprise-scale businesses. Sentinel One tracked the origins of the ransomware to the United Kingdom, based on references in it to the names of some shops in Sunderland. Researchers with Sophos believe that the Megacortex ransomware authors are connected to whoever created the Rietspoof malware family, which appeared in early 2019 and primarily spread through Skype spam.
As the identity of the authors of any of these strains has yet to be confirmed, it is possible that the EKANS ransomware could be a ploy by a state sponsored actor to cover the tracks of infrastructure probing and espionage. However, industrial control systems do make sense as a target for cyber criminals seeking financial gain. At the very least, these organizations would likely find a modest ransom demand to be much more affordable than extended downtime. It is also possible that very expensive equipment could be destroyed, or even serious safety hazard conditions created, should the ability to control and monitor equipment be locked out at the wrong moment.
No victims have come forward to confirm that they have been hit by the EKANS ransomware, but Sentinel One is fairly certain that the Bahraini national oil company Bapco was struck. The industrial control systems employed at Bapco are used in manufacturing systems as well as at refineries, so there could be a very broad range of victims and potential targets.
Protection from EKANS
It is not yet known how the EKANS ransomware is being delivered to victims. The security researchers are recommending that these industrial control systems be segmented from the regular Windows systems on the rest of the network whenever possible, as it is assumed that attackers use standard footholds (such as phishing emails) to create their first opening. Regular offline backups that include configuration data are also recommended.
As Tim Erlin, VP of product management and strategy at Tripwire, observed:
“Ransomware, or any malware, can’t just magically appear on your systems. It needs some kind of mechanism for deployment, usually an unpatched vulnerability, misconfiguration or successful phishing. While the evolution of the malware itself is interesting and concerning, any organization with an industrial footprint should focus on defending against these initial intrusion points. Doing the basics well can dramatically reduce the likelihood of a successful ransomware attack.”
A researcher with Dragos described EKANS as relatively unsophisticated in terms of what it can actually do to the processes on its list. It cannot modify or change process logic, which means it cannot issue or alter commands; it is only able to stop processes and lock users out of the victim computers by encrypting files.
Regardless of its threat level to a specific organization, the EKANS ransomware makes clear that industrial environments now have to consider that for-profit criminals have the capability of shutting down targeted processes.
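The behaviour described above (stop a list of processes, then encrypt) leaves a signal a defender can watch for: a burst of distinct process exits on one host within a short window. The following Python script is an added example of that detection heuristic; it is not code from the article or from the researchers it cites. The log format, hostnames and process names are constructed placeholders for the example and are not the actual EKANS target list, which the article does not reproduce.

```python
"""
Heuristic detector for a burst of terminated processes on a single host,
the pre-encryption behaviour the article attributes to EKANS.

Everything below is constructed for this example: the log format is a
simplified "timestamp host event process" line, and the watchlisted
process names are placeholders standing in for whatever ICS software a
given site actually runs.
"""
from collections import deque
from datetime import datetime, timedelta

# Constructed sample log. hmi-01 shows five watchlisted processes exiting
# within a few seconds (the pattern we want to flag); eng-02 shows two
# ordinary exits more than an hour apart (normal operation, no alert).
SAMPLE_LOG = """\
2020-02-03T10:00:01Z hmi-01 PROCESS_EXIT historian_svc.exe
2020-02-03T10:00:02Z hmi-01 PROCESS_EXIT hmi_runtime.exe
2020-02-03T10:00:02Z hmi-01 PROCESS_EXIT opc_server.exe
2020-02-03T10:00:03Z hmi-01 PROCESS_EXIT alarm_mgr.exe
2020-02-03T10:00:04Z hmi-01 PROCESS_EXIT plc_comm.exe
2020-02-03T10:00:05Z hmi-01 PROCESS_EXIT notepad.exe
2020-02-03T11:15:00Z eng-02 PROCESS_EXIT historian_svc.exe
2020-02-03T12:40:00Z eng-02 PROCESS_EXIT opc_server.exe
"""

# Placeholder watchlist: replace with the process names that matter at
# your site (HMI runtime, historian, OPC server, PLC communications...).
WATCHLIST = {
    "historian_svc.exe",
    "hmi_runtime.exe",
    "opc_server.exe",
    "alarm_mgr.exe",
    "plc_comm.exe",
}


def parse_line(line):
    """Split one constructed log line into (timestamp, host, event, process)."""
    ts, host, event, proc = line.split(maxsplit=3)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, event, proc.strip().lower()


def detect_kill_bursts(log_text, watchlist=WATCHLIST,
                       window=timedelta(seconds=60), threshold=3):
    """
    Return one alert per host on which at least `threshold` distinct
    watchlisted processes exited within any `window`-long period.

    A sliding window per host keeps only the exits still inside the
    window, so a slow trickle of legitimate restarts over hours does not
    accumulate into an alert.
    """
    recent = {}        # host -> deque of (timestamp, process) inside the window
    alerted = set()    # hosts already reported, to avoid duplicate alerts
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, event, proc = parse_line(line)
        if event != "PROCESS_EXIT" or proc not in watchlist:
            continue
        q = recent.setdefault(host, deque())
        q.append((ts, proc))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= threshold and host not in alerted:
            alerted.add(host)
            alerts.append({
                "host": host,
                "first_seen": q[0][0],
                "last_seen": ts,
                "processes": sorted(distinct),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_kill_bursts(SAMPLE_LOG):
        print(f"{alert['host']}: {len(alert['processes'])} watchlisted processes "
              f"exited between {alert['first_seen']} and {alert['last_seen']}: "
              f"{', '.join(alert['processes'])}")
```

The threshold and window are deliberately conservative so that a single planned restart of one service does not fire; tune them against a baseline of normal maintenance activity, and feed the detector from whatever process-exit telemetry the site already collects rather than from a custom log like the constructed one here.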
James McQuiggan, Security Awareness Advocate for KnowBe4, provided some detailed parting thoughts on how potentially impacted businesses can prepare themselves:
“Ransomware is continuing its evolution to now impact ICS systems and networks and these additional services are programs needed for the ICS system to operate effectively. With the ransomware programmed to kill those services, this presents a new twist to having the systems made unavailable before the encryption process starts.
“Knowing that ransomware enters a network via an end user clicking on a phishing link through their email system, it is very important for an ICS environment to be configured so that it is not directly connected to the internet. It’s also crucial to ensure that no email clients operate on these systems. It is best practice to make sure that the critical ICS systems are behind multiple levels of firewalls, thus fully utilizing defense in depth. If the ICS systems sit on a flat network, it exponentially increases the risk of it becoming infected, reducing availability and productivity of products or services and potentially damaging the reputation of the organization.
“While focusing on the technology of a product to monitor and detect the malware, it’s critical to consider that organizations should have an engaging and educational security awareness training program to help their operators, employees and executives be aware. They should be educated on current phishing attacks and the steps they need to take to prevent a ransomware attack from launching on their network.”