CRUDE BUT CONCERNING –
Ekans represents a “new and deeply concerning” evolution in malware targeting control systems.
Industroyer, Trisis, and the other examples contained code that surgically and painstakingly tampered with, mapped, or dismantled certain highly sensitive functions inside the critical infrastructure sites they targeted. Ekans and MegaCortex, by contrast, simply kill processes spawned by ICS software. It remains unclear precisely what effect the killing of those processes would have on the safety of operations inside infected facilities.
Another reason Dragos considers Ekans to be a “relatively primitive attack” is that the ransomware has no mechanism to spread. That makes Ekans much less of a threat than ransomware such as Ryuk, which quietly collects credentials for months on infected systems so it can eventually proliferate widely through almost all parts of a targeted network.
Monday’s post also challenged recent reporting that Ekans, which also goes by the name Snake, was created by Iran. The report, which was based on research findings from security firm Otorio, cited similarities to previously known Iranian malware and operations. Dragos researchers said that the firm “finds any such link to be incredibly tenuous based upon available evidence.”
Despite the lack of sophistication and no established links to nation states, Ekans warrants serious attention by organizations with ICS operations. “While all indications at present show a relatively primitive attack mechanism on control system networks, the specificity of processes listed in a static ‘kill list’ shows a level of intentionality previously absent from ransomware targeting the industrial space,” Dragos researchers wrote. “ICS asset owners and operators are therefore strongly encouraged to review their attack surface and determine mechanisms to deliver and distribute disruptive malware, such as ransomware, with ICS-specific characteristics.”
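The static kill list behaviour described above lends itself to a simple detection on the defender's side: an alert when one initiating process terminates several monitored ICS processes in a short window. The following is an added example, not code from Dragos or from the article; the process names are constructed placeholders (an asset owner would substitute their own ICS software), and the pipe-delimited event lines are constructed and assume a telemetry source that records which process performed the termination.

```python
"""Flag bursts of terminations of monitored ICS processes (constructed example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Placeholder names; substitute the process names of the ICS software actually deployed.
MONITORED_ICS_PROCESSES = {"hmi_runtime.exe", "historian_svc.exe", "opc_server.exe", "plc_link.exe"}

# Constructed process-termination events: "timestamp|terminated image|terminating image"
SAMPLE_EVENTS = """2020-02-03T10:00:01|notepad.exe|explorer.exe
2020-02-03T10:00:05|hmi_runtime.exe|update.exe
2020-02-03T10:00:06|historian_svc.exe|update.exe
2020-02-03T10:00:06|opc_server.exe|update.exe
2020-02-03T10:00:07|plc_link.exe|update.exe
2020-02-03T11:30:00|hmi_runtime.exe|services.exe
"""


def parse_events(text):
    """Parse the pipe-delimited lines into (timestamp, terminated, terminator) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, image, killer = line.split("|")
        events.append((datetime.fromisoformat(ts), image.lower(), killer.lower()))
    return events


def find_kill_bursts(events, window=timedelta(seconds=60), threshold=3):
    """Return {terminating process: sorted list of monitored processes it killed}
    for every terminator that stopped at least `threshold` distinct monitored
    processes within `window`; a single legitimate service restart stays below it."""
    by_killer = defaultdict(list)
    for ts, image, killer in events:
        if image in MONITORED_ICS_PROCESSES:
            by_killer[killer].append((ts, image))
    alerts = {}
    for killer, kills in by_killer.items():
        kills.sort()
        for i, (start, _) in enumerate(kills):
            in_window = {img for ts, img in kills[i:] if ts - start <= window}
            if len(in_window) >= threshold:
                alerts[killer] = sorted(in_window)
                break
    return alerts


if __name__ == "__main__":
    for killer, victims in find_kill_bursts(parse_events(SAMPLE_EVENTS)).items():
        print(f"ALERT: {killer} terminated {len(victims)} monitored ICS processes: {victims}")
```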