A threat intelligence report from security firm Dragos recently uncovered “EKANS” ransomware targeting industrial control systems (ICS). Researchers said EKANS is the first kind of file-encrypting malware intended to infect the network systems that control operations in manufacturing environments.
While investigating EKANS, researchers found a list of command processes linked to ICS operations. EKANS is reportedly designed to disrupt these ICS processes on victims’ devices. Attackers deploy the ransomware to compromise the targeted devices and encrypt their data, and victims are then presented with a ransom note.
EKANS is SNAKE Spelled Backwards
Dragos stated that EKANS, which is SNAKE spelled backwards, initially emerged in December 2019 and targeted Windows systems that are used in industrial environments. Explaining why it uses the name EKANS rather than SNAKE, Dragos said, “Although referred to as both SNAKE and EKANS in public reporting, Dragos will refer to this malware as EKANS due to the existence of other malware previously discovered and labeled as ‘Snake’ and attributed to the Turla threat actor. Any further or future reference to ‘Snake’ by Dragos will refer to Turla-associated activity, while the ransomware variant under discussion will be referenced as EKANS.”
EKANS vs Megacortex Ransomware
Dragos’ report also identified a relationship between EKANS and Megacortex ransomware, which was discovered in January 2019 and is considered a major threat. According to the report’s findings, Megacortex ransomware targets similar ICS processes.
“While the list of processes targeted in EKANS is relatively short and focused (64 total items), the newer version of MEGACORTEX contains over 1,000 referenced items. The vast majority of the processes listed relate to security solutions or similar tools. However, all of the items referenced in the EKANS ICS list are also present in the MEGACORTEX list, and no additional items are present in the MEGACORTEX list with ICS significance. Based on this information, it appears EKANS is not unique, or at least not first, in targeting ICS-related processes,” the report stated.