Ransomware EKANS targets industrial control systems

The malware works despite numerous programming errors. A new variant not only encrypts files, it also changes the settings of industrial control systems. EKANS is also aimed at certain goals and does not attack victims indiscriminately.

FortiGuard Labs researchers have analyzed EKANS ransomware, which targets industrial control systems. It only affects Windows-based systems and is able to encrypt files. A further developed version has been in circulation since June, which can even switch off the firewalls of infected systems.

Malware (Image: Shutterstock / Blue Island)The first sample that fell into the hands of researchers Ben Hunter and Fred Gutierrez was compiled in May. They found numerous errors in its code – a total of more than 1200 strings. However, they had no influence on the function of the ransomware.

According to your analysis, EKANS selectively targets its victims. The malware tries to resolve the domain of the infected system and compare it with a list of IP addresses. If the destination is not confirmed, the ransomware cancels its routines.

However, if the right target was attacked, the ransomware looks for domain controllers. Finally, it encrypts files and also displays a ransom note. It is not known whether the backers actually provide a decryption key after payment has been made or whether it works.

The second pattern, compiled in June, offers additional features. It is apparently able to change the settings of the industrial control system. Among other things, a firewall can be switched off. The researchers suspect that security applications and other protective measures should be identified and blocked in this way.

EKANS makes files unusable with RSA encryption. In addition, the ransomware is supposed to end any processes that could hinder its own activities. EKANS also tries to delete shadow copies to make it difficult to restore data without a key.

In March, FireEye had already warned of an increase in malware and hacking tools for industrial control systems. The majority of the known ICS pests are therefore not restricted to certain manufacturers. However, there should also be variants that only affect products from a specific provider.


Leave a Reply

Your email address will not be published. Required fields are marked *