FortiGuard Labs researchers have analyzed the EKANS ransomware, which targets industrial control systems (ICS). It affects only Windows-based systems and encrypts files on them. A further developed version, in circulation since June, can additionally switch off the firewall of infected systems.
The first sample obtained by researchers Ben Hunter and Fred Gutierrez was compiled in May. They found numerous errors in its code, spread over more than 1,200 strings in total. These errors did not, however, affect how the ransomware functions.
According to their analysis, EKANS selects its victims deliberately. The malware tries to resolve the domain of the infected system and compares the result with a list of IP addresses. If the target is not confirmed, the ransomware aborts its routines.
If the intended target has been hit, however, the ransomware searches for domain controllers. Finally, it encrypts files and displays a ransom note. It is not known whether the operators actually hand over a decryption key after payment, or whether such a key works.
The second sample, compiled in June, offers additional features. It is apparently able to change settings of the industrial control system; among other things, it can switch off a firewall. The researchers suspect this is intended to identify and block security applications and other protective measures.
EKANS renders files unusable with RSA encryption. In addition, the ransomware is designed to terminate any processes that could hinder its own activity. EKANS also tries to delete shadow copies, making it harder to restore data without the key.
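The three behaviours just described (disabling the host firewall, deleting shadow copies and killing processes that might interfere with encryption) are all visible in process-creation telemetry and can be hunted for generically. The following is an added example, not code from FortiGuard Labs or from the malware: a small scanner over constructed pipe-separated process-creation records (time, host, user, image, command line). It assumes the standard Windows tools for these actions (netsh, vssadmin, wmic, taskkill); the article does not say which commands EKANS itself invokes, so that pairing is an assumption of this example. A second pass correlates firewall disabling with shadow-copy deletion on the same host within a short window, which is what separates ransomware-like activity from a lone administrative command.

```python
"""Hunt constructed process-creation log lines for EKANS-style behaviour.

Added example, not FortiGuard Labs' code. Rules match the usual Windows
commands for the actions described in the article; that EKANS runs exactly
these binaries is an assumption, not a statement from the analysis.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List

# Rule name -> case-insensitive regex applied to the full command line.
RULES: Dict[str, re.Pattern] = {
    # netsh advfirewall set <profile> state off (assumed firewall-disable command)
    "firewall_disabled": re.compile(
        r"\bnetsh(?:\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off\b", re.I),
    # vssadmin delete shadows ... / wmic shadowcopy delete (assumed VSS wipe commands)
    "shadow_copies_deleted": re.compile(
        r"\b(?:vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete)\b",
        re.I),
    # taskkill ... /im <image>: the image name is captured for the finding
    "process_killed": re.compile(r"\btaskkill(?:\.exe)?\b.*\s/im\s+(\S+)", re.I),
}

FIELDS = ("time", "host", "user", "image", "cmdline")

# Constructed sample records (hostnames, users and times are invented).
SAMPLE_LOG = r"""
2020-07-01T10:02:11Z|PLC-HMI-01|ICS\operator|C:\Windows\System32\netsh.exe|netsh advfirewall set allprofiles state off
2020-07-01T10:02:14Z|PLC-HMI-01|ICS\operator|C:\Windows\System32\vssadmin.exe|vssadmin delete shadows /all /quiet
2020-07-01T10:02:15Z|PLC-HMI-01|ICS\operator|C:\Windows\System32\taskkill.exe|taskkill /f /im historian.exe
2020-07-01T10:03:40Z|BACKUP-01|ICS\backupsvc|C:\Windows\System32\vssadmin.exe|vssadmin delete shadows /for=D: /oldest
2020-07-01T10:05:00Z|ENG-WS-07|ICS\admin|C:\Windows\System32\netsh.exe|netsh advfirewall show allprofiles
2020-07-01T10:06:30Z|ENG-WS-07|ICS\admin|C:\Windows\System32\vssadmin.exe|vssadmin list shadows
"""


def parse_time(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def parse_line(line: str) -> Dict[str, str]:
    """Split one pipe-separated record; the command line may itself contain '|'."""
    parts = line.split("|", len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        raise ValueError(f"malformed record: {line!r}")
    return dict(zip(FIELDS, parts))


def scan(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per (record, matching rule), in log order."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        for rule, pattern in RULES.items():
            m = pattern.search(rec["cmdline"])
            if m:
                findings.append({**rec, "rule": rule, "matched": m.group(0)})
    return findings


def correlate(findings: List[Dict[str, str]],
              window: timedelta = timedelta(minutes=10)) -> List[str]:
    """Hosts on which the firewall was disabled AND shadow copies were deleted
    within `window` of each other. A lone VSS cleanup (backup rotation) or a
    lone firewall change does not qualify."""
    by_host: Dict[str, List[Dict[str, str]]] = {}
    for f in findings:
        by_host.setdefault(f["host"], []).append(f)
    flagged = []
    for host, items in by_host.items():
        fw = [parse_time(i["time"]) for i in items if i["rule"] == "firewall_disabled"]
        vss = [parse_time(i["time"]) for i in items if i["rule"] == "shadow_copies_deleted"]
        if any(abs(a - b) <= window for a in fw for b in vss):
            flagged.append(host)
    return sorted(flagged)


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']} {f['host']:<11} {f['rule']:<22} {f['matched']}")
    print("ransomware-like hosts:", correlate(scan(SAMPLE_LOG)))
```

On the constructed sample, the scanner raises four findings but correlates only PLC-HMI-01: BACKUP-01 deleted a shadow copy without touching the firewall, and ENG-WS-07 merely listed its firewall profiles and shadow copies. In a real environment the rules would be fed from Sysmon Event ID 1 or Windows Security Event 4688 command lines, and the process-kill rule should be narrowed to the backup, database and security-agent images present on the estate.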
Back in March, FireEye had already warned of an increase in malware and hacking tools aimed at industrial control systems. According to that report, the majority of known ICS malware is not restricted to particular manufacturers; there are, however, also said to be variants that only affect products of a specific vendor.