FortiGuard Labs, Fortinet’s threat research arm, reports that malware built to attack industrial control systems (ICS) continues to be lucrative for threat actors, according to researchers Ben Hunter and Fred Gutierrez.
A ransomware infection can have devastating effects when it hits key operational systems such as supply-chain and manufacturing systems, and that leverage is precisely how the extortionists make sure the affected companies actually pay.
EKANS is a ransomware family that has been used in targeted ICS campaigns. The researchers examined two samples in detail, one from May and one from June.
Both Windows samples are written in Go, a language popular with malware developers because it cross-compiles easily for different operating systems, which lets attackers target Windows, Linux and macOS with little extra effort.
To support the analysis, FortiGuard built an EKANS-specific disassembler and found that, despite a large number of coding errors in the May sample (over 1,200 strings, to be exact), the malware is still capable of attacking ICS systems effectively.
EKANS appears to be designed to select its victims deliberately. It attempts to confirm its target by resolving the domain belonging to the victim company and comparing the result against a built-in IP list; if the target cannot be confirmed, the routine exits. Once the target is confirmed, the ransomware searches for domain controllers to compromise.
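The target-confirmation gate described above has a practical consequence for analysts: a sample that cannot resolve the victim's domain to an address on its list simply exits, so it will not detonate in a sandbox unless DNS is faked. The following is an added reconstruction of that gating logic, not EKANS code and not FortiGuard's tooling. The domain, the expected IP list and the resolver answers are constructed placeholders; the resolver is injectable so the lab and sandbox cases can be exercised offline.

```python
"""Reconstruction of a resolve-and-compare target gate (added example,
not EKANS code).  The malware is described as resolving the victim's
domain and comparing the answer with a built-in IP list, exiting if
nothing matches.  All names and addresses below are constructed."""
import socket

# Assumed: the binary carries the victim domain and the addresses it
# expects that domain to resolve to.  Constructed placeholder values.
TARGET_DOMAIN = "victim.example"
EXPECTED_IPS = {"198.51.100.7", "198.51.100.8"}


def live_resolver(domain):
    """Real DNS lookup: the set of A-record addresses, or empty on failure."""
    try:
        return set(socket.gethostbyname_ex(domain)[2])
    except socket.gaierror:
        return set()


def fake_resolver(answers):
    """Build an offline resolver from a {domain: [ip, ...]} table.
    Used here to simulate the victim network, a sandbox with no DNS,
    and a sandbox that sinkholes every name to one address."""
    return lambda domain: set(answers.get(domain, []))


def is_target(domain, expected_ips, resolve=live_resolver):
    """True only if the domain resolves to at least one expected address.
    An empty answer (no DNS, NXDOMAIN) counts as 'not the target'."""
    resolved = resolve(domain)
    return any(ip in expected_ips for ip in resolved)


def run(domain=TARGET_DOMAIN, expected_ips=EXPECTED_IPS, resolve=live_resolver):
    """Mirror the gating decision: 'proceed' only when the target is confirmed,
    otherwise 'abort' (the point at which the real sample would exit)."""
    return "proceed" if is_target(domain, expected_ips, resolve) else "abort"


if __name__ == "__main__":
    victim_net = fake_resolver({TARGET_DOMAIN: ["198.51.100.7"]})
    no_dns = fake_resolver({})
    sinkhole = fake_resolver({TARGET_DOMAIN: ["203.0.113.9"]})
    print("victim network :", run(resolve=victim_net))   # proceed
    print("sandbox, no DNS:", run(resolve=no_dns))       # abort
    print("sandbox sinkhole:", run(resolve=sinkhole))    # abort
```

The sinkhole case is the one that trips up generic analysis environments: answering every query with a single fake address satisfies most malware's connectivity checks but not a gate that compares against specific expected addresses, so the lab's DNS (or a hosts-file entry) has to return the addresses the sample is looking for before the rest of the routine can be observed.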
Both versions have the functionality of typical ransomware: once on a compromised host, the malware encrypts files and displays a ransom note demanding payment for a decryption key that may or may not restore access to the files.
The June sample goes further, adding capabilities that could have devastating consequences in an industrial environment, including disabling the host firewall.
To evade existing ICS protection mechanisms, the ransomware attempts to turn the firewall off before encryption begins, which the researchers say is likely intended to blind antivirus and other defense solutions by blocking all agent communication.
EKANS uses RSA encryption to lock files on affected machines, goes on a process-killing rampage, terminating anything that could stand in the way of the malware's activity, and deletes volume shadow copies to hinder file recovery.
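The pre-encryption steps just described (firewall off, shadow copies deleted, a burst of process terminations) are the noisiest part of the chain and the easiest place to catch it before files are locked. The following is an added detection sketch, not FortiGuard's or EKANS's code. It runs a few rules over constructed records modelled loosely on Sysmon Event ID 1 (process creation) and Event ID 5 (process termination). The command lines it looks for (netsh advfirewall ... state off, vssadmin delete shadows, wmic shadowcopy delete) are the standard Windows ways to perform these actions and are assumed here rather than quoted from the samples; the burst window and threshold are likewise assumptions to tune per environment.

```python
"""Detection sketch for the pre-encryption behaviours described above
(added example; not FortiGuard or EKANS code).  Sample records and the
specific command lines are constructed / assumed, not taken from samples."""
import re
from datetime import datetime, timedelta

# Command-line rules.  Assumed commands: common Windows ways to disable
# the host firewall and delete shadow copies.
COMMAND_RULES = {
    "firewall_disable": re.compile(
        r"netsh(?:\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I),
    "shadow_copy_delete": re.compile(
        r"(?:vssadmin(?:\.exe)?\s+delete\s+shadows"
        r"|wmic(?:\.exe)?\s+shadowcopy\s+delete)", re.I),
}

_BASE = datetime(2020, 6, 1, 10, 0, 0)


def _ts(seconds):
    """Constructed ISO timestamp offset from a fixed base time."""
    return (_BASE + timedelta(seconds=seconds)).isoformat(timespec="milliseconds")


# Constructed events: two suspicious command lines, one benign one, then
# 25 process terminations inside five seconds (modelled on Sysmon ID 5).
SAMPLE_EVENTS = [
    {"ts": _ts(0), "id": 1, "pid": 4100, "image": r"C:\Windows\System32\netsh.exe",
     "cmd": "netsh advfirewall set allprofiles state off"},
    {"ts": _ts(1), "id": 1, "pid": 4101, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin delete shadows /all /quiet"},
    {"ts": _ts(2), "id": 1, "pid": 4102, "image": r"C:\Windows\System32\notepad.exe",
     "cmd": "notepad.exe C:\\Users\\op\\notes.txt"},
] + [
    {"ts": _ts(3 + 0.2 * i), "id": 5, "pid": 5000 + i,
     "image": f"C:\\svc\\agent{i}.exe", "cmd": ""}
    for i in range(25)
]


def match_command(cmd):
    """Names of every command-line rule the given command matches."""
    return [name for name, rx in COMMAND_RULES.items() if rx.search(cmd)]


def termination_burst(events, window=timedelta(seconds=10), threshold=20):
    """Sliding-window count of process-termination events (id 5).
    Returns (window_start, count) for the densest window that reaches the
    threshold, or None if no window does."""
    times = sorted(datetime.fromisoformat(e["ts"]) for e in events if e["id"] == 5)
    best, start = None, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        count = end - start + 1
        if count >= threshold and (best is None or count > best[1]):
            best = (times[start], count)
    return best


def detect(events):
    """Run the command rules over process-creation records and the burst
    heuristic over termination records; return a list of alert dicts."""
    alerts = []
    for e in events:
        if e["id"] == 1:
            for rule in match_command(e["cmd"]):
                alerts.append({"rule": rule, "ts": e["ts"], "pid": e["pid"], "cmd": e["cmd"]})
    burst = termination_burst(events)
    if burst:
        start, count = burst
        alerts.append({"rule": "termination_burst",
                       "ts": start.isoformat(timespec="milliseconds"),
                       "pid": None, "cmd": f"{count} process terminations in one window"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f'{alert["ts"]}  {alert["rule"]:<20} pid={alert["pid"]}  {alert["cmd"]}')
```

Any one of these alerts on an engineering workstation or HMI host deserves immediate attention; all three within a few seconds of each other, as in the constructed sample, is the pattern to page on. Note that Sysmon does not log process termination unless an Event ID 5 rule is enabled, so the burst heuristic only works where that telemetry exists.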
Alongside the analysis of this ICS malware, FortiGuard also published a guide to what the company believes are the latest tactics and techniques used by industrial threat actors.
These include exploiting remote services, credential dumping, lateral movement within networks, disabling or modifying security tools, impairing defenses by disabling Windows event logging, and modifying group policy.