EKANS

Description

(Dragos) EKANS ransomware emerged in mid-December 2019, and Dragos published a private report to Dragos WorldView Threat Intelligence customers early January 2020. While relatively straightforward as a ransomware sample in terms of encrypting files and displaying a ransom note, EKANS featured additional functionality to forcibly stop a number of processes, including multiple items related to ICS operations. While all indications at present show a relatively primitive attack mechanism on control system networks, the specificity of processes listed in a static “kill list” shows a level of intentionality previously absent from ransomware targeting the industrial space. ICS asset owners and operators are therefore strongly encouraged to review their attack surface and determine mechanisms to deliver and distribute disruptive malware, such as ransomware, with ICS-specific characteristics.

Names

Name
EKANS
Snake
SNAKEHOSE

Category

Malware

Type

• ICS malware
• Ransomware
• Big Game Hunting

Information

• https://www.dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/
• https://blog.malwarebytes.com/threat-analysis/2020/06/honda-and-enel-impacted-by-cyber-attack-suspected-to-be-ransomware/
• https://unit42.paloaltonetworks.com/threat-assessment-ekans-ransomware/
• https://www.deepinstinct.com/2020/06/29/the-snake-attacks-holding-the-industrial-sector-ransom/
• https://www.fortinet.com/blog/threat-research/ekans-ransomware-targeting-ot-ics-systems

Mitre Attack

• https://attack.mitre.org/software/S0605/

Malpedia

• https://malpedia.caad.fkie.fraunhofer.de/details/win.snake

Alienvault Otx

• https://otx.alienvault.com/browse/pulses?q=tag:ekans

Playbook

• https://pan-unit42.github.io/playbook_viewer/?pb=ekans-ransomware

Other Information

Uuid

8236a50f-f937-4e6e-b935-8dea58971dfa

Last Card Change

2022-12-30