February 6, 2020
By David Bisson 2 min read

Security researchers observed that EKANS ransomware has the ability to stop processes related to an organization’s industrial control systems (ICS).

In its analysis, Dragos observed that EKANS ransomware first checks for the “EKANS” Mutex value on a victim’s machine. If it uncovers this value, the threat ceases its activity. Otherwise, it sets the Mutex value and then kills several processes associated with ICS operations.

The sample analyzed by Dragos lacked the ability to inject commands into or otherwise change those ICS processes. Even so, researchers noted that the threat could render a loss of view condition on the network if executed on the right type of system. At that point, EKANS proceeded with its file encryption process before dropping its ransom note.

Dragos noted that the ransomware was not programmed to reboot or shut down the system or to close remote access channels. The lack of this capability makes the EKANS sample analyzed by the security firm less disruptive than some ransomware families that have previously targeted ICS systems. Even so, researchers noted that there’s still uncertainty over whether EKANS can produce what they called “inadvertent loss of control situations.”

Ties to Another Ransomware Family

While investigating the ransomware, Dragos discovered that the EKANS sample behaved like the MegaCortex family in that it didn’t come with a built-in propagation mechanism. It found that the threat spread using scripts or an Active Directory compromise instead. This technique enabled EKANS to perpetrate a large-scale compromise of an enterprise’s network, the researchers noted.

That’s not the only connection that Dragos found between EKANS and MegaCortex, the ransomware that attracted the attention of Trend Micro in May 2019 when it began targeting enterprise networks. The security firm noted that EKANS’ process kill activity was similar to functionality observed by Accenture in “version 2” of MegaCortex back in mid-2019. Additionally, Dragos discovered that all of the processes listed in EKANS’ list appeared in MegaCortex’s kill list.

How to Defend Against EKANS Ransomware

Security professionals can help their organizations defend against an EKANS ransomware infection by using the latest threat intelligence to track the emergence of new ransomware families and techniques. Companies with connections to critical infrastructure or with large operational technology environments should also invest in additional staff education and the creation of a testing program for evaluating the security preparedness of their organization’s critical ICS components.

 |  |  |  |  |  |  | 
David Bisson
Contributing Editor

More from

Data Protection   June 8, 2023

Beyond Requirements: Tapping the Business Potential of Data Governance and Security

3 min read - Doom and gloom. Fear, uncertainty and doubt. The "stick" versus the "carrot". What do these concepts have in common? They have often provided the primary motivation for organizations’ data governance and security strategies. For the enterprise, this mindset has perpetuated the idea that data governance, data security and data privacy are reactive cost centers existing due to externally imposed requirements or mandates.Yet, what if data governance and security practices could upend the prevailing paradigm and demonstrate direct business value?[button link="https://community.ibm.com/community/user/security/events/event-description?CalendarEventKey=8d7fdc61-97bf-43b0-b7d6-018756e436a6&CommunityKey=aa1a6549-4b51-421a-9c67-6dd41e65ef85&Home=%2fcommunity%2fuser%2fsecurity%2fcommunities%2fcommunity-home%2frecent-community-events"…

3 min read
News   June 7, 2023

Protecting Against Remote Monitoring and Management Phishing

3 min read - You use remote monitoring and management (RMM) software to closely monitor your cyber environment and keep your organization safe. But now cyber criminals are specifically targeting these tools, causing legitimate software to become a vulnerability. This is the latest type of attack in an increase in a recent trend of disruptive software supply chain attacks. The Cybersecurity and Infrastructure Security Agency (CISA) recently released an alert about the malicious use of legitimate remote monitoring and management (RMM) software. Last fall,…

3 min read
Risk Management   June 7, 2023

Secure-by-Design: Which Comes First, Code or Security?

4 min read - For years, developers and IT security teams have been at loggerheads. While developers feel security slows progress, security teams assert that developers sacrifice security priorities in their quest to accelerate production. This disconnect results in flawed software that is vulnerable to attack. While advocates for speed and security clash, consumers must often pay the price when threat actors strike. 48% of developers admitted they were still shipping code with vulnerabilities in 2022. It’s clearly time for a change. Many believe…

4 min read
Intelligence & Analytics   June 6, 2023

ITG10 Likely Targeting South Korean Entities of Interest to the Democratic People’s Republic of Korea (DPRK)

7 min read - In late April 2023, IBM Security X-Force uncovered documents that are most likely part of a phishing campaign mimicking credible senders, orchestrated by a group X-Force refers to as ITG10, and aimed at delivering RokRAT malware, similar to what has been observed by others. ITG10's tactics, techniques and procedures (TTPs) overlap with APT37 and ScarCruft. The initial delivery method is conducted via a LNK file, which drops two Windows shortcut files containing obfuscated PowerShell scripts in charge of downloading a…

7 min read
© 2023 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature