For five years, ransomware has dominated the list of most successful malware. Since the end of 2019, a new ransomware is raising concerns for OT and ICS networks – Ekans (Snake, when spelled backwards).
Ransomware encrypts data, deletes backups and stops processes
IKARUS partner Nozomi Networks  is well aware that Ekans spreads manually, especially via email and exploits of poorly secured systems. On January 8, 48 hours after the first report, the corresponding signatures and rules have already been integrated into the in-house Threat Intelligence.
In addition to the typical encryption of files and programs, Ekans searches and deletes backups on infected devices. Encrypted data cannot be restored. Furthermore, the malware comes with a “kill list” of processes that are stopped. These include security and management software, databases and backup solutions – and ICS-related processes. Industrial plants are directly at risk.
Industrial control processes targeted for the first time
The attackers’ knowledge of industrial control systems seems rudimentary. The ICS-related processes on the “kill list” could be a “side blow” to cause as much damage as possible to IT networks. IKARUS partner FireEye points out that the majority of processes have nothing to do with industrial control systems. The same process list, which is stored in Ekans, was already used by Ransomware MegaCortex. FireEye therefore suspects “synergy effects”. Further overlaps between the two malware families do not seem to exist.
According to analyses by Dragos security researchers who discovered the malware in January, Ekans cannot enter commands into the control systems or manipulate procedures. Nevertheless, danger seems to be imminent: the actual effects of the hard-coded “kill list” on industrial control systems are unclear. Loss of visibility and control are possible consequences. Even with secured systems that fall back to manual control in an emergency, there is still at least the risk of high financial consequences .
Safety recommendations for industrial environments
“MegaCortex and Ekans have brought a new quality to the attack scene,” warns DI Christoph Barszczewski from IKARUS Security Software: “While previous attacks on industry such as Norsk Hydro can be attributed to ‘normal’ ransomware, someone has now explicitly written ransomware that specifically attacks ICS processes of certain vendors. This is a novelty. Pandora’s box is open. It is also highly probable that behind Ekans’ criminals and not state actors are to be assumed.
Industrial companies should be vigilant and control their protective mechanisms. OT-specialist Nozomi recommends to pay special attention to the following security guidelines in order to strengthen security and visibility in the operational area:
- Email scanning and email filtering to defend against malware campaigns
- Security awareness of all employees to detect and fend off phishing campaigns
- Network auditing, especially with regard to network isolation and firewall policies
- Implementation of a backup policy that supports fast access to affected files
Transparency and security in IT, OT and ICS environments
Companies that want to secure their IT and OT networks benefit from a common security platform. This platform displays the findings and warnings of all security-relevant applications in one interface. The advantages are a detailed overview of the entire infrastructure, all devices, systems and protocols, as well as early hazard detection and fast response capability.
Together with FireEye and Nozomi Networks, IKARUS offers a central modular platform. Local installations, where useful and necessary, are combined with the possibility to run a part of the services either on-premise or from the cloud. The advantage of the technology merger lies in the integration of all services and hardware into the IKARUS data center in Vienna: All data is processed locally, while full access to the global threat intelligence of the international services is available.
IKARUS as central contact, system integrator and 24/7 support team enables full onboarding within four weeks.
Your contact for OT and ICS security:
DI Christoph Barszczewski
Tel. +43 1 58995-157
Information about IT, OT and ICS security: https://www.ikarussecurity.com/en/it-ot-and-ics-security/
IKARUS, FireEye and NOZOMI: Technological cooperation for more security
IoT, IIoT, ICS: definitions, similarities and differences