Ekans Ransomware: Danger for OT and ICS environments

18. February, 2020

For five years, ransomware has dominated the list of most successful malware. Since the end of 2019, a new ransomware is raising concerns for OT and ICS networks – Ekans (Snake, when spelled backwards).

Ransomware encrypts data, deletes backups and stops processes

IKARUS partner Nozomi Networks [1] is well aware that Ekans spreads manually, especially via email and exploits of poorly secured systems. On January 8, 48 hours after the first report, the corresponding signatures and rules have already been integrated into the in-house Threat Intelligence.

In addition to the typical encryption of files and programs, Ekans searches and deletes backups on infected devices. Encrypted data cannot be restored. Furthermore, the malware comes with a “kill list” of processes that are stopped. These include security and management software, databases and backup solutions – and ICS-related processes. Industrial plants are directly at risk.

Industrial control processes targeted for the first time

The attackers’ knowledge of industrial control systems seems rudimentary. The ICS-related processes on the “kill list” could be a “side blow” to cause as much damage as possible to IT networks. IKARUS partner FireEye points out that the majority of processes have nothing to do with industrial control systems. The same process list, which is stored in Ekans, was already used by Ransomware MegaCortex. FireEye therefore suspects “synergy effects”. Further overlaps between the two malware families do not seem to exist.

According to analyses by Dragos security researchers who discovered the malware in January, Ekans cannot enter commands into the control systems or manipulate procedures. Nevertheless, danger seems to be imminent: the actual effects of the hard-coded “kill list” on industrial control systems are unclear. Loss of visibility and control are possible consequences. Even with secured systems that fall back to manual control in an emergency, there is still at least the risk of high financial consequences .[2]

Safety recommendations for industrial environments

“MegaCortex and Ekans have brought a new quality to the attack scene,” warns DI Christoph Barszczewski from IKARUS Security Software: “While previous attacks on industry such as Norsk Hydro can be attributed to ‘normal’ ransomware, someone has now explicitly written ransomware that specifically attacks ICS processes of certain vendors. This is a novelty. Pandora’s box is open. It is also highly probable that behind Ekans’ criminals and not state actors are to be assumed.

Industrial companies should be vigilant and control their protective mechanisms. OT-specialist Nozomi recommends to pay special attention to the following security guidelines in order to strengthen security and visibility in the operational area:

  • Email scanning and email filtering to defend against malware campaigns
  • Security awareness of all employees to detect and fend off phishing campaigns
  • Network auditing, especially with regard to network isolation and firewall policies
  • Implementation of a backup policy that supports fast access to affected files

Transparency and security in IT, OT and ICS environments

Companies that want to secure their IT and OT networks benefit from a common security platform. This platform displays the findings and warnings of all security-relevant applications in one interface. The advantages are a detailed overview of the entire infrastructure, all devices, systems and protocols, as well as early hazard detection and fast response capability.
Together with FireEye and Nozomi Networks, IKARUS offers a central modular platform. Local installations, where useful and necessary, are combined with the possibility to run a part of the services either on-premise or from the cloud. The advantage of the technology merger lies in the integration of all services and hardware into the IKARUS data center in Vienna: All data is processed locally, while full access to the global threat intelligence of the international services is available.

IKARUS as central contact, system integrator and 24/7 support team enables full onboarding within four weeks.

Your contact for OT and ICS security:

DI Christoph Barszczewski
Tel. +43 1 58995-157

Information about IT, OT and ICS security: https://www.ikarussecurity.com/en/it-ot-and-ics-security/


IKARUS, FireEye and NOZOMI: Technological cooperation for more security

IoT, IIoT, ICS: definitions, similarities and differences

[1] https://www.nozominetworks.com/blog/snake-ransomware-raising-concerns-for-ics/

[2] https://dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/

Prognosen für die zehn größten Cybersecurity-Bedrohungen für 2030
E-Mail Verschlüsselung
Schritt für Schritt zum Notfallplan für IT-Security-Incidents
Account Management
Indicators of Attack
Gefahren durch vertrauenswürdige Services
Threat Intelligence
SQL Injection
SMTP Smuggling
Cyber-Risiken in der Ferienzeit
Dynamische Cybersicherheit
Harmony Mobile by Check Point
EU Machinery Regulation


IKARUS Security Software GmbH Blechturmgasse 11
1050 Vienna

Phone: +43 1 58995-0
Sales Hotline:
+43 1 58995-500


Support hotline:
+43 1 58995-400

Support hours:
Mon – Thu: 8am – 5pm
Fri: 8am – 3pm
24/7 support by arrangement

Remote maintenance software:
AnyDesk Download