Over the past five years, ransomware has emerged as a vexing menace that has shut down factories, hospitals, and local municipalities and school districts around the world. In recent months, researchers have caught ransomware doing something that’s potentially more sinister: intentionally tampering with industrial control systems that dams, electric grids, and gas refineries rely on to keep equipment running safely.
A ransomware strain discovered last month and dubbed Ekans contains the usual routines for disabling data backups and mass-encrypting files on infected systems. But researchers at security firm Dragos found something else that has the potential to be more disruptive: code that actively seeks out and forcibly stops applications used in industrial control systems, which is usually abbreviated as ICS. Before starting file-encryption operations, the ransomware kills processes listed by process name in a hard-coded list within the encoded strings of the malware.
In all, Ekans kills 64 processes, including those spawned by human-machine interfaces from Honeywell, the Proficy Historian from General Electric, and licensing servers from GE Fanuc. The same 64 processes, it turns out, are targeted in a version of the MegaCortex ransomware. That version first came to light in August.
By ceasing operations at hospitals, factories, and other mission-critical environments, ransomware has always represented a threat to safety. But the resulting damage remained largely contained to IT systems inside targeted networks. Unless the ransomware made an unexpected jump to ICS networks—which are usually segregated and better fortified—the likelihood of disrupting sensitive industrial systems seemed remote. In a post published on Monday, Dragos researchers wrote:
Ekans (and apparently some versions of MegaCortex) shift this narrative as ICS-specific functionality is directly referenced within the malware. While some of these processes may reside in typical enterprise IT networks, such as Proficy servers or Microsoft SQL servers, inclusion of HMI software, historian clients, and additional items indicates some minimal, albeit crude, awareness of control system environment processes and functionality.
Monday’s report described Ekans’ ICS targeting as minimal and crude because the malware simply kills various processes created by widely used ICS programs. That’s a key differentiator from ICS-targeting malware discovered over the past few years with the ability to do much more serious damage. One example is Industroyer, the sophisticated malware that caused a power outage in Ukraine in December 2016 in a deliberate and well-executed attempt to leave households without electricity in one of the country’s coldest months.
Another example is Trisis (aka Triton), which deliberately tampered with systems that were designed to prevent health- and life-threatening accidents inside a critical infrastructure facility in the Middle East. Other examples include the Stuxnet worm that targeted Iran’s nuclear program a decade ago, the BlackEnergy malware used to create a regional blackout in Ukraine in December 2015 (a year before the Industroyer incident), and espionage malware known as Havex, which targeted 2,000 industrial sites with code that mapped out industrial equipment and devices.
Industroyer, Trisis, and the other examples contained code that surgically and painstakingly tampered with, mapped, or dismantled certain highly sensitive functions inside the critical infrastructure sites they targeted. Ekans and MegaCortex, by contrast, simply kill processes spawned by ICS software. It remains unclear precisely what effect the killing of those processes would have on the safety of operations inside infected facilities.
Another reason Dragos considers Ekans to be a “relatively primitive attack” is that the ransomware has no mechanism to spread. That makes Ekans much less of a threat than ransomware such as Ryuk, which quietly collects credentials for months on infected systems so it can eventually proliferate widely through almost all parts of a targeted network.
Monday’s post also challenged recent reporting that Ekans, which also goes by the name Snake, was created by Iran. The report, which was based on research findings from security firm Otorio, cited similarities to previously known Iranian malware and operations. Dragos researchers said that the firm “finds any such link to be incredibly tenuous based upon available evidence.”
Despite the lack of sophistication and no established links to nation states, Ekans warrants serious attention by organizations with ICS operations.
“While all indications at present show a relatively primitive attack mechanism on control system networks, the specificity of processes listed in a static ‘kill list’ shows a level of intentionality previously absent from ransomware targeting the industrial space,” Dragos researchers wrote. “ICS asset owners and operators are therefore strongly encouraged to review their attack surface and determine mechanisms to deliver and distribute disruptive malware, such as ransomware, with ICS-specific characteristics.”