Cyber Attackers are using a variety of methods including EKANS ransomware to target industrial control systems (ICS). The ransomware can stop numerous endpoint protection programs such as EDR, delete shadow copies, turn off the host firewall, and can stop specific services and processes.
The ransomware has targeted industries related to the automobile, healthcare, architecture firms, energy, and electronics sector with the intention to disrupt operations of the victim’s factory. The features of EKANS ransomware can easily bypass any existing ICS protections causing a substantial loss and major operational damage to critical infrastructure.
According to FortiGuard security researchers, the EKANS ransomware is created in such a way that it targets only specific victims. When it was first observed in January 2020, it had the basic ransomware behavior, encrypting files and displaying a ransom note when finished. One thing that makes the EKANS ransomware stand out from other ransomware strains is that it includes a static “kill list” that stops numerous antivirus and industrial control systems (ICS) processes and services. Therefore, after killing the processes, it deletes shadow copies to disable any restoration capabilities. Also, the EKANS ransomware doesn’t follow a uniform extension change like other active ransomware. It modifies the extension with five random characters. The open unused Remote Desktop Protocol (RDP) ports should be closed or prevent the malware from entering the network.
Detection and prevention should focus on strong network and endpoint visibility, with EDR solution and network sensors that can detect lateral movement and malware propagation, or initial reconnaissance of the malware against domain controllers.
When detected, it is important to call a forensics firm that has an understanding of this malware virus stain, and can eradicate, contain and recover from initial compromise. Often forensic firms deploy cyber vaccines, such as LIFARS Dridex Cyber Vaccine published here. Dridex is a malware developed by a know threat actor called Evil Corp.
Having tested incident response plans can help with a limitation on OT and IT infrastructure disruption and damage. It is vital that enterprises practice and train with digital forensic firms on how to respond to this new threat.
Also, it is common that ransomware operators keep their presence in the network even after the initial ransomware threat is eliminated. Therefore, we advise to perform a threat hunting to find out if the adversaries still have control over your infrastructure.