
OT security - Dragos reports new OT ransomware EKANS
On our own behalf
At the beginning of January, security experts from the company Dragos discovered a new ransomware which was christened EKANS. EKANS stands for Snake backwards. Since there was already a malware with the name Snake, the name EKANS was chosen.
During its investigation of EKANS, Dragos found a list of processes associated with the operation of industrial control systems (ICS). The malware is designed to terminate the named processes on the affected machines. This is particularly noteworthy because, while ransomware has hit ICS environments before, all of the earlier events involved IT-focused ransomware: OT, ICS and SCADA systems were not directly targeted, and until now OT has been affected incidentally rather than intentionally in ransomware attacks.
EKANS is an obfuscated ransomware variant written in the Go programming language, which was first observed in commercial malware repositories in late December 2019.
The binary contains several encoded strings. However, the encoding scheme can be identified and reversed, and a publicly available analysis was provided as early as 07 January 2020. Examining the decoded strings together with monitoring the malware's execution in a sandbox environment reveals the program flow of the ransomware.
First, the malware checks the system for the presence of a mutex value, "EKANS". If present, the ransomware stops with the message "already encrypted!". Otherwise, the mutex is set and encryption proceeds using standard encryption library functions. The primary functionality on the victim's system is achieved via calls to Windows Management Instrumentation (WMI), which starts the encryption operations and removes the disk shadow copy backups on the victim.
Before proceeding with file encryption operations, the ransomware stops ("terminates") processes listed by process name in a hard-coded list within the malware's encrypted strings. While some of the referenced processes appear to relate to security or management software (e.g. Qihoo 360 Safeguard and Microsoft System Center), the majority of the listed processes relate to databases (e.g. Microsoft SQL Server), data backup solutions (e.g. IBM Tivoli) or ICS-related processes.
The referenced ICS products include numerous references to GE's Proficy data historian, with both client and server processes included. Additional ICS-specific entries include GE Fanuc licence server services and Honeywell's HMIWeb application. The remaining ICS-related elements consist of remote monitoring (e.g. historian-like) software or licence server instances such as FLEXNet, the Sentinel HASP licence manager and the ThingWorx Industrial Connectivity Suite. As mentioned earlier, the malware does not perform any action other than forcibly stopping the referenced processes. The malware is therefore not able to inject commands into ICS-related processes or otherwise manipulate them. However, execution on the right system (e.g. a data historian) would cause a loss of visibility on the network.
After the process termination and encryption actions, EKANS places a ransom note at the root of the system drive (usually C:\) and on the desktop of the active user. The ransom note names a contact email address and offers to demonstrate that the data can be recovered. This is therefore not a ransomware variant where the data cannot be recovered even after the ransom is paid.
EKANS has no built-in propagation or distribution mechanism. Instead, the malware must be launched either interactively or via script in order to infect a computer. EKANS thus follows a trend observed in other ransomware families such as Ryuk and MEGACORTEX, among others, where self-propagation is avoided in favour of large-scale compromise of a corporate network. Once that is achieved, the ransomware can be placed and timed throughout the network via script, Active Directory compromise or other mechanisms to achieve simultaneous infection and system disruption.
Historically, concern about ransomware in ICS environments has focused on propagation mechanisms. Essentially, IT-focused ransomware could affect control system environments if it migrated into the Windows-based parts of control system networks, disrupting operations. Any ICS disruption caused by ransomware was therefore the result of overly aggressive malware propagation leading to ICS impacts.
EKANS (and apparently some versions of MEGACORTEX) shifts this narrative by referencing ICS-specific functionality directly in the malware. While some of these processes may be present in typical enterprise IT networks, such as Proficy servers or Microsoft SQL servers, the inclusion of HMI software, historian clients and additional elements indicates a minimal, albeit crude, knowledge of the processes and functions of the control system environment.
The actual extent of the impact that EKANS or the ICS-aware MEGACORTEX might have on an industrial environment is unclear. Targeting historians and data collection processes at both client and server level imposes significant costs on an organisation and could lead to a loss of visibility across the plant environment. The impact of terminating licence server and HMI processes is less clear, as other processes may still be running to provide the functionality, and fallbacks or "grace periods" for licence servers may allow continued operation for some time without the licence management system.
Nevertheless, this uncertainty remains unacceptable given the potential to create unintended loss-of-control situations depending on precise environmental configuration and process connections. Consequently, EKANS and its suspected parent MEGACORTEX variant pose a unique and specific risk to industrial operations that has not previously been observed in ransomware operations. While some organisations may revert to "manual mode" in an emergency, the cost and inefficiency of such a reversion (if such a switch occurs without major problems) is still significant. Given these issues, EKANS and similar ransomware pose specific and unique risks and cost implications for industrial environments.
What to do about it
Host:
- Unlike some other recent ransomware variants, EKANS is not code-signed. Implementing controls in control system networks that prohibit the execution of unsigned binaries can therefore mitigate the execution of malware such as this. Unfortunately, many software packages from legitimate vendors continue to be distributed in unsigned form, making this mitigation strategy impractical in many cases.
- Similar to the above, but relying on more generic mechanisms, organisations can prohibit or at least monitor the execution of previously unseen executables from non-standard or non-updated sources. Again, while imperfect given the way some legitimate software packages are created and distributed, this can still at least serve as a first alarm to prompt further investigation and potentially limit the spread of malicious software on sensitive networks.
- Particularly in the context of ICS historian activity, organisations can detect a potentially ongoing disruptive attack by implementing logic in, or monitoring of, their historian (such as GE Proficy in this case) to identify instances where multiple endpoints stop communicating with and reporting to the historian at around the same time. While systems may still be offline or compromised, identifying this data point early in the investigation facilitates root cause analysis of the event by pointing at potential ICS-specific functions, such as the one found in EKANS.
- Although a common recommendation for ransomware events, organisations need to focus on creating regular backups of critical files and systems and storing them in a secure location that is not easily accessible from the regular network. For ICS operations in particular, backups must include the last known configuration data, project files and related items to enable rapid recovery in the event of a disaster.
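The historian check recommended above, written out as an added example (not Dragos or GE code): it takes "last data received" records per source, which are a constructed stand-in for whatever your historian exposes (collector heartbeats, tag timestamps, client connections), and reports groups of sources that went silent within seconds of each other rather than one client dropping off on its own.

```python
from datetime import datetime, timedelta

def last_seen(records):
    """Map each endpoint to the latest timestamp at which it reported in."""
    seen = {}
    for ts, endpoint in records:
        if endpoint not in seen or ts > seen[endpoint]:
            seen[endpoint] = ts
    return seen

def silent_clusters(records, now, silence=timedelta(minutes=5),
                    window=timedelta(seconds=90), min_endpoints=3):
    """Return (first_stop, last_stop, [endpoints]) for every group of at least
    min_endpoints endpoints whose last report is older than `silence` and whose
    last reports fall within `window` of each other.  One client dropping off
    is routine; several at the same moment is the footprint a plant-wide
    process kill leaves in the historian."""
    cutoff = now - silence
    stale = sorted((ts, ep) for ep, ts in last_seen(records).items() if ts <= cutoff)
    clusters, group = [], []
    for ts, ep in stale:
        if group and ts - group[0][0] > window:   # gap too large: close the group
            if len(group) >= min_endpoints:
                clusters.append(group)
            group = []
        group.append((ts, ep))
    if len(group) >= min_endpoints:
        clusters.append(group)
    return [(g[0][0], g[-1][0], sorted(ep for _, ep in g)) for g in clusters]

# Constructed sample: minute-resolution records from a fictitious historian,
# 03:00-03:30.  Four sources stop at 03:12/03:13, collector-c dropped alone
# at 03:00 (unrelated), and two sources keep reporting right up to NOW.
T = datetime(2020, 1, 15, 3, 0, 0)
NOW = T + timedelta(minutes=30)

def _reports(endpoint, first_minute, last_minute):
    return [(T + timedelta(minutes=m), endpoint) for m in range(first_minute, last_minute + 1)]

SAMPLE = (_reports("hmi-01", 0, 30) + _reports("plc-gw-1", 0, 30)
          + _reports("collector-c", 0, 0)
          + _reports("collector-a", 0, 12) + _reports("collector-b", 0, 12)
          + _reports("hist-client-1", 0, 13) + _reports("hmi-02", 0, 13))

if __name__ == "__main__":
    for first, last, endpoints in silent_clusters(SAMPLE, NOW):
        print(f"{len(endpoints)} sources silent since {first:%H:%M}-{last:%H:%M}: {endpoints}")
```

Tune `silence` to the slowest legitimate reporting interval in your plant and `min_endpoints` to a number that single-host maintenance never reaches.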
Network:
If possible, identify the transfer of unknown binaries over network resources from corporate networks to control system enclaves. While identifying when executable code enters the ICS environment is imperfect, it can at least allow defenders to correlate this activity with other suspicious observations (such as new logon or promiscuous logon activity) that could indicate an intrusion.
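One way to implement this correlation point, as an added example that is not Dragos code: a pass over file-transfer records of the kind a network sensor produces (the field names and the corporate/ICS address ranges below are assumptions, and the records and hashes are constructed), flagging every executable that moves from corporate address space into a control system enclave and marking whether its hash is on a list of known vendor releases.

```python
import ipaddress

# Assumed address plan for the example: corporate IT vs. control system enclaves.
CORPORATE = [ipaddress.ip_network("10.0.0.0/8")]
ICS_ENCLAVES = [ipaddress.ip_network("192.168.100.0/24"),
                ipaddress.ip_network("192.168.101.0/24")]
# MIME labels that file-carving sensors commonly assign to Windows/ELF executables.
EXECUTABLE_MIME = {"application/x-dosexec", "application/x-msdownload",
                   "application/x-executable"}

def _in_any(addr, networks):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)

def crossing_executables(records, known_hashes):
    """Return (sender, receiver, filename, sha256, status) for each executable
    transferred from a corporate host into an ICS enclave.  status is 'known'
    when the hash is on the allowlist of expected vendor binaries, otherwise
    'unknown' (the first-alarm case worth correlating with logon activity)."""
    alerts = []
    for r in records:
        if r["mime"] not in EXECUTABLE_MIME:
            continue
        if not (_in_any(r["tx"], CORPORATE) and _in_any(r["rx"], ICS_ENCLAVES)):
            continue   # ICS-to-corporate or corporate-internal copies are out of scope here
        status = "known" if r["sha256"].lower() in known_hashes else "unknown"
        alerts.append((r["tx"], r["rx"], r["filename"], r["sha256"], status))
    return alerts

# Constructed sample records; the sha256 values are placeholders, not real hashes.
SAMPLE_RECORDS = [
    {"tx": "10.20.1.15", "rx": "192.168.100.7", "mime": "application/x-dosexec",
     "filename": "update.exe", "sha256": "PLACEHOLDER_HASH_UNKNOWN_1"},
    {"tx": "10.20.1.15", "rx": "192.168.100.9", "mime": "application/x-dosexec",
     "filename": "historian-setup.exe", "sha256": "PLACEHOLDER_HASH_VENDOR_A"},
    {"tx": "192.168.100.7", "rx": "10.20.1.15", "mime": "application/x-dosexec",
     "filename": "export-tool.exe", "sha256": "PLACEHOLDER_HASH_UNKNOWN_2"},
    {"tx": "10.20.1.15", "rx": "192.168.101.3", "mime": "text/plain",
     "filename": "notes.txt", "sha256": "PLACEHOLDER_HASH_TEXT"},
]
KNOWN_VENDOR_HASHES = {"placeholder_hash_vendor_a"}

if __name__ == "__main__":
    for alert in crossing_executables(SAMPLE_RECORDS, KNOWN_VENDOR_HASHES):
        print(alert)
```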
Backups:
Many ransomware attacks also impact the backup infrastructure. In a recent ransomware attack that Dragos security experts responded to, the attackers encrypted a Synology network attached storage (NAS) device, which was mounted as a Server Message Block (SMB) share on all systems used to store backups. Fortunately, an engineer had previously decided to keep a copy of the backups on an external drive. Unfortunately, those backups were about 18 months old, so the victim lost a lot of production data as well as the technical improvements and logic changes made during that time.
In addition to maintaining offline backups, backup procedures should consider not only systems but also critical data. While backing up a system every three months, for example, may be fine, critical data required for business operations may need to be available to the day or even the hour. Organisations should ensure that this information is identified and categorised by importance and remains available even when all systems are encrypted.
Conclusion
The EKANS ransomware is unique in that, alongside only a handful of ICS-specific malware variants such as Havex and CRASHOVERRIDE, it contains specific references to industrial processes. At the same time, the actual implementation of this functionality in EKANS is still extremely primitive and of undetermined industrial significance.
Nevertheless, EKANS (and its probable predecessor MEGACORTEX) represent a worrying development that makes control system environments particularly vulnerable. Therefore, despite its limited functionality and nature, EKANS represents a relatively new and profound development in the field of ICS-targeted malware. Whereas ICS-specific or ICS-related malware was previously exclusively the playground of state-sponsored entities, EKANS seems to indicate that non-state actors seeking financial gain are now also involved in this field, albeit still only at a very primitive level. Consequently, it is incumbent upon ICS asset owners and operators to learn not only from the workings of EKANS itself, but also from the myriad ways malicious software such as EKANS can spread and be distributed in control system environments, in order to prepare an actionable, relevant defence.
Should you wish to extend the security of your IT and OT via a monitoring system, which passively or, if desired, actively monitors the network, we would be happy to present you with a solution or a security concept. We would also be happy to provide you with a test solution in order to convince you of the performance and quality. You can reach us by phone, e-mail or our contact form.