A troubling development has been the addition of ransomware to the list of threats that target ICS. Recently, a new ICS-specific ransomware threat has been discovered: Ekans. This article will detail the Ekans malware and explore what it is, what makes Ekans different from other ICS threats, how it works and how it can be prevented. As a general comment about threats like these, we should all be concerned about ICS threats. If critical infrastructure lacks proper information security, the resulting damage to society will be immeasurably worse than a personal PC becoming infected.

What is Ekans?

Ekans (“snake” spelled backwards) is a new type of ransomware that targets ICS. Discovered in December of 2019, Ekans is the second type of ransomware designed for ICS. The first ICS ransomware to appear in the wild was MEGACORTEX, a small malware family with both ransomware and disk wiper capabilities that has some dedicated ICS-specific characteristics. The good news is that malware researchers have described Ekans as less of a threat than MEGACORTEX. Despite this opinion, all ICS threats should be treated as serious because of the destruction they can cause to society. Just imagine the chaos that will ensue if critical infrastructure goes down due to poor security measures!

What makes Ekans different from other ICS-specific threats?

Until recently, threat actors responsible for ICS-specific threats have been state-sponsored. This means that the motivation has been based on nation-state interests and not so much for personal gain. Ekans has changed the game in this regard: it is the first ICS-specific threat that is used by private cybercriminals. This means that financial gain is most likely the main motive and other private cybercriminal groups and organizations may follow suit, making these attacks more commonplace.  Another, more whimsical, fact about Ekans is that it is the first ICS-specific malware to be named after a Pokemon character.

How does Ekans work?

Ekans is notable for being very aggressive, according to malware researchers. Part of this is because it does not target individual systems but rather entire networks. Instead of spreading the way that other ransomware does, it is introduced to targeted ICSes by manual propagation. This means that the main infection vector is malicious email attachments. Once an ICS has been infected, Ekans exploits poorly secured and unpatched services to begin its attack. It can seed itself across an entire network via script. After infection, Ekans begins working through what is called a “kill list” of processes typically associated with ICS. If these processes are found, they are terminated. These processes have been described as the “guts” of ICS and belong to widely-used software and programs, including GE’s Proficy software, ThingWorx monitoring and management software and a Honeywell control interface program. This hard-coded kill list is not as extensive as that of MEGACORTEX, but Ekans is still a serious threat. The list includes the following processes:

- bluestripecollector.exe: BlueStripe Data Collector
- ccflic0.exe: Proficy licensing
- ccflic4.exe: Proficy licensing
- cdm.exe: Nimsoft-related
- certificateprovider.exe: Ambiguous
- client.exe: Ambiguous
- client64.exe: Ambiguous
- collwrap.exe: BlueStripe data collector
- config_api_service.exe: ThingWorx Industrial Connectivity suite, ambiguous
- dsmcsvc.exe: Tivoli Storage Manager client
- epmd.exe: RabbitMQ Server (SolarWinds)
- erlsrv.exe: Erlang
- fnplicensingservice.exe: FLEXNet Licensing Service
- hasplmv.exe: Sentinel HASP License Manager
- hdb.exe: Honeywell HMIWeb
- healthservice.exe: Microsoft SCCM
- ilicensesvc.exe: GE FANUC licensing
- inet_gethost.exe: Erlang
- keysvc.exe: Ambiguous
- managementagenthost.exe: VMWare CAF Management Agent service
- monitoringhost.exe: Microsoft SCCM
- msdtssrvr.exe: Microsoft SQL Server Integration Service
- msmdsrv.exe: Microsoft SQL Server Analysis Services
- musnotificationux.exe: Microsoft Update Notification Service
- n.exe: Ambiguous
- nimbus.exe: Broadcom Nimbus
- npmdagent.exe: Microsoft OMS Agent
- ntevl.exe: Nimsoft Monitor
- ntservices.exe: Ambiguous
- pralarmmgr.exe: Proficy-related
- prcalculationmgr.exe: Proficy Historian Data Calculation Service
- prconfigmgr.exe: Proficy-related
- prdatabasemgr.exe: Proficy-related
- premailengine.exe: Proficy-related
- preventmgr.exe: Proficy-related
- prftpengine.exe: Proficy-related
- prgateway.exe: Proficy Secure Gateway
- prlicensemgr.exe: Proficy License Server Manager
- proficy administrator.exe: Proficy-related
- proficyclient.exe: Proficy-related
- proficypublisherservice.exe: Proficy-related
- proficyserver.exe: Proficy Server
- proficysts.exe: Proficy-related
- prprintserver.exe: Proficy-related
- prproficymgr.exe: Proficy Plant Applications
- prrds.exe: Proficy Remote Data Service
- prreader.exe: Proficy Historian Data Calculation Service
- prrouter.exe: Proficy-related
- prschedulemgr.exe: Proficy-related
- prstubber.exe: Proficy-related
- prsummarymgr.exe: Proficy-related
- prwriter.exe: Proficy Historian Data Calculation Service
- reportingservicesservice.exe: Microsoft SQL Server Reporting Service
- server_eventlog.exe: Proficy Event Log Service, ambiguous
- server_runtime.exe: Proficy-related, ambiguous
- spooler.exe: Ambiguous
- sqlservr.exe: Microsoft SQL Server
- taskhostw.exe: Windows OS
- vgauthservice.exe: VMWare Guest Authentication Service
- vmacthlp.exe: VMWare Activation Helper
- vmtoolsd.exe: VMWare Tools Service
- win32sysinfo.exe: RabbitMQ
- winvnc4.exe: WinVNC client
- workflowresttest.exe: Ambiguous

If these processes are terminated on the right system, the system would no longer present ICS plant staff with an accurate view of plant conditions, which would be fatal to ICS functionality. Service disruption would follow almost immediately. Once infection is complete, the compromised ICS would have its files encrypted. Users would be prompted with a note on their monitor saying that their files have been encrypted, and the ransom demand is usually in the millions of dollars.
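The kill list above is also a useful detection signal for defenders: in normal operation, several of these processes do not exit on the same host within seconds of each other. The following added example (not from the article or from any vendor tool) flags hosts where a burst of kill-list processes exit within a short window. It runs over constructed Windows Security log lines (Event ID 4689, process exit) in a simplified one-line format that is an assumption of the example, as is the subset of the kill list and the window/threshold values.

```python
"""Flag Ekans-style mass termination of ICS processes from process-exit events.
Added example for this article, not code from the article or from any tool."""
from collections import defaultdict
from datetime import datetime, timedelta

# Subset of the hard-coded Ekans kill list quoted in the article (assumed subset).
EKANS_KILL_LIST = {
    "proficyserver.exe", "prproficymgr.exe", "prgateway.exe", "hdb.exe",
    "config_api_service.exe", "sqlservr.exe", "vmtoolsd.exe",
    "healthservice.exe", "winvnc4.exe",
}

# Constructed sample log: "<ISO timestamp> <host> <event id> <image path>".
# 4689 = process exited, 4688 = process created (the latter is ignored here).
SAMPLE_LOG = """\
2020-02-03T10:15:01 HMI-01 4689 C:\\Windows\\System32\\notepad.exe
2020-02-03T10:15:02 HMI-01 4689 C:\\Program Files\\GE\\Proficy\\proficyserver.exe
2020-02-03T10:15:02 HMI-01 4689 C:\\Program Files\\GE\\Proficy\\prproficymgr.exe
2020-02-03T10:15:03 HMI-01 4689 C:\\Honeywell\\HMIWeb\\hdb.exe
2020-02-03T10:15:04 HMI-01 4689 C:\\Program Files\\VMware\\vmtoolsd.exe
2020-02-03T10:20:00 HIST-02 4689 C:\\Program Files\\MSSQL\\sqlservr.exe
2020-02-03T11:00:00 HIST-02 4688 C:\\Program Files\\MSSQL\\sqlservr.exe
"""

def parse_line(line):
    """Split one log line into (timestamp, host, event_id, lowercase image name)."""
    ts, host, event_id, image = line.split(" ", 3)
    name = image.rsplit("\\", 1)[-1].lower()   # keep only the executable name
    return datetime.fromisoformat(ts), host, int(event_id), name

def find_mass_terminations(log_text, window=timedelta(seconds=60), threshold=3):
    """Return {host: sorted kill-list names} for every host where at least
    `threshold` distinct kill-list processes exited within one `window`."""
    exits = defaultdict(list)
    for line in log_text.splitlines():
        ts, host, event_id, name = parse_line(line)
        if event_id == 4689 and name in EKANS_KILL_LIST:
            exits[host].append((ts, name))
    alerts = {}
    for host, events in exits.items():
        events.sort()                           # chronological sliding window
        for i, (start, _) in enumerate(events):
            names = {n for ts, n in events[i:] if ts - start <= window}
            if len(names) >= threshold:
                alerts[host] = sorted(names)
                break
    return alerts

if __name__ == "__main__":
    for host, names in find_mass_terminations(SAMPLE_LOG).items():
        print(f"ALERT {host}: {len(names)} kill-list processes exited: {names}")
```

A single kill-list exit (HIST-02 above) is normal maintenance noise and is not alerted; the burst on HMI-01 is.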

Prevention

The good thing is that Ekans is fairly easy to prevent. Below are some straightforward tips toward helping to ensure it will not happen to your organization’s ICS:

- The number one recommendation is to become educated on cybersecurity risk. Not downloading malicious or even just strange email attachments is cybersecurity risk training 101, and all plant staff should be aware of this.
- Use email content filtering and scanning.
- Ensure files are backed up and easily accessible for recovery. This may require implementing a backup and recovery plan if one is not already in place.
- Ensure that devices and services are patched and secured.

Conclusion

Ekans was just recently discovered and is the first ICS-specific malware to be designed by private cybercriminals. It works by attacking the “guts” of widely-used ICS implementations and if it infects the right system, it will slowly kill vital processes and encrypt files on the network. With this said, mainstream cyber risk training will prevent the vast majority of infections and keep our critical infrastructure safe from this threat.  

Sources

- EKANS Ransomware Raises Industrial-Control Worries, Dark Reading
- Snake/EKANS Ransomware Attacks Industrial Control Systems, Acronis
- Attackers Target Industrial Control Systems with EKANS Ransomware, CISO Mag
- Ransomware Targeting Industrial Control Systems Gets More Sophisticated, Barracuda