New Ransomware hitting Industrial Control Systems like a nuclear bomb


Researchers at security firms including SentinelOne and Dragos have been puzzling over a piece of code named EKANS (or Snake) for the last month. Dragos has publicly released its full report on the EKANS ransomware, which has recently hit Industrial Control Systems (ICS), some of the most high-value systems in existence because they bridge the gap between the digital and physical worlds.

In the history of hacking, only a handful of malicious programs have been observed attempting to intrude into Industrial Control Systems. EKANS is believed to be the first ransomware with real, if primitive, capability against ICS software and hardware, which is used in everything from oil refineries to power grids. Researchers say the ransomware is also capable of targeting ICS products from Honeywell and GE.

EKANS appears to have been developed in the Go (Golang) programming language. Like most other ransomware, it encrypts files on affected machines and displays a ransom message.

EKANS can also “feature additional functionality to forcibly stop a number of processes, including multiple processes related to ICS operations”; that is, it includes a mechanism designed to terminate 64 different software processes on victims’ systems, encrypt the underlying data, and hold it hostage. This could have dangerous repercussions, such as preventing staff from remotely monitoring or controlling the equipment’s operation.
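From a defender’s side, the behaviour described above (one program forcibly stopping many processes shortly before encryption) is something endpoint telemetry can surface. The following is an added example, not code from Dragos or from the article: it scans constructed Sysmon Event ID 10 (ProcessAccess) style records and flags any source image that requests terminate access on many distinct target processes within a short window. All paths, process names and timestamps are invented for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

PROCESS_TERMINATE = 0x0001  # access right a caller needs to call TerminateProcess

# Constructed Sysmon Event ID 10 (ProcessAccess) records, flattened to one line each.
# Every image path, process name and timestamp here is invented for this example.
ICS_LIKE_TARGETS = [f"svc{i:02d}.exe" for i in range(12)]  # stand-ins for vendor processes
SAMPLE_LOG = [
    r"2020-02-03T10:14:50 SourceImage=C:\Windows\System32\taskmgr.exe TargetImage=C:\Apps\editor.exe GrantedAccess=0x1001",
    r"2020-02-03T10:14:55 SourceImage=C:\Windows\System32\taskmgr.exe TargetImage=C:\Apps\viewer.exe GrantedAccess=0x1001",
    r"2020-02-03T10:16:00 SourceImage=C:\Windows\System32\svchost.exe TargetImage=C:\Apps\svc00.exe GrantedAccess=0x1400",
] + [
    f"2020-02-03T10:15:{i:02d} SourceImage=C:\\Users\\Public\\update.exe "
    f"TargetImage=C:\\Vendor\\{t} GrantedAccess=0x1"
    for i, t in enumerate(ICS_LIKE_TARGETS)
]

LINE_RE = re.compile(r"^(\S+) SourceImage=(\S+) TargetImage=(\S+) GrantedAccess=0x([0-9A-Fa-f]+)$")


def parse(line):
    """Parse one flattened record into (timestamp, source, target, access mask), or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, dst, access = m.groups()
    return datetime.fromisoformat(ts), src, dst, int(access, 16)


def detect_mass_termination(lines, window_seconds=60, min_targets=10):
    """Return {source_image: distinct_target_count} for every source that requested
    PROCESS_TERMINATE on at least `min_targets` distinct targets inside any
    `window_seconds` window. Lines that do not parse are skipped."""
    events = [e for e in map(parse, lines) if e and e[3] & PROCESS_TERMINATE]
    events.sort(key=lambda e: e[0])
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # source -> (ts, target) pairs still inside the window
    alerts = {}
    for ts, src, dst, _ in events:
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:  # drop events older than the window
            q.popleft()
        distinct = len({t for _, t in q})
        if distinct >= min_targets:
            alerts[src] = max(alerts.get(src, 0), distinct)
    return alerts


if __name__ == "__main__":
    print(detect_mass_termination(SAMPLE_LOG))
```

Task Manager legitimately opens a few processes with terminate rights, so the threshold on distinct targets per window, not the access right alone, is what separates a kill-list sweep from routine administration.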

According to Dragos,

“Another ransomware strain known as Megacortex that first appeared last spring included all of the same industrial control system process-killing features, and may, in fact, be a predecessor to EKANS developed by the same hackers.”

The Recent Outbreak Details

An Australian logistics company that operates a fleet of seven cargo ships has shut down some of its systems while it investigates and recovers from a cyber attack. The company says it “has returned to manual operations till its experts get the system back online”. Customers logging into the affected system to track their shipments are getting messages like “Something went wrong with the system” or “Sorry, the site is taking too long to respond”.

Customers have been growing frustrated with the manual backup process the company introduced as an alternative to the automated system infected by the ransomware. This incident should serve as a lesson to strengthen manual fallback procedures and to make robust corporate continuity plans part of resilience planning.

Legislation on Ransomware Attacks

As states look for legal frameworks to deter the rising tide of cyber attacks against state and local governments, the Maryland Cybersecurity Council is seeking to outlaw possession of the tools that make such attacks possible. The move follows Baltimore’s catastrophic cyber attack last year.

Senate Bill 30, introduced in January by Sen. Susan C. Lee, D-Montgomery, would make possession of such malware a criminal offense, punishable by up to 10 years in prison and a fine of $10,000. The bill makes an exception for researchers who use the malware to better understand how it works.
