Input
J. Fergus

New ransomware targets industrial infrastructure

Break out your mesh tee; hacker criminals are back and they don’t seem to have a political agenda. EKANS (sometimes referred to as Snake) is ransomware first discovered in January that continues to perplex and concern cybersecurity analysts. Security firm Dragos released a full report on Monday detailing the machinations of EKANS, and SentinelLabs (by Sentinel One) is also monitoring the malware, according to Wired.

How does it work? —

In some ways, EKANS is run-of-the-mill ransomware. It encrypts sensitive data, usually in IT systems, and supplies the owner of that data with financial demands. In other ways, you could consider this malware an overachiever. EKANS terminates 64 software processes in the traditionally more secure industrial control systems (ICS) before encrypting the valuable data. This renders those systems incapable of monitoring infrastructure, like robots on a factory floor.

"By virtue of taking out this functionality, you won't necessarily cause the plant to come to a screeching halt, but you’ll decrease the victim’s visibility and understanding of their environment," Joe Slowik, a researcher for ICS security firm Dragos who analyzed EKANS and Megacortex, told Wired. Megacortex, a similar ransomware strain, is a little less crude and is generally used in much broader contexts, rather than focusing on industrial targets.

Victims and perps —

Sentinel One and Otorio believe EKANS targeted Bapco, Bahrain’s national oil company, the latter assuming the attack will affect the price of oil. Otorio thinks Iran is behind this new malware, but Dragos’s report found no evidence connecting it to Dustman, an Iranian wiper malware used on Bapco days before the assassination of Iranian general Qassem Soleimani.

So far, it appears that this ICS malware, previously the domain of agencies like the NSA, is now in the hands of apolitical cybercriminals. Now, we don’t just have to worry about increasingly tyrannical governments holding infrastructure hostage; we can also fear some random person looking for a payday and chaos.
