New samples of the Ekans ransomware have revealed how today's cyber attackers are using a variety of methods to compromise key industrial companies. Researchers from our friends at FortiGuard Labs have uncovered two samples of the Ekans ransomware strain that offer some additional insight into how the crypto-locking malware targets industrial control systems.
Ekans, which is also referred to as Snake, was first identified in February 2020 and early reports indicated that it had been designed to target industrial control systems used in large-scale manufacturing facilities. Ekans is Snake spelled backwards. Snake/Ekans ransomware is not targeting specific computers on a company’s network. The criminals behind it are targeting all computers on a network. They are using a technique called enterprise targeting. This targeting method is used to make way into a network, harvest administrator credentials, and then encrypt the files on every computer within the network. This is detrimental for any businesses no matter the size. Wannacry ransomware is another malware that uses enterprise targeting.
Ekans/Snake written in Golang, is a programming language (also called Go) that was launched in 2009 as an open source programming language. Go is a statically typed, compiled programming language designed by Google. Go is similar programming language like C, but with memory safety, garbage collection, structural typing, and CSP-style concurrency. The language is often referred to as "Golang" because of its domain name, golang.org, but the proper name is Go. Go is gaining in popularity with malware developers because they can use it to easily compile malicious code that works across multiple operating.
Researchers have uncovered two variants of Ekans that offer some additional insights into how the ransomware strain was developed and how it targets industrial control systems. The first sample was spotted in May 2020, and the second appeared in June 2020. In both cases, it appears that the ransomware was designed to take advantage of Windows-based systems. Both of these variants perform like all typical ransomware tools, such as encrypting files and leaving a ransom note telling the victim to contact them at a specified email address, to receive instructions on how to pay a ransom and decrypt their files. Cyber threat investigators have indicated Ekans also perform actions that are not so typical.
Ekans activities include confirming targets based on a domain analysis of targeted organizations, as well as isolating the infected networks once the attack starts. The May 2020 version of the Ekans ransomware displayed a number of coding errors, while the June 2020 sample showed significant improvement as well as additional capabilities such as the ability to turn off a firewall before encrypting, probably to detect [anti-virus] and other defense solutions by blocking any communication from the agent.
Ekans ransomware begins an attack by attempting to confirm its target. This is achieved by resolving the domain of the targeted organization and comparing this resolved domain to a specific list of IP addresses that have been preprogrammed. If the domain does not match the IP list, the ransomware aborts the attack.
If the ransomware does find a match between the targeted domain and the list of approved IP addresses, Ekans then infects the domain controller on the network and runs commands to isolate the infected system by disabling the firewall. The malware then identifies and kills running processes and deletes the shadow copies of files, which makes recovering them more difficult - if not impossible.
In the file stage of the attack, the malware uses RSA-based encryption to lock the target organization's data and files. It also displays a ransom note demanding an undisclosed amount in exchange for decrypting the files. If the victim fails to respond within first 48 hours, the attackers threaten to publish their data.
Operators of the malware have used several techniques to start an attack. The main delivery method is through spear-phishing emails, but the attackers have also taken advantage of unsecure or vulnerable Remote Desktop Protocol sessions to gain footholds within a network. After that, the malware can move laterally through the network before finding its final target.
While some research analysis shows Ekans or Snake was designed to target industrial control systems. Security firm Emsisoft, believes that Ekans targets as many systems as possible and not just ICS. In addition to the usual set of processes, Snake and some versions of Megacortex also attempt to end processes associated with ICS to free-up even more files for encryption. MegaCortex has joined an ever-growing list of ransomware strains that cyber-criminals are using only in targeted attacks, rather than with spam or other mass deployment techniques. The list includes some recognizable names, such as Ryuk, Bitpaymer, Dharma, SamSam, LockerGoga, and Matrix.
Security researchers suspect that Ekans has been used against several large-scale organizations. In June 2020, Malwarebytes and others suspected that the Ekans ransomware was used against Japanese auto giant Honda. This attack affected production operations at several of its global facilities, including plants in the US, Japan, Turkey and Italy. In May 2020, some researchers suspected Ekans/Snake targeted the networks of Fesnius, Europe's largest private hospital operator and a major provider of dialysis products and services.
Red Sky Alliance has been has analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports.
The installation, updating and monitoring of firewalls, cyber security and proper employee training are keys to blocking attacks. Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis on your organization.
What can you do to better protect your organization today?
- All data in transmission and at rest should be encrypted.
- Proper data back-up and off-site storage policies should be adopted and followed.
- Implement 2-Factor authentication company wide.
- Join and become active in your local Infragard chapter, there is no charge for membership. infragard.org
- Update disaster recovery plans and emergency procedures with cyber threat recovery procedures. And test them.
- Institute cyber threat and phishing training for all employees, with testing and updating.
- Recommend/require cyber security software, services and devices to be used by all at home working employees and consultants.
- Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.
- Ensure that all software updates and patches are installed immediately.
- Enroll your company/organization in RedXray for daily cyber threat notifications are directed at your domains. RedXray service is $500 a month and provides threat intelligence on nine (9) cyber threat categories including Keyloggers, with having to connect to your network. Ransomware protection is included at no charge for RedXray customers.
- Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.
Red Sky Alliance strongly recommends ongoing monitoring from both internal and external perspectives. Internal monitoring is common practice. However, external threats are often overlooked and can represent an early warning of impending attacks. Red Sky Alliance can provide both internal monitoring in tandem with RedXray notifications on external threats to include, botnet activity, public data breaches, phishing, fraud, and general targeting.
Red Sky Alliance is in New Boston, NH USA. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or firstname.lastname@example.org
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
 Ekans is Snake spelled backwards and is a Pokemon character