A new threat intelligence report has underscored the serious threat posed by the recently discovered Snake ransomware, which not only encrypts files, but can disrupt certain industrial controls systems processes.
ICS security firm Dragos issued the blog post report yesterday after initially sharing it privately with its clientele back in mid-January. Dragos refers to ransomware as Ekans (Snake backwards), and said its team first observed the threat on Jan. 6, although the MalwareHunterTeam had been previously credited with its discovery.
Although the Go-language program is rather primitive and limited in functionality, it nonetheless "represents a relatively new and deeply concerning evolution in ICS-targeting malware," said Dragos in its post. "Whereas previously ICS-specific or ICS-related malware was solely the playground of state-sponsored entities, Ekans appears to indicate non-state elements pursuing financial gain are now involved in this space as well..."
As it encrypts files, the ransomware appends a random five-character string to the extension, and then within each file it appends the file marker “EKANS” (hence the name Snake or Ekans). It also removes shadow copies and sends the victim a ransom note with an email address to contact. But in an unusual twist, it also kills certain named process related to ICS solutions and SCADA systems, among other processes, which means OT environments are also at risk.
Dragos names the various systems whose processes are targeted by Ekans, including GW's Proficy data historian, GE Fanuc licensing server services, Honeywell’s HMIWeb application, the FLEXNet and Sentinel HASP license managers, and ThingWorx Industrial Connectivity Suite. Other targets processes correspond to virtual machines, remote management tools and other solutions.
"...[W]hile ransomware has previously victimized ICS environments, prior events all feature IT-focused ransomware that spreads into control system environments by way of enterprise mechanisms. Otherwise, ICS-specific ransomware has mostly included either academic proof of concepts or marketing stunts representing the corpus of activity."
Dragos also says it has discovered a connection between Ekans and Megacortex ransomware, which first surfaced in January 2019 and emerged as a major threat. According to the report, a newer variant of Megacortex that debuted in mid-2019 (detailed by Accenture) demonstrates similar process kill activity and also references specific ICS processes.
While Ekans targets only 64 processes, the variant of Megacortex alludes to over 1,000 total items, many related to security solutions. This includes all the ones Ekans targets, which suggests Ekans is a variant based on prior Megacortex activity," Dragos concludes.
In its report, Dragos asserts that any industry speculation that Ekans is linked to Iranian hacker activity is incredibly tenuous based upon available evidence. The company also suggests a serious of mitigations to limit risk of an Ekans infection.