It appears ransomware attacks specifically designed to target industrial control systems (ICS) is being prepped now by cybercriminals in addition to nation states.
A report published this week by Dragos, a provider of cybersecurity software for ICS platforms, identifies Ekans malware, also known as Snake, as a class of malware being developed on a repository designed to target ICS platforms from General Electric and Honeywell.
Before proceeding to encrypt files, Ekans malware kills processes listed by name in a hard-coded list within the encoded strings of the malware. Some of the processes listed include security and management tools such as Qihoo 360 Safeguard, IBM Tivoli and Microsoft System Center. Once processes are killed, files are encrypted and renamed after encryption by appending a random five- character extension to the original file extension. EKANS then sends a ransom note to both the root of the system drive and the active user’s desktop.
EKANS apparently has no built-in propagation or spreading mechanism. The malware must instead be launched either interactively or via script. Dragos researcher note EKANS is following a trend observed in other ransomware families where self-propagation is avoided in favor of trying to achieve large-scale compromise of an enterprise network. Once achieved, ransomware can be seeded and scheduled throughout the network via script, Active Directory compromise, or some other mechanism to achieve simultaneous infection of multiple systems before cybersecurity teams can react, notes the report.
In a slight twist to other forms of malware targeting ICS platforms, user access to the encrypted system is maintained throughout the process. The ICS system does not reboot, shutdown, or close remote access channels.
Dragos researchers trace the lineage of Ekans back to MEGACORTEX, another malware variant that also has some ICS-specific characteristics. The Ekans malware illustrates how ambitious cybercriminals are becoming when it comes to ransomware. Initially, ransomware attacks were primarily designed to extort small amounts of money from end users. More recently, cybercriminals have been employing ransomware to target organizations. Now it appears they will soon be going after ICS platforms that are the foundation on which everything from electrical grids to millions of manufacturing process are built. The possibility ransomware targeting ICS platforms will be used to extort hundreds of thousands, if not millions, is now very real.
Of course, such an attack will engender a response. When cybercriminals attack individuals and organizations demanding thousands of dollars it’s a crime that will be investigated. When cybercriminals start demanding large sums of money to return control over ICS platforms it’s more likely to be viewed as an act of terrorism. The individuals launching that attack may not have any political agenda but given the scope of the threat the response is likely to be extreme. Any nation state found to be abetting those attacks is likely to find itself dealing with a major international diplomatic incident that could lead to military action.
Hopefully, cooler heads will prevail to restrain such attacks from being launched in the first place, or cybersecurity teams will discover a way to thwart these attacks. Whatever the outcome, the one thing that is clear is the organizations developing these attacks are making some assumptions about the tolerance of their potential victims that in this era is likely to backfire in the most profound way possible.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.