1. Home
  2. Software
  3. EKANS

EKANS

EKANS is ransomware variant written in Golang that first appeared in mid-December 2019 and has been used against multiple sectors, including energy, healthcare, and automotive manufacturing, which in some cases resulted in significant operational disruptions. EKANS has used a hard-coded kill-list of processes, including some associated with common ICS software platforms (e.g., GE Proficy, Honeywell HMIWeb, etc), similar to those defined in MegaCortex.[1][2]

ID: S0605
Associated Software: SNAKEHOSE
Type: MALWARE
Platforms: Windows
Version: 2.0
Created: 12 February 2021
Last Modified: 08 March 2023
Version Permalink

Associated Software Descriptions

Name Description
SNAKEHOSE

[3]
Enterprise Layer
download view
ICS Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1486 Data Encrypted for Impact

EKANS uses standard encryption library functions to encrypt files.[1][2]
Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

EKANS stops processes related to security and management software.[1][3]
Enterprise T1490 Inhibit System Recovery

EKANS removes backups of Volume Shadow Copies to disable any restoration capabilities.[1][2]
Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

EKANS has been disguised as update.exe to appear as a valid executable.[1]
Enterprise T1027 Obfuscated Files or Information

EKANS uses encoded strings in its process kill list.[3]

Enterprise T1057 Process Discovery

EKANS looks for processes from a hard-coded list.[1][3][4]
Enterprise T1489 Service Stop

EKANS stops database, data backup solution, antivirus, and ICS-related processes.[1][3][2]
Enterprise T1016 System Network Configuration Discovery

EKANS can determine the domain of a compromised host.[4]
Enterprise T1047 Windows Management Instrumentation

EKANS can use Windows Mangement Instrumentation (WMI) calls to execute operations.[1]
ICS T0828 Loss of Productivity and Revenue

EKANS infection resulted in a temporary production loss within a Honda manufacturing plant. [5]
ICS T0849 Masquerading

EKANS masquerades itself as a valid executable with the filename update.exe. Many valid programs use the process name update.exe to perform background software updates. [6]
ICS T0840 Network Connection Enumeration

EKANS performs a DNS lookup of an internal domain name associated with its target network to identify if it was deployed on the intended system. [7]
ICS T0881 Service Stop

Before encrypting the process, EKANS first kills the process if its name matches one of the processes defined on the kill-list. [8] [8] EKANS also utilizes netsh commands to implement firewall rules that blocks any remote communication with the device. [7]

References

  1. Dragos. (2020, February 3). EKANS Ransomware and ICS Operations. Retrieved February 9, 2021.
  2. Hinchliffe, A. Santos, D. (2020, June 26). Threat Assessment: EKANS Ransomware. Retrieved February 9, 2021.
  3. Zafra, D., et al. (2020, February 24). Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT. Retrieved March 2, 2021.
  4. Singleton, C. and Kiefer, C. (2020, September 28). Ransomware 2020: Attack Trends Affecting Organizations Worldwide. Retrieved September 20, 2021.
  1. Davey Winder 2020, June 10 Honda Hacked: Japanese Car Giant Confirms Cyber Attack On Global Operations Retrieved. 2021/04/12
  2. Dragos Threat Intelligence 2020, February 03 EKANS Ransomware and ICS Operations Retrieved. 2021/04/12
  3. Ben Hunter and Fred Gutierrez 2020, July 01 EKANS Ransomware Targeting OT ICS Systems Retrieved. 2021/04/12
  4. Daniel Kapellmann Zafra, Keith Lunden, Nathan Brubaker, Jeremy Kennelly 2020, July 15 Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT Retrieved. 2021/04/12