Targeted Attacks on Industrial Control Systems

By Edgar Namoca on October 15, 2020

(By: Edgar Namoca on September 3, 2020)

Introduction

On June 8, 2020, Honda of Japan was a victim of the Snake ransomware, also known as EKANS [2]. EKANS is Windows ransomware that adversaries use to target Industrial Control Systems (ICS). It got this name because the malware appends the word EKANS to the end of every file that it encrypts [1]. EKANS was originally called the Snake malware because EKANS is "snake" spelled backwards. EKANS also happens to be the name of a Pokémon. This ransomware will not only encrypt important files on a computer but will also shut down and kill specifically listed processes on the system. This malware is similar to MegaCortex, a ransomware found in August 2019 and researched by Accenture iDefense, whose analysis showed that the adversaries had in-depth knowledge of operations management software [4]. No specific nation state or hacker group has claimed, or been associated with, either of the malware families mentioned.

Effect

Other malware families attempt to shut down firewalls, antivirus, and other processes that may hinder their ability to run. However, EKANS specifically targets Industrial Control Systems (ICS). Much critical infrastructure requires ICS to operate. Hospitals, energy distribution plants, and critical manufacturing are critical infrastructure sectors that have been affected by EKANS [2]. Applications affected by EKANS are General Electric's Proficy data historian and automation software, FLEXNet licensing server instances, and Honeywell's HMIWeb application [2]. Other companies affected by EKANS were the multinational energy company Enel [2] and Fresenius, Europe's largest private hospital [3]. All the companies affected by EKANS reportedly lost the ability to operate for 24 hours. According to public statements from Honda of Japan, no personally identifiable information was leaked during the attack.

Function

EKANS is malware that is modified and adjusted for each target. Each EKANS sample that has been analyzed has had domain names coded into the malware. After EKANS finds its way onto a computer and begins to run, it checks whether EKANS is already running on that computer. If it is, the program stops; if it is not, the malware continues through its processes [3]. EKANS then attempts to resolve the specific addresses written in its code. In Honda's case the domain that it resolved was mds.honda.com. This domain is only accessible through the company intranet. If EKANS can resolve the address, it begins to kill processes related to antivirus, firewalls, and any security measures that could stop it from operating [3]. The ransomware then deletes any shadow copies or snapshots on the computer. It then begins encrypting files with the AES-256 and RSA-2048 algorithms [3]. After it has finished encrypting the victim's files it begins killing the processes on its list. Many processes are listed; however, typos caused many of the attempts to fail, and in Honda's situation only 11 processes were successfully stopped [3]. After this, the malware places a file on the desktop of the computer named Fix-Your-Files.txt. This file contains the ransom note asking for money in exchange for a decryption tool [1].
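As an added defender-side example (not from the original post or any of its sources), the following Python correlates the behaviour chain described above over constructed, Sysmon-like host events: resolution of an internal domain, shadow copy deletion, a burst of process terminations by one image, and creation of Fix-Your-Files.txt. The event field names, the intranet domain suffix, the vssadmin command line and the process names are assumptions.

```python
import json
import re
from collections import defaultdict

# Assumptions: normalised JSON events with these fields; the victim's intranet
# suffix; vssadmin as the shadow-copy deletion method seen in telemetry.
INTERNAL_SUFFIX = ".example-intranet.local"
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)
RANSOM_NOTE = "fix-your-files.txt"  # desktop file named in the post

# Constructed sample telemetry: ws01 shows the full chain, ws02 only a DNS lookup.
SAMPLE_EVENTS = [
    r'{"host":"ws01","type":"dns","image":"C:\\Users\\op\\update.exe","query":"mds.example-intranet.local"}',
    r'{"host":"ws01","type":"process","image":"C:\\Windows\\System32\\vssadmin.exe","cmdline":"vssadmin delete shadows /all /quiet"}',
    r'{"host":"ws01","type":"proc_term","image":"C:\\Users\\op\\update.exe","target":"historian_svc.exe"}',
    r'{"host":"ws01","type":"proc_term","image":"C:\\Users\\op\\update.exe","target":"hmi_web_svc.exe"}',
    r'{"host":"ws01","type":"file","image":"C:\\Users\\op\\update.exe","path":"C:\\Users\\op\\Desktop\\Fix-Your-Files.txt"}',
    r'{"host":"ws02","type":"dns","image":"C:\\Program Files\\Browser\\browser.exe","query":"mds.example-intranet.local"}',
]

def classify(ev):
    """Map one event to the EKANS stage it matches, or None."""
    t = ev.get("type")
    if t == "dns" and ev.get("query", "").lower().endswith(INTERNAL_SUFFIX):
        return "resolve_internal_domain"
    if t == "process" and SHADOW_DELETE.search(ev.get("cmdline", "")):
        return "delete_shadow_copies"
    if t == "proc_term":
        return "kill_process"
    if t == "file" and ev.get("path", "").lower().rsplit("\\", 1)[-1] == RANSOM_NOTE:
        return "drop_ransom_note"
    return None

def correlate(lines, kill_threshold=2):
    """Return {host: set(stages)}. Single terminations are noise; the stage is
    recorded only once one image on a host has killed kill_threshold processes."""
    kills = defaultdict(int)
    stages = defaultdict(set)
    for line in lines:
        ev = json.loads(line)
        host, stage = ev["host"], classify(ev)
        if stage == "kill_process":
            kills[(host, ev["image"].lower())] += 1
            if kills[(host, ev["image"].lower())] >= kill_threshold:
                stages[host].add("mass_process_kill")
        elif stage:
            stages[host].add(stage)
    return stages

def alerts(lines, min_stages=3):
    """Hosts where at least min_stages distinct stages of the chain were seen."""
    return sorted(h for h, s in correlate(lines).items() if len(s) >= min_stages)
```

Requiring several stages together keeps a lone internal DNS lookup (ws02) from alerting while the full chain on ws01 does.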

Importance

EKANS is important to ICS because it is malware that cannot yet be tied to a nation state or a well-known hacker group. There has been a rise in attacks on ICS in 2020, and EKANS shows that this rise also comes from smaller or lesser-known adversary groups. EKANS targets critical infrastructure that depends on ICS and operational technology to run operations autonomously and keep people alive. This also shows that adversaries are starting to attack businesses that are more likely to pay a ransom to avoid a catastrophic failure that could harm people or cause the business to lose millions of dollars. The adversaries behind EKANS do not aim to harm or kill people; however, their attacks on critical infrastructure create the opportunity for that to happen. With the current pandemic and stay-at-home orders being put in place, companies may enable services for employees to work remotely. This only increases the attack surface available to adversaries. Things like operational technology may suddenly be connected to the internet or to insecure networks without proper security in place, due to the high need for availability in ICS.

Mitigation

Implement and ensure robust network segmentation between IT and OT networks to limit the ability of adversaries to pivot to OT networks if an IT network is compromised.
Disable unneeded services.
Update and patch systems regularly.
Create a DMZ that eliminates unregulated communications between IT and OT networks.
Require multi-factor authentication for remote access to networks.
Implement redundant data backups.
Enable strong spam filters to prevent phishing emails.
Create and enforce user training.
Filter network traffic to prevent users from accessing malicious websites with URL whitelisting and blacklisting.

References

[1] https://www.zdnet.com/article/europes-largest-private-hospital-chain-struck-by-ransomware-attack/

[2] https://www.bleepingcomputer.com/news/security/snake-ransomware-is-the-next-threat-targeting-business-networks/

[3] https://www.forescout.com/company/blog/ekans-windows-ransomware-gets

[4] https://www.zdnet.com/article/europes-largest-private-hospital