Ekans ransomware targets industrial control systems

Cybercriminals have launched ransomware attacks specifically targeting Industrial Control Systems (ICS). According to researchers, this is the first case of malware that encrypts data in those environments.

A new report by security company Dragos shows that Ekans, also known as Snake, came to the fore in December 2019. The malware is designed to attack Windows systems used in industrial environments.

The researchers state that Ekans contains a list of commands and processes relating to a number of functions specific to industrial control systems. These commands and processes are aimed at disabling those functions.

Evolution in malware

Although the functionality is described as limited, the researchers' analysis shows that it is “a deeply concerning evolution in ICS-targeting malware”. This is because it indicates that cybercriminals are now directly targeting ICS, purely for financial gain. A number of malware attacks by state actors were previously known, but the problem is now also spreading to ‘ordinary’ e-crime actors.

Encrypted files get a new name, with a random file extension of five characters, and victims get a ransom letter with an e-mail address. They then have to contact the address to negotiate the ransom, which has to be paid in cryptocurrency.

According to ZDNet, the way in which Ekans is specifically designed to target ICS indicates that the attackers have a specific target in mind. They will, therefore, probably take ample time to penetrate targets that are relevant to their plans.

“The ICS-specific nature of the targeted processes indicates an evolving brazenness,” Joe Slowik of Dragos said to ZDNet. “While not deliberately destructive, lack of context and victim environment issues could mean Ekans or similar malware terminating industrial-related processes could cause an inadvertent physical effect. The willingness to accept this possibility is deeply concerning.”