Mysterious New Ransomware Targets Industrial Control Systems

EKANS appears to be the work of cybercriminals, rather than nation-state hackers—a worrying development, if so.
An oil plant at dusk
Photograph: Getty Images

Only a few times in the history of hacking has a piece of malicious code been spotted attempting to meddle directly with industrial control systems, the computers that bridge the gap between digital and physical systems. Those rare specimens of malware have destroyed nuclear enrichment centrifuges in Iran and caused a blackout in Ukraine. Now, a malware sample has surfaced that uses specific knowledge of control systems to target them with a far blunter, and more familiar, tactic: Kill the target's software processes, encrypt the underlying data, and hold it hostage.

Over the last month, researchers at security firms including Sentinel One and Dragos have puzzled over a piece of code called Snake or EKANS, which they now believe is specifically designed to target industrial control systems, the software and hardware used in everything from oil refineries to power grids to manufacturing facilities. Much like other ransomware, EKANS encrypts data and displays a note to victims demanding payment to release it; the name comes from a string it plants as a file marker on a victim computer to identify that its files have already been encrypted.

But EKANS also uses another trick to ratchet up the pain: It's designed to terminate 64 different software processes on victim computers, including many that are specific to industrial control systems. That allows it to then encrypt the data that those control system programs interact with. While crude compared to other malware purpose-built for industrial sabotage, that targeting can nonetheless break the software used to monitor infrastructure, like an oil firm's pipelines or a factory's robots. That could have potentially dangerous consequences, like preventing staff from remotely monitoring or controlling the equipment's operation.

EKANS is actually the second ransomware to hit industrial control systems. According to Dragos, another ransomware strain known as Megacortex that first appeared last spring included all of the same industrial control system process-killing features, and may in fact be a predecessor to EKANS developed by the same hackers. But because Megacortex also terminated hundreds of other processes, its industrial-control-system targeted features went largely overlooked.

It's not yet clear if responsibility for the industrial-targeted ransomware lies with state-sponsored hackers—seeking to create disruption and cover their tracks with a ransomware ruse—or actual cybercriminals seeking to make a profit. But Vitali Kremez, a researcher at Sentinel One who first publicized the discovery of EKANS earlier this month along with a group of researchers known as Malware Hunter Team, argues that industrial control systems make natural targets for ransomware attackers. Like hospitals and governments, they have a disproportionate amount to lose if they go offline.

"These industrial control system machines are some of the most high-value targets," says Kremez. "There's lots of urgency, and data availability is at the core of the mission. So there's a lot of incentive to pay the attackers."

Industrial firms have certainly been hit with run-of-the-mill Windows-focused ransomware in the past, such as the disastrous cyberattack on Norwegian aluminum firm Hydro Norsk last year. But EKANS and Megacortex go a step further, into the technical guts of industrial control systems. Among the dozens of processes it terminates are those used by GE's Proficy software—a "data historian" program that keeps records of operational information in industrial settings—as well as the mechanism that checks for a customer's paid license for GE's Fanuc automation software, the monitoring and management software Thingworx, and a control interface program sold by Honeywell.

"By virtue of taking out this functionality, you won't necessarily cause the plant to come to a screeching halt, but you’ll decrease the victim’s visibility and understanding of their environment," says Joe Slowik, a researcher who analyzed the EKANS and Megacortex malware for ICS security firm Dragos. But Slowik also notes that it's not easy to predict how GE's Fanuc software handles a disruption of its licensing checks, which depend on the industry and specific customer setup. If the automation software is configured such that it can't function without a license, that could lead to more serious consequences. "If killing the licensing server results in operators no longer being able to operate certain machines, that could produce a loss-of-control situation that could become dangerous," Slowik says.

Sentinel One says the list of EKANS victims likely includes Bapco, Bahrain's national oil company. The security firm received a copy of the EKANS malware from a customer in the Middle East, who had obtained it from another organization's infected network in Bahrain, Sentinel One's Kremez says. And at least one version of the ransom message displayed by the malware asks victims to email the extortionists at the address bapcocrypt@ctemplar.com. (Bapco didn't respond to WIRED's request for comment.) But Dragos' Slowik points out that Fanuc automation software targeted by EKANS is typically used to manage equipment in manufacturing facilities, not oil firms. "This implies there are other victims out there," Slowik says.

Based in part on the likely targeting of Bapco, Israeli security firm Otorio last week claimed that EKANS was in fact the work of Iranian state-sponsored hackers. Bapco was, after all, reportedly hit with a piece of Iranian wiper malware known as Dustman in late December, just days before the US assassination of Iranian general Qassem Soleimani raised tensions with Iran to the breaking point.

But Monday's report from Dragos contradicts that analysis, pointing out that there's no evidence connecting the Dustman and EKANS attacks. Slowik points out EKANS' shared traits with Megacortex as evidence that its motivation is criminal rather than political. Megacortex spread far more widely than EKANS, and has been broadly considered to be criminal ransomware. Since the two malware samples appear to have a shared creator, that suggests the have the same intent.

If EKANS isn't the work of state-sponsored hackers—Iranian or otherwise—that would make it even more significant by some measures. Along with Megacortex, it would represent the first-ever industrial control system malware deployed by non-state cybercriminals. After all, ICS malware has in the past been limited to highly sophisticated intelligence agencies, like the NSA and Israeli intelligence hackers who created Stuxnet to sabotage Iran's nuclear enrichment program starting in 2007, or Russia's Sandworm hackers who used an automated tool called Industroyer or Crash Override to turn off electricity to Kiev in 2016.

EKANS could signal that industrial hacking tactics are proliferating to common criminals. "It implies an increasing willingness and ability of non-state actors to significantly impact or impair critical infrastructure entities," says Slowik. As disturbing as the idea of Iranian hackers waging cyberwar on its neighbors' physical infrastructure may be, the prospect of criminal hackers making a business of breaking those systems for profit may be even worse.


More Great WIRED Stories