EKANS is ransomware variant that first appeared in mid-December 2019. EKANS is distinct from other ransomware as it was written in Golang and aims to stop services and processes related to Industrial Control Systems.[1][2]

ID: S0605
Associated Software: SNAKEHOSE
Platforms: Windows
Version: 1.0
Created: 12 February 2021
Last Modified: 13 October 2021

Associated Software Descriptions

Name Description


Techniques Used

Domain ID Name Use
Enterprise T1486 Data Encrypted for Impact

EKANS uses standard encryption library functions to encrypt files.[1][2]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

EKANS stops processes related to security and management software.[1][3]

Enterprise T1490 Inhibit System Recovery

EKANS removes backups of Volume Shadow Copies to disable any restoration capabilities.[1][2]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

EKANS has been disguised as update.exe to appear as a valid executable.[1]

Enterprise T1027 Obfuscated Files or Information

EKANS uses encoded strings in its process kill list.[3]

Enterprise T1057 Process Discovery

EKANS looks for processes from a hard-coded list.[1][3][4]

Enterprise T1489 Service Stop

EKANS stops database, data backup solution, antivirus, and ICS-related processes.[1][3][2]

Enterprise T1016 System Network Configuration Discovery

EKANS can determine the domain of a compromised host.[4]

Enterprise T1047 Windows Management Instrumentation

EKANS can use Windows Mangement Instrumentation (WMI) calls to execute operations.[1]