EKANS is a ransomware variant written in Go (Golang) that first appeared in mid-December 2019. It has been used against multiple sectors, including energy, healthcare, and automotive manufacturing, and in some cases caused significant operational disruption. EKANS carries a hard-coded kill-list of process names, including some associated with common ICS software platforms (such as GE Proficy and Honeywell HMIWeb), similar to the list defined in MegaCortex.
| Domain | ID | Name |
|---|---|---|
| Enterprise | T1486 | Data Encrypted for Impact |
| Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools |
| Enterprise | T1490 | Inhibit System Recovery |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location |
| Enterprise | T1027 | Obfuscated Files or Information |
| Enterprise | T1016 | System Network Configuration Discovery |
| Enterprise | T1047 | Windows Management Instrumentation |
| ICS | T0828 | Loss of Productivity and Revenue |
| ICS | T0840 | Network Connection Enumeration |
Before encrypting files, EKANS first terminates any running process whose name matches an entry on its kill-list, so that files held open by those processes (including ICS and HMI software) can be encrypted. EKANS also runs netsh commands to add Windows Firewall rules that block remote communication with the host.
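The two pre-encryption behaviours above (netsh firewall rules that cut the host off, followed by a rapid walk through a process kill-list) leave a recognisable footprint in process telemetry. The following is an added hunting example, not code from the EKANS analysis or from any vendor tooling. It runs over constructed Sysmon-style records (Event ID 1 process creation, Event ID 5 process termination); the field names follow Sysmon's exported XML, the watchlist of ICS process names is a placeholder the analyst fills in for their own environment (EKANS' real kill-list is not reproduced here), and the burst window and threshold are tunable assumptions.

```python
"""Hunt for EKANS-style staging in Windows process telemetry (added example).

Detects two behaviours: (1) netsh commands that install firewall rules blocking
remote traffic, and (2) a burst of process terminations consistent with a
hard-coded kill-list being walked just before file encryption.
"""
import re
from collections import deque
from datetime import datetime, timedelta

# netsh invocations that cut the host off from the network. The first form sets a
# whole profile to block; the second adds an explicit block rule.
NETSH_BLOCK_PATTERNS = [
    re.compile(r"netsh\s+advfirewall\s+set\s+\w+\s+firewallpolicy\s+\S*block\S*", re.I),
    re.compile(r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*\baction=block\b", re.I),
]

# Placeholder watchlist (assumption): process names the analyst treats as ICS/HMI
# related on this host. Used only to enrich an alert, not to trigger it.
WATCHLIST = {"hmi.exe", "historian.exe", "scada_server.exe"}


def parse_time(s):
    """Sysmon UtcTime, e.g. '2024-01-15 03:12:01.000'."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def detect_netsh_block(events):
    """Return process-creation events whose command line blocks remote traffic."""
    return [
        ev for ev in events
        if ev["EventID"] == 1
        and any(p.search(ev.get("CommandLine", "")) for p in NETSH_BLOCK_PATTERNS)
    ]


def detect_kill_burst(events, window_s=10, threshold=5):
    """Flag windows in which >= threshold distinct images terminate within window_s.

    A kill-list being walked terminates many unrelated processes within seconds;
    a normal shutdown is slower and staged. Returns a list of
    (window_start, window_end, sorted image names, sorted watchlist hits).
    """
    terms = sorted((e for e in events if e["EventID"] == 5),
                   key=lambda e: parse_time(e["UtcTime"]))
    window = deque()
    alerts = []
    for ev in terms:
        t = parse_time(ev["UtcTime"])
        window.append((t, ev["Image"].rsplit("\\", 1)[-1].lower()))
        while t - window[0][0] > timedelta(seconds=window_s):
            window.popleft()
        names = {n for _, n in window}
        if len(names) >= threshold:
            alerts.append((window[0][0], t, sorted(names), sorted(names & WATCHLIST)))
            window.clear()  # do not re-alert on the tail of the same burst
    return alerts


# Constructed sample telemetry (not real logs): one infected host, early morning.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2024-01-15 03:12:00.500", "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh interface show interface"},                      # benign discovery
    {"EventID": 1, "UtcTime": "2024-01-15 03:12:01.000", "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound"},
    {"EventID": 1, "UtcTime": "2024-01-15 03:12:01.200", "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": 'netsh advfirewall firewall add rule name="x" dir=out action=block remoteip=any'},
    {"EventID": 1, "UtcTime": "2024-01-15 03:12:01.400", "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": 'netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=TCP localport=3389'},
    {"EventID": 5, "UtcTime": "2024-01-15 03:12:02.100", "Image": r"C:\Program Files\HMI\hmi.exe"},
    {"EventID": 5, "UtcTime": "2024-01-15 03:12:02.300", "Image": r"C:\Program Files\Historian\historian.exe"},
    {"EventID": 5, "UtcTime": "2024-01-15 03:12:02.600", "Image": r"C:\Program Files\MSSQL\sqlservr.exe"},
    {"EventID": 5, "UtcTime": "2024-01-15 03:12:02.900", "Image": r"C:\Program Files\Office\excel.exe"},
    {"EventID": 5, "UtcTime": "2024-01-15 03:12:03.200", "Image": r"C:\Program Files\Office\outlook.exe"},
    {"EventID": 5, "UtcTime": "2024-01-15 03:12:03.500", "Image": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 5, "UtcTime": "2024-01-15 03:20:00.000", "Image": r"C:\Program Files\Chrome\chrome.exe"},
]


def hunt(events):
    """Run both detectors and summarise the result as a dict."""
    return {"netsh_block": detect_netsh_block(events), "kill_bursts": detect_kill_burst(events)}


if __name__ == "__main__":
    result = hunt(SAMPLE_EVENTS)
    for ev in result["netsh_block"]:
        print(f"[firewall] {ev['UtcTime']} {ev['CommandLine']}")
    for start, end, names, watched in result["kill_bursts"]:
        print(f"[kill-burst] {start} .. {end}: {len(names)} images, watchlist hits {watched}")
```

The firewall detector deliberately ignores `netsh interface show` and `action=allow` rules so that ordinary administration does not fire it; pair it with the burst detector, since either behaviour alone is noisier than both within the same minute.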