EKANS

EKANS is a ransomware variant written in Golang that first appeared in mid-December 2019 and has been used against multiple sectors, including energy, healthcare, and automotive manufacturing, in some cases causing significant operational disruption. EKANS carries a hard-coded kill-list of processes, including some associated with common ICS software platforms (e.g., GE Proficy, Honeywell HMIWeb), similar to the list defined in MegaCortex.[1][2]

ID: S0605
Associated Software: SNAKEHOSE
Type: MALWARE
Platforms: Windows
Version: 2.0
Created: 12 February 2021
Last Modified: 08 March 2023

Associated Software Descriptions

Name Description
SNAKEHOSE [3]

Techniques Used

Domain ID Name Use
Enterprise T1486 Data Encrypted for Impact

EKANS uses standard encryption library functions to encrypt files.[1][2]

Enterprise T1562.001 Impair Defenses: Disable or Modify Tools

EKANS stops processes related to security and management software.[1][3]

Enterprise T1490 Inhibit System Recovery

EKANS deletes Volume Shadow Copies so that files cannot be restored from them.[1][2]

Enterprise T1036.005 Masquerading: Match Legitimate Name or Location

EKANS has been disguised as update.exe to appear as a valid executable.[1]

Enterprise T1027 Obfuscated Files or Information

EKANS uses encoded strings in its process kill list.[3]

Enterprise T1057 Process Discovery

EKANS looks for processes from a hard-coded list.[1][3][4]

Enterprise T1489 Service Stop

EKANS stops database, data backup solution, antivirus, and ICS-related processes.[1][3][2]

Enterprise T1016 System Network Configuration Discovery

EKANS can determine the domain of a compromised host.[4]

Enterprise T1047 Windows Management Instrumentation

EKANS can use Windows Management Instrumentation (WMI) calls to execute operations.[1]

ICS T0828 Loss of Productivity and Revenue

An EKANS infection resulted in a temporary production loss at a Honda manufacturing plant.[5]

ICS T0849 Masquerading

EKANS masquerades as a valid executable with the filename update.exe. Many legitimate programs use the process name update.exe to perform background software updates.[6]

ICS T0840 Network Connection Enumeration

EKANS performs a DNS lookup of an internal domain name associated with its target network to confirm that it has been deployed on the intended system.[7]

ICS T0881 Service Stop

Before encrypting files, EKANS first kills any running process whose name matches an entry on its kill-list.[8] EKANS also uses netsh commands to implement firewall rules that block any remote communication with the device.[7]
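The Enterprise and ICS entries above describe four host-observable behaviours that can be hunted together: shadow copy deletion (T1490), a firewall block rule set via netsh (T0881), the update.exe disguise (T1036.005), and a burst of process terminations as the kill-list is walked (T1489/T0881). The script below is an added example written for this page, not code from MITRE or from any published EKANS analysis. It runs over exported Sysmon-style events (Event ID 1 process create, Event ID 5 process terminate). The sample records, the process names in them, and the regexes are constructed or assumed: the page does not give the exact command lines EKANS issues, so the patterns cover the common vssadmin/wmic and netsh advfirewall forms and the user-writable-path heuristic for update.exe, and should be tuned to local telemetry.

```python
"""Hunt for EKANS-like behaviour in exported process events (added example)."""
import re
from collections import defaultdict

# Constructed sample records: (timestamp_seconds, host, sysmon_event_id, image, command_line).
# Host "hmi01" shows the chained behaviours; "eng02" shows a benign updater for contrast.
SAMPLE_EVENTS = [
    (100.0, "hmi01", 1, r"C:\Users\oper\AppData\Local\Temp\update.exe", "update.exe"),
    (101.0, "hmi01", 1, r"C:\Windows\System32\vssadmin.exe",
     "vssadmin.exe delete shadows /all /quiet"),
    (102.0, "hmi01", 1, r"C:\Windows\System32\netsh.exe",
     "netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound"),
    (103.0, "hmi01", 5, r"C:\ICS\HistorianSvc.exe", ""),   # names are placeholders
    (103.2, "hmi01", 5, r"C:\ICS\AlarmServer.exe", ""),
    (103.4, "hmi01", 5, r"C:\Backup\BackupAgent.exe", ""),
    (103.7, "hmi01", 5, r"C:\AV\avscan.exe", ""),
    (104.0, "hmi01", 5, r"C:\DB\sqlservr.exe", ""),
    (500.0, "eng02", 1, r"C:\Program Files\Vendor\update.exe", "update.exe /silent"),
    (600.0, "eng02", 5, r"C:\Windows\System32\notepad.exe", ""),
]

# Assumed command-line shapes; EKANS's exact invocations are not stated on the page.
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)
FIREWALL_BLOCK = re.compile(r"netsh(\.exe)?\s+advfirewall\b.*\bblock", re.I)
# Heuristic: update.exe launched from a user-writable location rather than an install directory.
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp|Windows\\Temp)\\", re.I)


def find_indicators(events, kill_burst=5, window=30.0):
    """Return {host: [indicator strings]} for hosts showing any EKANS-like behaviour.

    kill_burst: number of distinct images terminated within `window` seconds that is
    treated as a kill-list walk (tune to the normal termination rate of the host).
    """
    hits = defaultdict(list)
    terminations = defaultdict(list)  # host -> [(ts, image_name)]
    for ts, host, event_id, image, cmd in events:
        name = image.rsplit("\\", 1)[-1].lower()
        if event_id == 1:
            if SHADOW_DELETE.search(cmd):
                hits[host].append(f"T1490 shadow copy deletion: {cmd}")
            if FIREWALL_BLOCK.search(cmd):
                hits[host].append(f"T0881 firewall block rule: {cmd}")
            if name == "update.exe" and USER_WRITABLE.search(image):
                hits[host].append(f"T1036.005 update.exe from user-writable path: {image}")
        elif event_id == 5:
            terminations[host].append((ts, name))

    # A burst of distinct process terminations is the observable side of the kill-list.
    for host, terms in terminations.items():
        terms.sort()
        for i, (ts, _) in enumerate(terms):
            in_window = {n for t, n in terms[i:] if t - ts <= window}
            if len(in_window) >= kill_burst:
                hits[host].append(
                    f"T1489 {len(in_window)} distinct processes terminated within {window:.0f}s")
                break
    return dict(hits)


def score(hits):
    """Count distinct technique IDs per host; two or more independent behaviours on
    one host is the escalation threshold used here (an assumed policy)."""
    return {host: len({ind.split()[0] for ind in inds}) for host, inds in hits.items()}


if __name__ == "__main__":
    found = find_indicators(SAMPLE_EVENTS)
    for host, inds in found.items():
        print(host, score(found)[host], "techniques")
        for ind in inds:
            print("  ", ind)
```

Scoring on distinct technique IDs rather than raw indicator count keeps a single noisy rule (for example a legitimate firewall policy push) from escalating on its own; only the combination that the page attributes to EKANS, restoration inhibited, remote access cut, and a run of service terminations, reaches the threshold.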

References