Critical Industrial Control Systems on Target Again - Its Snake Ransomware This Time

Since the past few years, many threat actors have been focusing on developing specialized attack vectors to target specific industries rather than general-purpose malware. EKANS ransomware has been one such malware, that is being developed for targeting Industrial Control Systems (ICS) since January.

EKANS ransomware - a lucrative tool for threat actors

Recently, a FortiGuard Labs report analyzed Industrial Control Systems/Operational Technology as the latest industry targeted with Ekans (aka Snake) ransomware. The report also revealed the new techniques used to attack critical ICS systems.
  • The GO programming language was used to write the two latest variants of this malware identified in May and June, which makes the malware analysis more difficult for the researchers.
  • These variants perform high-level activities in sequence like target environment confirmation, host firewall isolation, public RSA Key decode, shadow copy deletion, file encryption, and then turning off the host firewall (the newest addition to the malware family’s functionality).

Recent ICS attack campaigns

Attackers have been frequently targeting ICS in the past several months.
  • In March, Kwampirs (aka Orangeworm) threat group infected software supply chain vendors including products used to manage ICS assets and gained access to a large number of global hospitals.
  • In February, EKANS malware targeted ICS and encrypted its data, displaying a ransom note demanding payment. The malware terminated 64 different software processes, allowing it to encrypt all files.

Tactics, techniques, and procedures (TTPs)

The ICS-targeting adversaries have shifted their TTPs over years.
  • Threat actors targeting the industrial system usually exhibit some typical TTPs, like exploiting remote services, moving laterally across networks, disabling or modifying cybersecurity tools, and use of credential dumps.
  • Instead of relying on the ICS-focused custom-built tools, attackers are using living off the land techniques for most of their actions and deploying the malware only at the final stages.