
New ransomware doesn’t just encrypt data. It also meddles with critical infrastructure


Karlston



Ekans represents a "new and deeply concerning" evolution in malware targeting control systems.


Over the past five years, ransomware has emerged as a vexing menace that has shut down factories, hospitals, and local municipalities and school districts around the world. In recent months, researchers have caught ransomware doing something that's potentially more sinister: intentionally tampering with industrial control systems that dams, electric grids, and gas refineries rely on to keep equipment running safely.


A ransomware strain discovered last month and dubbed Ekans contains the usual routines for disabling data backups and mass-encrypting files on infected systems. But researchers at security firm Dragos found something else that has the potential to be more disruptive: code that actively seeks out and forcibly stops applications used in industrial control systems. Before starting file-encryption operations, the ransomware kills processes listed by process name in a hard-coded list within the encoded strings of the malware.


In all, Ekans kills 64 processes, including those spawned by human-machine interfaces from Honeywell, the Proficy Historian from General Electric, and licensing servers from GE Fanuc. The same 64 processes, it turns out, are targeted in a version of the MegaCortex ransomware. That version first came to light in August.

ICS-specific functionality

By ceasing operations at hospitals, factories, and other mission-critical environments, ransomware has always represented a threat to safety. But the resulting damage remained largely contained to IT systems inside targeted networks. Unless the ransomware made an unexpected jump to ICS networks—which are usually segregated and better fortified—the likelihood of disrupting sensitive industrial systems seemed remote. In a post published on Monday, Dragos researchers wrote:

Ekans (and apparently some versions of MegaCortex) shift this narrative as ICS-specific functionality is directly referenced within the malware. While some of these processes may reside in typical enterprise IT networks, such as Proficy servers or Microsoft SQL servers, inclusion of HMI software, historian clients, and additional items indicates some minimal, albeit crude, awareness of control system environment processes and functionality.

Monday's report described Ekans's ICS targeting as minimal and crude because the malware simply kills various processes created by widely used ICS programs. That's a key differentiator from ICS-targeting malware discovered over the past few years with the ability to do much more serious damage. One example is Industroyer, the sophisticated malware that caused a power outage in Ukraine in December 2016 in a deliberate and well-executed attempt to leave households without electricity in one of the country's coldest months.


Another example is Trisis (aka Triton), which deliberately tampered with systems that were designed to prevent health- and life-threatening accidents inside a critical infrastructure facility in the Middle East. Other examples include the Stuxnet worm that targeted Iran's nuclear program a decade ago, the BlackEnergy malware used to create a regional blackout in Ukraine in December 2015 (a year before the Industroyer incident), and espionage malware known as Havex, which targeted 2,000 industrial sites with code that mapped out industrial equipment and devices.


Industroyer, Trisis, and the other examples contained code that surgically and painstakingly tampered with, mapped, or dismantled certain highly sensitive functions inside the critical infrastructure sites they targeted. Ekans and MegaCortex, by contrast, simply kill processes spawned by ICS software. It remains unclear precisely what effect the killing of those processes would have on the safety of operations inside infected facilities.


Another reason Dragos considers Ekans to be a "relatively primitive attack" is that the ransomware has no mechanism to spread. That makes Ekans much less of a threat than ransomware such as Ryuk, which quietly collects credentials for months on infected systems so it can eventually proliferate widely through almost all parts of a targeted network.


Monday's post also challenged recent reporting that Ekans, which also goes by the name Snake, was created by Iran. The report, which was based on research findings from security firm Otorio, cited similarities to previously known Iranian malware and operations. Dragos researchers said that the firm "finds any such link to be incredibly tenuous based upon available evidence."


Despite the lack of sophistication and no established links to nation states, Ekans warrants serious attention by organizations with ICS operations.


"While all indications at present show a relatively primitive attack mechanism on control system networks, the specificity of processes listed in a static 'kill list' shows a level of intentionality previously absent from ransomware targeting the industrial space," Dragos researchers wrote. "ICS asset owners and operators are therefore strongly encouraged to review their attack surface and determine mechanisms to deliver and distribute disruptive malware, such as ransomware, with ICS-specific characteristics."



Source: New ransomware doesn’t just encrypt data. It also meddles with critical infrastructure (Ars Technica)

zanderthunder

Most companies have adopted isolation-based security to prevent malware from spreading. But on seeing this, IT and security teams need to be more aware, as malware has now evolved.



Mysterious New Ransomware Targets Industrial Control Systems



Only a few times in the history of hacking has a piece of malicious code been spotted attempting to meddle directly with industrial control systems, the computers that bridge the gap between digital and physical systems. Those rare specimens of malware have destroyed nuclear enrichment centrifuges in Iran and caused a blackout in Ukraine. Now, a malware sample has surfaced that uses specific knowledge of control systems to target them with a far blunter, and more familiar, tactic: Kill the target's software processes, encrypt the underlying data, and hold it hostage.


Over the last month, researchers at security firms including Sentinel One and Dragos have puzzled over a piece of code called Snake or EKANS, which they now believe is specifically designed to target industrial control systems, the software and hardware used in everything from oil refineries to power grids to manufacturing facilities. Much like other ransomware, EKANS encrypts data and displays a note to victims demanding payment to release it; the name comes from a string it plants as a file marker on a victim computer to identify that its files have already been encrypted.


But EKANS also uses another trick to ratchet up the pain: It's designed to terminate 64 different software processes on victim computers, including many that are specific to industrial control systems. That allows it to then encrypt the data that those control system programs interact with. While crude compared to other malware purpose-built for industrial sabotage, that targeting can nonetheless break the software used to monitor infrastructure, like an oil firm's pipelines or a factory's robots. That could have potentially dangerous consequences, like preventing staff from remotely monitoring or controlling the equipment's operation.


EKANS is actually the second ransomware to hit industrial control systems. According to Dragos, another ransomware strain known as Megacortex that first appeared last spring included all of the same industrial control system process-killing features, and may in fact be a predecessor to EKANS developed by the same hackers. But because Megacortex also terminated hundreds of other processes, its industrial-control-system targeted features went largely overlooked.


Source

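Both articles above describe the same precursor behaviour: before encrypting anything, Ekans (and the matching MegaCortex build) walks a hard-coded list of 64 process names and kills whatever matches, including HMI, historian and licensing processes. The following is an added example, not code from Dragos, Ars Technica, Wired or either poster, showing one way an ICS asset owner could detect that behaviour on a Windows host. It keys on a single source process acquiring PROCESS_TERMINATE (0x0001) handles on several watch-listed targets within a short window, in the shape of Sysmon Event ID 10 (ProcessAccess, fields SourceImage / TargetImage / GrantedAccess). Because neither article reproduces the kill list itself, the watch list and the log lines are constructed placeholders; an operator would replace them with the image names of the HMI, historian and licensing software actually running on site.

```python
"""Flag a process that obtains PROCESS_TERMINATE handles on several
ICS-related processes in a short window, the kill-list behaviour the
Dragos analysis attributes to Ekans / MegaCortex.

Added example; not code from Dragos or from the forum posters.
Event shape mirrors Sysmon Event ID 10 (ProcessAccess). The watch list
and the sample log lines are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

PROCESS_TERMINATE = 0x0001  # Windows access right required to kill a process

# Hypothetical watch list: the page does not reproduce the 64-entry kill
# list, so these names stand in for site-specific HMI/historian/licensing
# and database images an operator would supply.
ICS_WATCHLIST = {
    "hmi_server.exe",
    "historian.exe",
    "licserver.exe",
    "sqlservr.exe",
}

# Constructed log lines in a simple key=value form, one ProcessAccess
# event per line. Backslashes are doubled because these are Python
# string literals, not raw strings.
SAMPLE_LOG = [
    "ts=2020-02-03T10:00:01|EventID=10|SourceImage=C:\\Users\\op\\update.exe"
    "|TargetImage=C:\\ICS\\hmi_server.exe|GrantedAccess=0x1",
    "ts=2020-02-03T10:00:02|EventID=10|SourceImage=C:\\Users\\op\\update.exe"
    "|TargetImage=C:\\ICS\\historian.exe|GrantedAccess=0x1001",
    "ts=2020-02-03T10:00:03|EventID=10|SourceImage=C:\\Users\\op\\update.exe"
    "|TargetImage=C:\\Program Files\\GE\\licserver.exe|GrantedAccess=0x1",
    # Benign: a monitoring agent only queries the historian (0x1000 =
    # PROCESS_QUERY_LIMITED_INFORMATION), no terminate right granted.
    "ts=2020-02-03T10:00:04|EventID=10|SourceImage=C:\\Agent\\monitor.exe"
    "|TargetImage=C:\\ICS\\historian.exe|GrantedAccess=0x1000",
    # Benign: an operator restarts one HMI by hand; a single target
    # stays below the burst threshold.
    "ts=2020-02-03T11:30:00|EventID=10|SourceImage=C:\\Windows\\System32\\taskkill.exe"
    "|TargetImage=C:\\ICS\\hmi_server.exe|GrantedAccess=0x1",
]


def parse_event(line):
    """Parse one 'key=value|key=value' line into a dict with typed fields."""
    fields = {}
    for token in line.split("|"):
        key, _, value = token.partition("=")
        fields[key.strip()] = value.strip()
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    fields["GrantedAccess"] = int(fields["GrantedAccess"], 16)
    return fields


def find_kill_bursts(lines, window=timedelta(seconds=60), threshold=3):
    """Return [(source_image, [target names])] for every source process that
    obtained PROCESS_TERMINATE on at least `threshold` distinct watch-listed
    targets inside `window`. Each source is reported at most once."""
    hits_by_source = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "10":
            continue
        if not ev["GrantedAccess"] & PROCESS_TERMINATE:
            continue  # handle cannot be used to kill the target
        target = ev["TargetImage"].rsplit("\\", 1)[-1].lower()
        if target in ICS_WATCHLIST:
            hits_by_source[ev["SourceImage"]].append((ev["ts"], target))

    alerts = []
    for source, hits in hits_by_source.items():
        hits.sort()
        # Slide a window over the time-ordered hits; alert on the first
        # window that covers enough distinct targets.
        for i, (start, _) in enumerate(hits):
            seen = {t for ts, t in hits[i:] if ts - start <= window}
            if len(seen) >= threshold:
                alerts.append((source, sorted(seen)))
                break
    return alerts


if __name__ == "__main__":
    for source, targets in find_kill_bursts(SAMPLE_LOG):
        print(f"ALERT: {source} acquired terminate rights on {', '.join(targets)}")
```

Keying on handle acquisition rather than on process-exit records (Security 4689 or Sysmon Event ID 5) is deliberate: exit events tell you a historian stopped, not who stopped it, whereas the ProcessAccess event names the source image, which is what turns a burst of ICS process terminations into an actionable lead. The threshold and window are tuning knobs; a site where engineers routinely restart several HMI components together would raise them or exclude the known maintenance tooling.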


Similar topics merged.


