CSIRT-Italy: New cybercrime campaign to spread the EKANS ransomware. Malware has several variants, acts like a cryptolocker and also affects ICS
There is a new campaign of the EKANS ransomware, in circulation with several variants. The CSIRT-Italy cyber security experts report it. The peculiarity of malware (anagram of SNAKE) is that in addition to acting as a cryptolocker, it has features capable of forcibly stopping system processes related to the domain of Industrial Control Systems (ICS). In particular, a “kill list” of ICS processes to be terminated is encoded inside. The functioning mechanisms described seem to derive from MEGACORTEX, another malicious code of cybercrime which, in addition to ICS processes, also impacts those that implement security functions. This gives these malware a level of intentionality previously absent from ransomware of this type, thus configuring itself as a unique and specific risk for industrial systems.
Cyber security experts: Ransomware is written in Golang and at the moment there are no details on how it spreads within the affected network. Consequently, preventive measures must be implemented
EKANS ransomware had been discovered by Dragos’ cyber security experts, who had compiled a report on it. The malware was written in Golang and began to be observed in late December 2019. At the moment, however, there are no details on how the malicious code of cybercrime is spreading within the affected network. Consequently, CSIRT-Italy recommends implementing preventive measures. ICS operators are therefore strongly encouraged to redefine the extent of the possible attack surface and reconsider the new mechanisms of operation of the malware addressed to ICS systems. In particular, it would be important that they accurately record their assets and their connections within their operating environment. This is to determine the impact that a ransowmare with specific references to the ICS sector may have on related operations or processes and consequently take appropriate countermeasures.