S0605 EKANS
EKANS is a ransomware variant written in Golang that first appeared in mid-December 2019 and has been used against multiple sectors, including energy, healthcare, and automotive manufacturing, in some cases causing significant operational disruptions. EKANS has used a hard-coded kill-list of processes, including some associated with common ICS software platforms (e.g., GE Proficy, Honeywell HMIWeb), similar to those defined in MegaCortex.[1][2]
| Item | Value | 
|---|---|
| ID | S0605 | 
| Associated Names | SNAKEHOSE | 
| Type | MALWARE | 
| Version | 2.0 | 
| Created | 12 February 2021 | 
| Last Modified | 08 March 2023 | 
Associated Software Descriptions
| Name | Description | 
|---|---|
| SNAKEHOSE | [3] | 
Techniques Used
| Domain | ID | Name | Use | 
|---|---|---|---|
| enterprise | T1486 | Data Encrypted for Impact | EKANS uses standard encryption library functions to encrypt files.[1][2] | 
| enterprise | T1562 | Impair Defenses | - | 
| enterprise | T1562.001 | Disable or Modify Tools | EKANS stops processes related to security and management software.[1][3] | 
| enterprise | T1490 | Inhibit System Recovery | EKANS removes backups of Volume Shadow Copies to disable any restoration capabilities.[1][2] | 
| enterprise | T1036 | Masquerading | - | 
| enterprise | T1036.005 | Match Legitimate Name or Location | EKANS has been disguised as update.exe to appear as a valid executable.[1] | 
| enterprise | T1027 | Obfuscated Files or Information | EKANS uses encoded strings in its process kill list.[3] | 
| enterprise | T1057 | Process Discovery | EKANS looks for processes from a hard-coded list.[1][3][4] | 
| enterprise | T1489 | Service Stop | EKANS stops database, data backup solution, antivirus, and ICS-related processes.[1][3][2] | 
| enterprise | T1016 | System Network Configuration Discovery | EKANS can determine the domain of a compromised host.[4] | 
| enterprise | T1047 | Windows Management Instrumentation | EKANS can use Windows Management Instrumentation (WMI) calls to execute operations.[1] | 
| ics | T0828 | Loss of Productivity and Revenue | EKANS infection resulted in a temporary production loss within a Honda manufacturing plant.[7] | 
| ics | T0849 | Masquerading | EKANS masquerades as a valid executable with the filename update.exe. Many valid programs use the process name update.exe to perform background software updates.[8] | 
| ics | T0840 | Network Connection Enumeration | EKANS performs a DNS lookup of an internal domain name associated with its target network to identify whether it was deployed on the intended system.[5] | 
| ics | T0881 | Service Stop | Before encrypting, EKANS first kills any process whose name matches one of the processes defined on the kill-list.[6] EKANS also utilizes netsh commands to implement firewall rules that block any remote communication with the device.[5] | 
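The rows above describe three host-observable behaviours: Volume Shadow Copy removal (T1490), netsh firewall rules that cut remote communication (T0881), and bursts of kill-list style process terminations (T0881/T1489). The following detection sketch is an added example, not code from MITRE or from any of the cited reports. It runs over constructed, simplified key=value process events loosely modelled on Sysmon process-create (EventID 1) and process-terminate (EventID 5) records; the host names, process names in the watchlist, and the threshold are placeholders to be replaced with values from your own environment.

```python
"""Flag EKANS-style host behaviours in process telemetry (added example)."""
import re
from collections import defaultdict

# Constructed sample events, not real telemetry. Image and CommandLine are
# always quoted so paths containing spaces parse cleanly.
SAMPLE_EVENTS = [
    'EventID=1 Host=HMI-01 Image="C:\\Windows\\System32\\vssadmin.exe" CommandLine="vssadmin delete shadows /all /quiet"',
    'EventID=1 Host=HMI-01 Image="C:\\Windows\\System32\\netsh.exe" CommandLine="netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound"',
    'EventID=1 Host=ENG-02 Image="C:\\Windows\\System32\\netsh.exe" CommandLine="netsh advfirewall firewall show rule name=all"',
    'EventID=1 Host=ENG-02 Image="C:\\Windows\\System32\\vssadmin.exe" CommandLine="vssadmin list shadows"',
    'EventID=5 Host=HMI-01 Image="C:\\Program Files\\Vendor\\hmi_server.exe"',
    'EventID=5 Host=HMI-01 Image="C:\\Program Files\\Backup\\backup_agent.exe"',
    'EventID=5 Host=HMI-01 Image="C:\\Program Files\\AV\\av_service.exe"',
    'EventID=5 Host=ENG-02 Image="C:\\Program Files\\Backup\\backup_agent.exe"',
]

# key=value with either a double-quoted value or a bare token.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# T1490: shadow copy deletion via vssadmin or the WMI shadowcopy class.
SHADOW_DELETE = re.compile(r'vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete', re.I)
# T0881: netsh advfirewall invocations that introduce a block policy or rule.
FIREWALL_BLOCK = re.compile(r'netsh(\.exe)?\s+advfirewall\b.*\bblock', re.I)

# Placeholder names standing in for the backup, antivirus and ICS processes
# an operator station should never see terminated together.
WATCHLIST = {"hmi_server.exe", "backup_agent.exe", "av_service.exe"}
KILL_BURST_THRESHOLD = 3  # distinct watchlisted processes killed on one host


def parse_event(line):
    """Return the event's fields as a dict; quoted values keep their spaces."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def detect(lines):
    """Return (host, technique, detail) tuples for each suspicious pattern."""
    findings = []
    kills = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        host = ev.get("Host", "?")
        image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        cmd = ev.get("CommandLine", "")
        if ev.get("EventID") == "1":
            if SHADOW_DELETE.search(cmd):
                findings.append((host, "T1490", "shadow copy deletion: " + cmd))
            if FIREWALL_BLOCK.search(cmd):
                findings.append((host, "T0881", "firewall block policy: " + cmd))
        elif ev.get("EventID") == "5" and image in WATCHLIST:
            kills[host].add(image)
    # A single termination is routine; several watchlisted processes dying on
    # the same host is the kill-list pattern described in the table.
    for host, images in kills.items():
        if len(images) >= KILL_BURST_THRESHOLD:
            findings.append((host, "T0881", "kill-list style terminations: " + ", ".join(sorted(images))))
    return findings


if __name__ == "__main__":
    for host, technique, detail in detect(SAMPLE_EVENTS):
        print(f"{host} {technique} {detail}")
```

On the constructed input, only HMI-01 trips all three rules; ENG-02's `vssadmin list shadows` and `netsh ... show rule` are read-only and stay silent, and its single backup-agent termination is below the burst threshold. Tune the watchlist and threshold per site, since legitimate patching on an HMI can also stop one or two of these services.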
References
- [1] Dragos. (2020, February 3). EKANS Ransomware and ICS Operations. Retrieved February 9, 2021.
- [2] Hinchliffe, A. and Santos, D. (2020, June 26). Threat Assessment: EKANS Ransomware. Retrieved February 9, 2021.
- [3] Zafra, D., et al. (2020, February 24). Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT. Retrieved March 2, 2021.
- [4] Singleton, C. and Kiefer, C. (2020, September 28). Ransomware 2020: Attack Trends Affecting Organizations Worldwide. Retrieved September 20, 2021.
- [5] Hunter, B. and Gutierrez, F. (2020, July 1). EKANS Ransomware Targeting OT ICS Systems. Retrieved April 12, 2021.
- [6] Zafra, D. K., Lunden, K., Brubaker, N., and Kennelly, J. (2020, July 15). Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT. Retrieved April 12, 2021.
- [7] Winder, D. (2020, June 10). Honda Hacked: Japanese Car Giant Confirms Cyber Attack On Global Operations. Retrieved April 12, 2021.
- [8] Dragos Threat Intelligence. (2020, February 3). EKANS Ransomware and ICS Operations. Retrieved April 12, 2021.