Skip to content


EKANS is ransomware variant written in Golang that first appeared in mid-December 2019 and has been used against multiple sectors, including energy, healthcare, and automotive manufacturing, which in some cases resulted in significant operational disruptions. EKANS has used a hard-coded kill-list of processes, including some associated with common ICS software platforms (e.g., GE Proficy, Honeywell HMIWeb, etc), similar to those defined in MegaCortex.12

Item Value
ID S0605
Associated Names SNAKEHOSE
Version 2.0
Created 12 February 2021
Last Modified 08 March 2023
Navigation Layer View In ATT&CK® Navigator

Associated Software Descriptions

Name Description

Techniques Used

Domain ID Name Use
enterprise T1486 Data Encrypted for Impact EKANS uses standard encryption library functions to encrypt files.12
enterprise T1562 Impair Defenses -
enterprise T1562.001 Disable or Modify Tools EKANS stops processes related to security and management software.13
enterprise T1490 Inhibit System Recovery EKANS removes backups of Volume Shadow Copies to disable any restoration capabilities.12
enterprise T1036 Masquerading -
enterprise T1036.005 Match Legitimate Name or Location EKANS has been disguised as update.exe to appear as a valid executable.1
enterprise T1027 Obfuscated Files or Information EKANS uses encoded strings in its process kill list.3
enterprise T1057 Process Discovery EKANS looks for processes from a hard-coded list.134
enterprise T1489 Service Stop EKANS stops database, data backup solution, antivirus, and ICS-related processes.132
enterprise T1016 System Network Configuration Discovery EKANS can determine the domain of a compromised host.4
enterprise T1047 Windows Management Instrumentation EKANS can use Windows Mangement Instrumentation (WMI) calls to execute operations.1
ics T0828 Loss of Productivity and Revenue EKANS infection resulted in a temporary production loss within a Honda manufacturing plant. 7
ics T0849 Masquerading EKANS masquerades itself as a valid executable with the filename update.exe. Many valid programs use the process name update.exe to perform background software updates. 8
ics T0840 Network Connection Enumeration EKANS performs a DNS lookup of an internal domain name associated with its target network to identify if it was deployed on the intended system. 5
ics T0881 Service Stop Before encrypting the process, EKANS first kills the process if its name matches one of the processes defined on the kill-list. 6 6 EKANS also utilizes netsh commands to implement firewall rules that blocks any remote communication with the device. 5