Skip to content


EKANS is ransomware variant written in Golang that first appeared in mid-December 2019 and has been used against multiple sectors, including energy, healthcare, and automotive manufacturing, which in some cases resulted in significant operational disruptions. EKANS has used a hard-coded kill-list of processes, including some associated with common ICS software platforms (e.g., GE Proficy, Honeywell HMIWeb, etc), similar to those defined in MegaCortex.12

Item Value
ID S0605
Associated Names SNAKEHOSE
Version 2.0
Created 12 February 2021
Last Modified 21 April 2022
Navigation Layer View In ATT&CK® Navigator

Associated Software Descriptions

Name Description

Techniques Used

Domain ID Name Use
enterprise T1486 Data Encrypted for Impact EKANS uses standard encryption library functions to encrypt files.12
enterprise T1562 Impair Defenses -
enterprise T1562.001 Disable or Modify Tools EKANS stops processes related to security and management software.13
enterprise T1490 Inhibit System Recovery EKANS removes backups of Volume Shadow Copies to disable any restoration capabilities.12
enterprise T1036 Masquerading -
enterprise T1036.005 Match Legitimate Name or Location EKANS has been disguised as update.exe to appear as a valid executable.1
enterprise T1027 Obfuscated Files or Information EKANS uses encoded strings in its process kill list.3
enterprise T1057 Process Discovery EKANS looks for processes from a hard-coded list.134
enterprise T1489 Service Stop EKANS stops database, data backup solution, antivirus, and ICS-related processes.132
enterprise T1016 System Network Configuration Discovery EKANS can determine the domain of a compromised host.4
enterprise T1047 Windows Management Instrumentation EKANS can use Windows Mangement Instrumentation (WMI) calls to execute operations.1


Back to top