The EKANS ransomware, also known as Snake, is one of the most prolific tools used in large-scale and targeted campaigns against industrial plants. A recently discovered campaign shows that this malware is once again being used against industrial control systems and related facilities.
EKANS (SNAKE) Ransomware Hits Industrial Facilities in a New Attack
The Snake ransomware is also known as EKANS, after the file marker it writes into the files it encrypts on infected devices. Samples have been discovered in ongoing attacks, both at the end of May and in June. The malware is written in the Go programming language, which has become popular with malware authors.
Programmers like it because cross-compilation is convenient: a single code base can be compiled for several target platforms, and the resulting binaries will run across the range of systems, including the IoT and control devices, found in production facilities and critical industries. One characteristic of EKANS is that its samples are relatively large, since Go binaries are statically linked and carry the runtime, which makes malware analysis more laborious. The group behind EKANS appears to be targeting production facilities once again, as it did in the Honda attack.
The code is heavily obfuscated, which hinders static detection by many security engines. It is also rather complex, containing over 1,200 strings, and includes several advanced features not found in the older variants:
- Confirmation of the target environment
- Isolation of the host by means of its own firewall, blocking network connections while the malware runs
- Automatic decoding of the RSA keys during the encryption process
- The ability to start and stop processes and services running on the compromised devices
- Removal of Shadow Volume Copies and backups
- File encryption
- Disabling of the host firewall
The newer version of EKANS also identifies the role of the host, classifying it as one of several machine roles (the same numbering Windows uses for its DSROLE_MACHINE_ROLE values): 0 – Standalone Workstation, 1 – Member Workstation, 2 – Standalone Server, 3 – Member Server, 4 – Backup Domain Controller, 5 – Primary Domain Controller.
EKANS also includes the ability to disable other security features: it can detect installed virtualization software, sandbox environments and related applications and disable or entirely remove them.
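Several of the capabilities listed above (isolating the host with its firewall, disabling the firewall, removing shadow copies, stopping services) leave a footprint in ordinary process-creation telemetry, and a SOC can flag a host that shows more than one of them in a short window. The following is an added detection example written for this article, not code from the original page or from an EKANS sample. It assumes Sysmon Event ID 1 or Security 4688 records flattened to JSON lines with `host`, `time`, `image` and `cmdline` fields; the command-line patterns are generic indicators of these behaviours that ransomware commonly abuses, not strings extracted from EKANS, and the sample events are constructed for illustration.

```python
"""Flag hosts showing ransomware-style impact behaviour in process-creation telemetry.

Added example, not code from the original article or from EKANS samples.
Assumed input: JSON-lines records (Sysmon EID 1 / Security 4688 style) with the
fields host, time, image, cmdline. The regexes are generic host-firewall,
shadow-copy and service-control indicators (an assumption, tune per environment).
"""
import json
import re
from collections import defaultdict

# (capability from the article's list, regex over the process command line)
RULES = [
    ("firewall_isolation",
     re.compile(r"netsh\s+advfirewall\s+set\s+\w+\s+firewallpolicy\s+blockinbound,blockoutbound", re.I)),
    ("firewall_disabled",
     re.compile(r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I)),
    ("shadow_copy_removal",
     re.compile(r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)),
    ("backup_catalog_removal",
     re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("service_stop",
     re.compile(r"\b(net1?(\.exe)?\s+stop|sc(\.exe)?\s+stop)\b", re.I)),
]

# Constructed sample telemetry (not real log data). hmi-01 shows a burst of
# impact actions; eng-ws-07 shows a single routine admin command.
SAMPLE_LOG = "\n".join([
    json.dumps({"host": "hmi-01", "time": "2020-06-08T03:12:01Z", "image": "C:\\Windows\\System32\\netsh.exe",
                "cmdline": "netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound"}),
    json.dumps({"host": "hmi-01", "time": "2020-06-08T03:12:04Z", "image": "C:\\Windows\\System32\\vssadmin.exe",
                "cmdline": "vssadmin.exe delete shadows /all /quiet"}),
    json.dumps({"host": "hmi-01", "time": "2020-06-08T03:12:09Z", "image": "C:\\Windows\\System32\\net.exe",
                "cmdline": "net stop \"SQL Server\" /y"}),
    json.dumps({"host": "hmi-01", "time": "2020-06-08T03:14:30Z", "image": "C:\\Windows\\System32\\netsh.exe",
                "cmdline": "netsh advfirewall set allprofiles state off"}),
    json.dumps({"host": "eng-ws-07", "time": "2020-06-08T09:01:00Z", "image": "C:\\Windows\\System32\\net.exe",
                "cmdline": "net stop spooler"}),
    json.dumps({"host": "eng-ws-07", "time": "2020-06-08T09:02:00Z", "image": "C:\\Windows\\notepad.exe",
                "cmdline": "notepad.exe C:\\notes.txt"}),
])


def parse_events(text):
    """Parse JSON-lines telemetry into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(event):
    """Return the capability names whose pattern matches the event's command line."""
    cmd = event.get("cmdline", "")
    return [name for name, rx in RULES if rx.search(cmd)]


def score_hosts(events, threshold=2):
    """Collect distinct capabilities per host; flag hosts reaching `threshold`.

    Requiring several distinct behaviours, rather than one command, keeps a
    lone 'net stop' by an administrator from paging the on-call analyst.
    """
    per_host = defaultdict(set)
    for ev in events:
        for name in classify(ev):
            per_host[ev["host"]].add(name)
    return {host: sorted(caps) for host, caps in per_host.items() if len(caps) >= threshold}


if __name__ == "__main__":
    for host, caps in score_hosts(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT {host}: {', '.join(caps)}")
```

Running the script on the constructed sample flags only `hmi-01`; the single `net stop spooler` on `eng-ws-07` stays below the threshold. In production the window should be bounded in time (the sample ignores `time` for brevity) and the service-stop rule narrowed to services a plant actually cares about, such as backup agents, databases and historian software.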
At the moment the reports do not indicate which well-known companies have been impacted. However, given that the attacks are ongoing, it is very possible that a major company will be hit soon if adequate measures are not taken. Such ransomware is used not only to extort victims for payment but also for sabotage.