Malware spotlight: Ekans

March 18, 2020 by

Greg Belding

Introduction

Industrial Control Systems, or ICS, have been the target of malware for some time now. Most of these threats target Windows systems and Windows processes, and aside from targeting ICS-specific processes, they are not much different from the horde of threats on that Windows XP system that you are currently using as a paperweight. 

A troubling development has been the addition of ransomware to the list of threats that target ICS. Recently, a new ICS-specific ransomware threat has been discovered: Ekans. 

This article will detail the Ekans malware and explore what it is, what makes Ekans different from other ICS threats and how it works, as well as how it can be prevented. 

As a general comment about threats like these, we should all be concerned about ICS threats. Failure of critical infrastructure to have proper information security in place will result in damage to society immeasurably worse than if your personal PC becomes infected.

What is Ekans?

Ekans, or snake spelled backwards, is a new type of ransomware that targets ICS systems. Discovered in December of 2019, Ekans is the second type of ransomware designed for ICS. The first ICS ransomware to appear in the wild was MEGACORTEX, a small malware family with both ransomware and disk wiper capabilities that has some dedicated ICS-specific characteristics. 

The good news is that malware researchers have described Ekans as less of a threat than MEGACORTEX. But despite this opinion, all ICS threats should be treated as serious due to the destruction it can cause to society. Just imagine the chaos that will ensue if critical infrastructure goes down due to poor security measures!

What makes Ekans different from other ICS-specific threats?

Until recently, threat actors responsible for ICS-specific threats have been state-sponsored. This means that the motivation has been based on nation-state interests and not so much for personal gain. Ekans has changed the game in this regard: it is the first ICS-specific threat that is used by private cybercriminals. This means that financial gain is most likely the main motive and other private cybercriminal groups and organizations may follow suit, making these attacks more commonplace. 

Another, more whimsical, fact about Ekans is that it is the first ICS-specific malware to be named after a Pokemon character.

How does Ekans work?

Ekans is notable for being very aggressive, according to malware researchers. Part of this is because it does not target individual systems but rather entire networks. Instead of spreading the way that other ransomware does, it is introduced to targeted ICSes by manual propagation. This means that the main infection vector is malicious email attachments. 

Once an ICS has been infected, Ekans exploits poorly secured and unpatched services to begin its attack. It can seed itself across an entire network via script.

After infection, Ekans begins working through what is called a “kill list” of processes typically associated with ICS. If these processes are found, they are terminated. These processes have been described as the “guts” of ICS and affect widely-used software and programs, including GE’s Proficy software, ThingWorx monitoring and management software and a Honeywell control interface program. 

This hard-coded kill list is not as extensive as that of MEGACORTEX, but Ekans is still a serious threat. This list includes the following processes:

• bluestripecollector.exe: BlueStripe Data Collector
• ccflic0.exe: Proficy licensing
• ccflic4.exe: Proficy licensing
• cdm.exe: Nimsoft-related
• certificateprovider.exe: Ambiguous
• client.exe: Ambiguous
• client64.exe: Ambiguous
• collwrap.exe: BlueStripe data collector
• config_api_service.exe: ThingWorx Industrial Connectivity suite, ambiguous
• dsmcsvc.exe: Tivoli Storage Manager client
• epmd.exe: RabbitMQ Server (SolarWinds)
• erlsrv.exe: Erlang
• fnplicensingservice.exe: FLEXNet Licensing Service
• hasplmv.exe: Sentinel HASP License Manager
• hdb.exe: Honeywell HMIWeb
• healthservice.exe: Microsoft SCCM
• ilicensesvc.exe: GE FANUC licensing
• inet_gethost.exe: Erlang
• keysvc.exe: Ambiguous
• managementagenthost.exe: VMWare CAF Management Agent service
• monitoringhost.exe: Microsoft SCCM
• msdtssrvr.exe: Microsoft SQL Server Integration Service
• msmdsrv.exe: Microsoft SQL Server Analysis Services
• musnotificationux.exe: Microsoft Update Notification Service
• n.exe: Ambiguous
• nimbus.exe: Broadcom Nimbus
• npmdagent.exe: Microsoft OMS Agent
• ntevl.exe: Nimsoft Monitor
• ntservices.exe: Ambiguous
• pralarmmgr.exe: Proficy-related
• prcalculationmgr.exe: Proficy Historian Data Calculation Service
• prconfigmgr.exe: Proficy-related
• prdatabasemgr.exe: Proficy-related
• premailengine.exe: Proficy-related
• preventmgr.exe: Proficy-related
• prftpengine.exe: Proficy-related
• prgateway.exe: Proficy Secure Gateway
• prlicensemgr.exe: Proficy License Server Manager
• proficy administrator.exe: Proficy-related
• proficyclient.exe: Proficy-related
• proficypublisherservice.exe: Proficy-related
• proficyserver.exe: Proficy Server
• proficysts.exe: Proficy-related
• prprintserver.exe: Proficy-related
• prproficymgr.exe: Proficy Plant Applications
• prrds.exe: Proficy Remote Data Service
• prreader.exe: Proficy Historian Data Calculation Service
• prrouter.exe: Proficy-related
• prschedulemgr.exe: Proficy-related
• prstubber.exe: Proficy-related
• prsummarymgr.exe: Proficy-related
• prwriter.exe: Proficy Historian Data Calculation Service
• reportingservicesservice.exe: Microsoft SQL Server Reporting Service
• server_eventlog.exe: Proficy Event Log Service, ambiguous
• server_runtime.exe: Proficy-related, ambiguous
• spooler.exe: Ambiguous
• sqlservr.exe: Microsoft SQL Server
• taskhostw.exe: Windows OS
• vgauthservice.exe: VMWare Guest Authentication Service
• vmacthlp.exe: VMWare Activation Helper
• vmtoolsd.exe: VMWare Tools Service
• win32sysinfo.exe: RabbitMQ
• winvnc4.exe: WinVNC client
• workflowresttest.exe: Ambiguous

If these processes are terminated on the right system, the system would no longer present ICS plant staff with an accurate view condition, which would be fatal to ICS functionality. Service disruption would be almost imminent. 

Once infection is complete, the compromised ICS would have their files encrypted. Users would be prompted with a note on their monitor saying that their files have been encrypted, and the ransom demand is usually in the millions of dollars.

Prevention

The good thing is that Ekans is fairly easy to prevent. Below are some straightforward tips toward helping to ensure it will not happen to your organization’s ICS:

• The number one recommendation is to become educated on cybersecurity risk. Not downloading malicious or even just strange email attachments is cybersecurity risk training 101, and all plant staff should be aware of this
• Use email content filtering and scanning
• Ensure files are backed up and easily accessible for recovery. This may require implementing a backup and recovery plan if one is not already in place
• Ensure that devices and services are patched and secured

Conclusion

Ekans was just recently discovered and is the first ICS-specific malware to be designed by private cybercriminals. It works by attacking the “guts” of widely-used ICS implementations and if it infects the right system, it will slowly kill vital processes and encrypt files on the network. With this said, mainstream cyber risk training will prevent the vast majority of infections and keep our critical infrastructure safe from this threat.

Become a certified reverse engineer!

Get live, hands-on malware analysis training from anywhere, and become a Certified Reverse Engineering Analyst.

Start Learning

Sources

1. EKANS Ransomware Raises Industrial-Control Worries, Dark Reading
2. Snake/EKANS Ransomware Attacks Industrial Control Systems, Acronis
3. Attackers Target Industrial Control Systems with EKANS Ransomware, CISO Mag
4. Ransomware Targeting Industrial Control Systems Gets More Sophisticated, Barracuda