New Ransomware Targets Industrial Control Systems

EKANS is a new ransomware that targets industrial control systems:

But EKANS also uses another trick to ratchet up the pain: It's designed to terminate 64 different software processes on victim computers, including many that are specific to industrial control systems. That allows it to then encrypt the data that those control system programs interact with. While crude compared to other malware purpose-built for industrial sabotage, that targeting can nonetheless break the software used to monitor infrastructure, like an oil firm's pipelines or a factory's robots. That could have potentially dangerous consequences, like preventing staff from remotely monitoring or controlling the equipment's operation.

EKANS is actually the second ransomware to hit industrial control systems. According to Dragos, another ransomware strain known as Megacortex that first appeared last spring included all of the same industrial control system process-killing features, and may in fact be a predecessor to EKANS developed by the same hackers. But because Megacortex also terminated hundreds of other processes, its industrial-control-system targeted features went largely overlooked.

Speculation is that this is criminal in origin, and not the work of a government.

It's also the first malware that is named after a Pokémon character.

Posted on February 7, 2020 at 9:42 AM • 13 Comments
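
An added example, not from the post, the Wired article or Dragos's report: a small detector that reads constructed Sysmon-style process-termination records and raises an alert when several watchlisted ICS processes on one host die within a short window, which is the behaviour the paragraph above describes. The log format and the process names in the watchlist are placeholders, not EKANS's actual kill list.

```python
"""Burst-of-terminations detector for ICS-relevant processes.

Added example: not code from the post, Dragos, or EKANS itself. The log
format is a simplified stand-in for Sysmon Event ID 5 / Windows 4689
records, and the watchlist names are placeholders for your own HMI,
historian, OPC and licensing processes.
"""
from collections import deque
from datetime import datetime, timedelta

# Placeholder watchlist (assumption): replace with the image names your
# plant actually runs. EKANS's real kill list is not reproduced here.
ICS_WATCHLIST = {
    "hmi_runtime.exe", "historian_svc.exe", "opc_server.exe",
    "license_mgr.exe", "plc_link.exe",
}


def parse_line(line):
    """Parse '<ISO ts> <Event> host=<h> image=<path> pid=<n>' into a dict."""
    ts_str, event, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    image = fields["image"].rsplit("\\", 1)[-1].lower()  # basename only
    return {
        "ts": datetime.fromisoformat(ts_str),
        "event": event,
        "host": fields["host"],
        "image": image,
        "pid": int(fields["pid"]),
    }


def detect_kill_bursts(lines, window=timedelta(seconds=30), min_hits=3):
    """Alert per host when >= min_hits watchlisted processes end within window.

    One operator closing one HMI does not trip this; a script killing the
    whole control-software stack in a few seconds does. Lines are assumed
    to arrive in time order, as a collector would deliver them.
    """
    recent = {}   # host -> deque of (timestamp, image) inside the window
    alerts = {}   # host -> alert record, grown as more kills arrive
    for line in lines:
        ev = parse_line(line)
        if ev["event"] != "ProcessTerminate" or ev["image"] not in ICS_WATCHLIST:
            continue
        dq = recent.setdefault(ev["host"], deque())
        dq.append((ev["ts"], ev["image"]))
        while ev["ts"] - dq[0][0] > window:   # drop kills outside the window
            dq.popleft()
        if len(dq) >= min_hits:
            alert = alerts.setdefault(
                ev["host"], {"host": ev["host"], "first": dq[0][0], "killed": set()}
            )
            alert["last"] = ev["ts"]
            alert["killed"].update(img for _, img in dq)
    return [dict(a, killed=sorted(a["killed"])) for a in alerts.values()]


# Constructed sample records, not real telemetry. ops-ws2 is an operator
# closing one HMI; eng-ws1 shows the ransomware-style kill pattern.
SAMPLE_LOG = [
    "2020-02-05T03:14:07 ProcessTerminate host=ops-ws2 image=C:\\HMI\\hmi_runtime.exe pid=2210",
    "2020-02-05T03:20:01 ProcessTerminate host=eng-ws1 image=C:\\Windows\\notepad.exe pid=3301",
    "2020-02-05T03:20:02 ProcessTerminate host=eng-ws1 image=C:\\HMI\\hmi_runtime.exe pid=4120",
    "2020-02-05T03:20:03 ProcessTerminate host=eng-ws1 image=C:\\Historian\\historian_svc.exe pid=1888",
    "2020-02-05T03:20:03 ProcessTerminate host=eng-ws1 image=C:\\OPC\\opc_server.exe pid=2477",
    "2020-02-05T03:20:05 ProcessCreate host=eng-ws1 image=C:\\Users\\ops\\update.exe pid=5102",
    "2020-02-05T03:20:09 ProcessTerminate host=eng-ws1 image=C:\\Licensing\\license_mgr.exe pid=990",
]

if __name__ == "__main__":
    for a in detect_kill_bursts(SAMPLE_LOG):
        print(f"{a['host']}: {len(a['killed'])} watchlisted processes killed "
              f"between {a['first'].time()} and {a['last'].time()}: {', '.join(a['killed'])}")
```

The window and threshold are the tuning knobs: a planned maintenance shutdown also kills the whole stack, so in practice the alert is suppressed during change windows or enriched with the parent process that issued the terminations, which a real Sysmon feed carries and this simplified record does not.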

Comments

Norio • February 7, 2020 10:47 AM

It seems to me that the folks naming ransomware are as unimaginative as those who name automobiles. I predict the next pokemon-derived ransomware name will be "Arbok."

Bruce Schneier • February 7, 2020 11:45 AM

@Norio:

"It seems to me that the folks naming ransomware are as unimaginative as those who name automobiles. I predict the next pokemon-derived ransomware name will be 'Arbok.'"

Well, we do know that malware evolves.

Bogo User • February 7, 2020 1:16 PM

Sounds to me like a new "best practice" for such an industry (where ongoing safety related monitoring is needed) should be adding some wrap-back to their industrial controls so that they take an appropriate response when the monitors go offline.

The controls themselves may need to maintain a confirmation that the operator monitors are working, or else fail-safe themselves.
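
As an added illustration of the fail-safe idea in the comment above (example code, not from the commenter or from any PLC or HMI vendor): a simulated controller that requires HMAC-authenticated, sequence-numbered heartbeats from the operator monitor and drops into a safe state when they stop. The message format, shared key, timeout values and the RUN/SAFE states are assumptions; what "safe" means for a given process is a process-engineering decision that this code does not make.

```python
"""Controller-side watchdog that fails safe when operator monitoring goes quiet.

Added example: a simulation, not code from any PLC or HMI product. The
heartbeat format, shared key, timeout and the RUN/SAFE states are
assumptions made for the demonstration.
"""
import hashlib
import hmac

HEARTBEAT_KEY = b"shared-secret-for-example-only"  # assumption: provisioned out of band
HEARTBEAT_TIMEOUT = 10.0  # seconds without a fresh, valid heartbeat before failing safe


def make_heartbeat(seq, ts, monitor=b"hmi-1", key=HEARTBEAT_KEY):
    """Monitor side: 'HB|<monitor>|<seq>|<ts>|<hex HMAC over the rest>'."""
    body = b"|".join([b"HB", monitor, str(seq).encode(), repr(float(ts)).encode()])
    mac = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + mac


class Controller:
    def __init__(self, key=HEARTBEAT_KEY, timeout=HEARTBEAT_TIMEOUT):
        self.key = key
        self.timeout = timeout
        self.last_seq = -1   # highest sequence number accepted so far
        self.last_ok = 0.0   # time of the last accepted heartbeat
        self.state = "RUN"
        self.log = []

    def verify(self, msg):
        """Return (seq, ts) if the MAC and format check out, else None."""
        try:
            body, mac = msg.rsplit(b"|", 1)
            kind, _monitor, seq, ts = body.split(b"|")
        except ValueError:
            return None
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        if kind != b"HB" or not hmac.compare_digest(mac, expected):
            return None
        return int(seq), float(ts)

    def on_heartbeat(self, msg, now):
        parsed = self.verify(msg)
        if parsed is None:
            self.log.append((now, "rejected: bad MAC or format"))
            return
        seq, _ = parsed
        if seq <= self.last_seq:  # replayed or stale: must not refresh the watchdog
            self.log.append((now, f"rejected: replay seq={seq}"))
            return
        self.last_seq, self.last_ok = seq, now

    def tick(self, now):
        """Run once per scan cycle; returns the current state."""
        if self.state == "RUN" and now - self.last_ok > self.timeout:
            self.state = "SAFE"
            self.log.append((now, "monitor silent; entering safe state"))
        return self.state


def simulate():
    """Heartbeats every 2 s until the monitor is killed at t=10.

    A captured heartbeat is replayed at t=14 and a forged one sent at t=16;
    neither should keep the controller in RUN. Returns ({t: state}, log).
    """
    ctrl = Controller()
    captured = make_heartbeat(3, 6.0)
    states = {}
    for t in range(0, 31):
        if t <= 10 and t % 2 == 0:
            ctrl.on_heartbeat(make_heartbeat(t // 2, t), float(t))
        if t == 14:
            ctrl.on_heartbeat(captured, 14.0)
        if t == 16:
            ctrl.on_heartbeat(b"HB|hmi-1|99|16.0|" + b"0" * 64, 16.0)
        states[t] = ctrl.tick(float(t))
    return states, ctrl.log


if __name__ == "__main__":
    states, log = simulate()
    print({t: s for t, s in states.items() if t in (10, 20, 21, 30)})
    for when, msg in log:
        print(f"t={when:>4}: {msg}")
```

The two details that matter are that the watchdog lives on the controller, not on the workstation the ransomware just took down, and that the heartbeat carries a monotonic sequence number under the MAC, so an attacker who captured traffic before killing the HMI cannot keep the controller running by replaying it.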

Clive Robinson • February 7, 2020 1:53 PM

@ Bruce,

It's also the first malware that is named after a Pokémon character.

There is a joke that "Pokémon" came about as a name because somebody visiting the Edinburgh Festival upset a drunken Scot, who cussed him out and the "yer got lost in translation"[1].

It matters not if true or not; it got laughs at the Fringe.

But speaking of Edinburgh just up the coast is a strange place where they grow strawberries and other fruit and veg you would expect to be grown a degree or two south, it is Aberdeen (sheltered by Dyce).

Due to the North Sea oil/gas industry and the desire to save enormous man power costs, automation is big up there, and Industrial Control Systems (ICS) are taught in school / college there rather more than they are elsewhere in the UK.

ICS whilst not an extremely rare skill is something you tend to get into from heavy or chemical engineering not CompSci, thus in comparison the number of people that know quite a bit about it and are prepared to write malware are not exactly thick on the ground.

If it is criminals it will be interesting to find out their background should they ever get caught.

I guess the question about Bahrain arises, back when stuxnet was new, it was found in strange places. Thus the question is Bahrain just some anomaly or is it a target?

To be honest it's a bit of a puzzler without further information.

[1] If people don't get the joke remember it was told by a "stand up" so just try saying "Pokémon" out loud in a broad Glaswegian accent and replace the "é" with "yer".

Phaete • February 8, 2020 2:32 AM

But EKANS also uses another trick to ratchet up the pain: It's designed to terminate 64 different software processes on victim computers, including many that are specific to industrial control systems.

To make a (live) backup of an ICS environment you have to stop its processes (gracefully usually) but sometimes things don't stop properly and you can run a script to end the processes involved. Sounds like some scripts written to help with a backup of an ICS system have been re-purposed.

I can't seem to find any proper code analysis for this one though. Let me rummage some more.

Random Comment • February 8, 2020 9:47 AM

If there is anyone on the planet who is not already aware, it's Snake backwards. With Arbok being Kobra. Making a point of always stating the obvious as in general it only takes one person not to know for things to fall apart.

I'm guessing the security services of countries who are not advanced as some others could re-purpose the code once seen for their own benefit.

Gweihir • February 8, 2020 9:08 PM

Well, a core problem is that ransomware realized what many criminals and criminal organizations in this space have wanted for a long time: A steady, generous source of income for attacks on computers. That means that "APTs" (which are rarely "advanced", it is about them being persistent) are now something that a small group of criminals or even a gifted criminal individual can do and live off decently. The restriction to nation-states we had before was merely because they were the only ones that could fund such activities. With ransomware, this type of crime does unfortunately finally pay and pay well. And let's be honest: The victims here are people and organizations that have IT security that is cheaply or badly done and that cannot even be bothered to have current, offline backups.

A consequence of the changed economics is that ransomware gets more and more solid engineering practices applied to it, and generally catches up to other well-written software. Some people are making a career now of developing these systems and unfortunately quite a few are not incompetent at all. They are also aware of past attacks and what worked and what did not and of engineering advances and solid engineering practices in this application space.

When APTs used to be nation-states, you could at least assume some level of restraint and most targets were not even interesting to them. With ransomware, that changed. Now, everybody that has bad IT security and at least looks like they could pay becomes a target. As many organizations still do IT security "cheapest possible" there are lots and lots of targets and many of them are pretty critical to society. These attackers have no restraint, which has become amply clear with the attacks on hospitals.

Hence we are now in a new phase of this arms-race: Competent, unscrupulous small groups and individuals that are hungry for a big pay-off and have real software engineering skills at their disposal are becoming the main threat. We are also in a phase where nobody is safe anymore, because the motivation for doing these attacks is the commercial angle and the attackers do not really care about politics or world-views.

Clive Robinson • February 9, 2020 6:00 AM

@ Gweihir, ALL,

And let's be honest: The victims here are people and organizations that have IT security that is cheaply or badly done and that cannot even be bothered to have current, offline backups.

You are almost singing from the same song sheet as I have for years...

The difference is in the verse about "backups" I did a proof of concept back more than two decades ago. It was to prove a point about the issues with "tick-box" backup systems.

Back then as now there were two basic ways to do backups, as a "bag of bits" drive image or as nested "containers" of "bags of bits" (ie files as containers in other containers directory etc structures). Which meant that you could backup FDE drives and encrypted files because the backup system cared not a jot about the "bag of bits" containers, as long as the bits remained in the same state.

The thing about APT being "persistent" is that it need not have a "hit and run" payload, it could have a covert one that takes its time.

Thus with care an attacker could get at the OS file system drivers and put in an I/O shim. We know this because it's been done before by various attackers.

If the shim is designed to act like an "Inline Media Encryptor" (IME), then the Computer at the OS level sees plaintext and the hard drive --apart from what is required to boot the system-- sees ciphertext. The NSA has used hardware AES IME's for years for data up to and including "secret" classification because it fully protects the data on the hard drive against theft etc. Such shim software although not being hardware would be quite valuable as the core of a security product in its own right[1].

The real trick with APT and backups is to make the backup device see ciphertext as well. Back when I did it QIC tape drives on the floppy drive interface were easy to spot as was the fact you could only run the backup program when nothing else was running on the computer.

Thus whilst I'm not aware of others doing it, encryption of the backup "tapes" as part of an APT Ransomware attack is probably the next logical step when the "low hanging fruit" of those that don't back up have been culled from the vine. It simply runs encrypting the backups for say three months before it hits the users with file lock out and a payment request, it's then that they discover their backups are not what they thought they were...

Whilst there are several ways to spot the attack as it starts encrypting the backup tapes --if you set things up correctly,-- it is something that requires not just thought and skill, but ongoing effort that can not easily be fully automated... Which means there is a "manpower cost" price that most --especially certain types of managment-- are not prepared to pay for one reason or another...

There is of course one way to stop external Ransomware getting on your computers, which is don't connect them to the Internet or any other form of external communications... But few ever even consider it.

Thus an attacker would have to be some form of "insider". Thus you have to reduce the insider threat abilities. Some work places don't have working USB slots, that is the holes are blocked and certain drivers are removed. But it's not altogether a 100% solution, because they could use a "gumstick computer" via a network port etc.

Which brings us to the real trick for any insider attack, that is "Getting away with it". As far as we can tell quite a few have not. Mainly I suspect because they did not plan the "setup" and "clear down" phases of their chosen "revenge" operation for various reasons.

That is during the "setup" phase of getting the attack together and "inside" is not traceable back to them via logs, timesheets, files on work, personal and home computers or communications systems or programming style etc. Then the clear down phase of getting any payment into their hands in ways that are likewise not traceable back to the individual.

Thus to get away with it as an insider you have to think like a criminal, plan like a forensics examiner and have a believable back cover a spy would be proud of. Part of the cover would be attacking other organisations so it looks like it was an outsider attack that "accidentally" got in some how, via say a Microsoft or other vendor software update etc.

The point being if you are good enough to do all that, why be an insider attacker unless the payday / payback is truly immense. The problem there is that beyond a certain sized payment people will come looking for you and they may not be as friendly as the police and judicial system...

As I've noted in the past the way to be a success as an internet criminal is "stay below the threshold in any one jurisdiction" and "don't dirty your doorstep", that way you can make a steady income without getting people looking for you. You also need to "blend in", being the first of any new type of attack makes you "of interest" to researchers at the very least, and you don't need or want that as the old saying has it "The leading edge, is the bleeding edge".

[1] As my father pointed out to me way back last century "If you are smart enough to be a criminal that does not get caught, then you are smart enough to earn more money honestly". It still appears to be more than true, which is one reason I keep pointing out "tools are agnostic to use". If you make a good tool then people will pay for it, especially if it is versatile enough to be sold into many market sectors.

Bob Rizzo • February 14, 2020 7:21 AM

Why aren't ransomware attacks considered terrorist attacks and given top priority by Homeland Security, the NSA, and the CIA?

1&1~=Umm • February 14, 2020 10:48 AM

@Bob Rizzo:

"Why aren't ransomware attacks considered terrorist attacks"

Well for one good reason they are not "terrorist" attacks but "criminal" attacks (that is the coerced political element is missing).

But secondly there is some kind of perversion running around the US which is people using FUD to avoid admitting their own mistakes. Put simply,

    Ransomware only exists because users do not take precautions and fail to setup mitigations

It is really that simple. There is little or nothing you can do once well thought out Ransomware turns up. That is you have two choices,

1, Lose the lot.
2, Pay up and keep your fingers crossed.

Thus the old saying "The ship was lost for a ha'porth of tar" appears to apply.

A Nonny Bunny • February 15, 2020 3:20 PM

@1&1~=Umm

Ransomware only exists because users do not take precautions and fail to setup mitigations
No, it also exists because there are people that want to exploit those short-comings for criminal gain.
Don't just blame the victim, leave some for the perpetrators.

But yes, people should realize it's a cruel world out there, and they need to take precautions; be it on the internet or in the real world.

1&1~=Umm • February 16, 2020 5:03 AM

@A Nonny Bunny:

"No, it also exists because there are people that want to exploit those short-comings for criminal gain."

The same is true of any other specific crime. Criminals look for a weakness and exploit it.

I said quite accurately,

    Ransomware only exists because users do not take precautions and fail to setup mitigations

You could replace 'Ransomware' with just about any other cyber-crime or physical crime and the statement would still be both valid and accurate.

Ransomware as a specific cyber crime payload exploits a particular set of avoidable weaknesses which is the point I am making.

As it currently exists the weakness it exploits is the users lack of backed up data. But it could also be a lot worse it could also attack the backup process.

"Don't just blame the victim, leave some for the perpetrators."

Criminals at the end of the day are opportunistic parasites; they can only survive because of others' weakness or failures. Unlike most of the parasites we see in nature, criminals can adapt to changes in their environment very easily. That is they exist by actively looking for any weakness or failing in others just as most successful predators do.

The one thing life has taught me is that we all have weaknesses or failings of some kind and especially when the two coincide we are vulnerable unless we or others take action to protect us at those times. It's the essence of what society is, we gather together for mutual benefit, much though others think they can stand alone, it's just not true.

The problem is how much of our resources do we devote to protecting ourselves from predators and parasites? If we spend too much in any given area then we not just waste resources, we also lose the opportunities those resources might otherwise have given us. It is thus a 'value judgment', and it has been pointed out on this blog before it is by its nature asymmetric. That is you really only get an indicator you are not spending enough when you get attacked; being not attacked is not an indicator of you are spending either too little or too much.

The issue is what is and is not a 'reasonable' level of resources to deploy. Well the environment is always changing so you need to be aware of that, but you also need to understand the consequences of each change and adjust accordingly. As we clearly see demonstrated in news headlines even professionals get it wrong most of the time. As they claim expertise and receive payment for it I will say they have a degree of responsibility.

But ordinary users, I would not expect to have either the knowledge or the experience to make a value judgment. Thus the people we should blame for this is 'society' as we are not protecting our citizens in one or more ways, which I could list out but this reply has got too long as it is.
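
Clive Robinson's scenario above (an I/O shim that lets the OS see plaintext while the backup device quietly receives ciphertext) and the remark in the preceding comment that ransomware could also attack the backup process come down to the same practitioner check: restore the backup somewhere else and prove the contents are what they were when written. The following is an added example, not code from either commenter or from any backup product, that verifies an in-memory tar archive against a manifest of hashes recorded at write time and flags mismatched files whose bytes look like ciphertext. The archive, manifest, canary file and the keystream "shim" are all constructed for the demonstration.

```python
"""Restore-and-verify check for backups, meant to run on a separate host.

Added example, not code from the comments or from any backup product. The
archive, manifest, canary file and the keystream 'shim' below are all
constructed for the demonstration.
"""
import hashlib
import io
import math
import tarfile
from collections import Counter


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data):
    """Bits per byte; config/text sits well under 6, ciphertext close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_archive(files):
    """Pack {name: bytes} into an in-memory tar, standing in for the backup medium."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def keystream_xor(data, key):
    """Toy stand-in for the covert I/O shim: SHA-256 counter keystream XOR.

    Illustrative only; a real shim would use a real cipher. Applying it twice
    with the same key decrypts, which is what the shim does on the read path.
    """
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def verify_backup(archive, manifest, entropy_limit=7.0):
    """Restore every manifest entry from the archive and compare hashes.

    manifest: {name: sha256 hex} recorded when the files were written and
    stored where the backed-up host cannot rewrite it. Returns (ok, findings).
    """
    findings = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        restored = {m.name: tar.extractfile(m).read()
                    for m in tar.getmembers() if m.isfile()}
    for name, expected in manifest.items():
        data = restored.get(name)
        if data is None:
            findings.append(f"{name}: missing from backup")
            continue
        if sha256_hex(data) != expected:
            findings.append(f"{name}: hash mismatch")
            h = shannon_entropy(data)
            if h > entropy_limit:
                findings.append(f"{name}: looks encrypted ({h:.2f} bits/byte)")
    return not findings, findings


# Constructed sample data: a config file and a never-edited canary whose
# hash is known in advance, so any change to it is by definition tampering.
FILES = {
    "hmi/config.ini": b"[plc]\naddress=10.1.2.3\nscan_ms=500\n" * 20,
    "canary/README.txt": b"canary file: known plaintext, never edited\n" * 40,
}
MANIFEST = {name: sha256_hex(data) for name, data in FILES.items()}


def demo():
    """Verify an honest backup and one written through the simulated shim."""
    honest = build_archive(FILES)
    shimmed = build_archive({n: keystream_xor(d, b"attacker-key") for n, d in FILES.items()})
    return verify_backup(honest, MANIFEST), verify_backup(shimmed, MANIFEST)


if __name__ == "__main__":
    for label, (ok, findings) in zip(("honest", "shimmed"), demo()):
        print(label, "OK" if ok else "FAIL", *findings, sep="\n  ")
```

The check only means something under two conditions that follow directly from the shim scenario: it has to run on a host that reads the backup medium itself rather than through the production machine's file system (otherwise the same shim decrypts on the read path and every hash matches), and the manifest has to live somewhere the backed-up host cannot rewrite, since a hash list sitting next to the data is just one more file for the shim to handle.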
