EKANS strikes again: large organizations taken down by ransomware
After we first reported on the EKANS ransomware back in February, there have been three big new developments. First, a large hospital operator was hit by the malware, had its operations disrupted and saw patient data leaked online. Second, the malware forced a large automotive manufacturer to shut down some of its factories worldwide, as well as customer and financial services. Third, the malware is believed to have hit the IT network of an energy distribution company in Argentina. In the third case, the attack has been confirmed, but not the malware used; the disruption (which did not affect critical systems) was related to containment and eradication measures taken by their response team after ransomware was identified by antivirus software.
What is known about the ransomware and these new attacks?
EKANS (also previously called Snake) is a Windows ransomware with ICS-specific targets that was first publicly discussed in January 2020. It identifies processes to be terminated on a target machine, some of which are related to SCADA and ICS systems, and can encrypt data used by ICS and other operations. It is also known to be similar to the MegaCortex malware identified in August 2019.
The samples supposedly used in the recent attacks have been shared on Twitter and analyzed by the Malwarebytes Threat Intelligence Team. The main findings of that analysis are:
- the new variants used hardcoded internal domains of both companies.
- both companies had Windows machines with Internet-accessible Remote Desktop Protocol (RDP) servers, which is a favorite infection method among malware developers nowadays. This may have been the entry point for the malware, although it cannot be confirmed by the analysts. Another potential entry point cited was a new SMB vulnerability called SMBleed (CVE-2020-1206).
Kaspersky analyzed further samples of the malware and confirmed that each sample includes a specific domain name and IP address. They also found that encryption only happens when the IP address embedded in the malware’s code and resolved from DNS match, meaning that each sample is specifically targeted to affect only one company and is compiled after the attackers have internal knowledge of the organization, indicating a multi-stage attack.
How to protect your network?
The usual recommendations of patching devices (both IT and OT) to avoid infection and segmenting networks to avoid lateral movement that can impact operations still apply. In the case of ransomware, backups are also crucial to restore operations. Both eyeSight and SilentDefense can detect vulnerable devices, while eyeSegment can be used to assess existing segmentation hygiene and continuously ensure proper network segmentation (see it in action).
On top of that, monitoring the network to detect initial infection and the presence of malware before it reaches its target can avoid further consequences, as we can see in the example of Enel.
SilentDefense can detect brute force attacks on RDP servers that use popular tools, such as Hydra and Ncrack, as shown in the figure below.
SilentDefense also has a dedicated database of Indicators of Compromise (IoC) used to detect malicious file transfers inside the network, among other signals such as communication with blacklisted IPs and domains. In this database, we have two entries for MD5 hashes of specific files known to be used by the EKANS malware: 3d1cc4ef33bad0e39c757fce317ef82a and 53dddbb304c79ae293f98e0b151c6b28.
This allows SilentDefense to detect malicious files traversing the network and alert users of their presence, as shown in the figure below.
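To make the two detection signals above concrete, here is an added example (not SilentDefense's own detection logic) that runs over constructed monitor records: it matches reported file-transfer hashes against the two EKANS MD5 IoCs listed above and flags sources with a burst of failed RDP logons, the pattern tools like Hydra and Ncrack produce. The record formats, IP addresses and thresholds are assumptions made for the example.

```python
from collections import defaultdict
# MD5 IoCs for EKANS as listed in the post.
EKANS_MD5_IOCS = {
    "3d1cc4ef33bad0e39c757fce317ef82a",
    "53dddbb304c79ae293f98e0b151c6b28",
}

# Constructed sample records (not real captures). Transfer: "ts src dst name md5";
# logon: "ts src user proto result". Timestamps are epoch seconds.
FILE_TRANSFERS = """\
1591000001 10.0.5.12 10.0.7.40 update.exe 3d1cc4ef33bad0e39c757fce317ef82a
1591000002 10.0.5.12 10.0.7.41 report.pdf 9e107d9d372bb6826bd81d3542a419d6
"""
RDP_LOGONS = """\
1591000100 203.0.113.9 administrator RDP FAIL
1591000105 203.0.113.9 admin RDP FAIL
1591000110 203.0.113.9 root RDP FAIL
1591000115 203.0.113.9 operator RDP FAIL
1591000120 203.0.113.9 scada RDP FAIL
1591000130 10.0.5.30 jsmith RDP FAIL
1591000200 198.51.100.7 admin RDP FAIL
1591000400 198.51.100.7 admin RDP FAIL
"""

def find_ekans_transfers(records=FILE_TRANSFERS):
    """Return (src, dst, filename) for each transfer whose reported MD5 is an IoC."""
    hits = []
    for line in records.splitlines():
        _ts, src, dst, name, md5 = line.split()
        if md5.lower() in EKANS_MD5_IOCS:
            hits.append((src, dst, name))
    return hits

def find_rdp_bruteforce(records=RDP_LOGONS, threshold=5, window=60):
    """Sources with >= threshold failed RDP logons inside any `window`-second span."""
    fails = defaultdict(list)
    for line in records.splitlines():
        ts, src, _user, proto, result = line.split()
        if proto == "RDP" and result == "FAIL":
            fails[src].append(int(ts))
    flagged = []
    for src, times in sorted(fails.items()):
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(src)
                break
    return flagged
```

Spaced-out failures (198.51.100.7) stay below the window threshold, while the burst from 203.0.113.9 is flagged; tune `threshold` and `window` to the noise level of your own RDP logon telemetry.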
Raised alerts can be directly forwarded to a SIEM solution, while containment, eradication, and recovery actions – such as quarantining a device – can be automated with the help of eyeControl.