Report ties Ekans/Snake ransomware to Megacortex, stresses ICS threat


A new threat intelligence report has underscored the serious threat posed by the recently discovered Snake ransomware, which not only encrypts files but can also disrupt certain industrial control system (ICS) processes.

ICS security firm Dragos published the report as a blog post yesterday, after initially sharing it privately with its clientele in mid-January. Dragos refers to the ransomware as Ekans (Snake spelled backwards) and said its team first observed the threat on Jan. 6, although MalwareHunterTeam had previously been credited with its discovery.

Although the Go-language program is rather primitive and limited in functionality, it nonetheless “represents a relatively new and deeply concerning evolution in ICS-targeting malware,” said Dragos in its post. “Whereas previously ICS-specific or ICS-related malware was solely the playground of state-sponsored entities, Ekans appears to indicate non-state elements pursuing financial gain are now involved in this space as well…”

As it encrypts files, the ransomware appends a random five-character string to each file's extension and adds the file marker "EKANS" within each file (hence the name Snake or Ekans). It also removes shadow copies and leaves the victim a ransom note with an email address to contact. But in an unusual twist, it also kills specifically named processes related to ICS software and SCADA systems, among other processes, which means OT environments are also at risk.
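The two file-level traits just described (the appended five-character extension suffix and the "EKANS" marker) are enough to triage a share or host during incident response. The script below is an added example, not code from the article or from Dragos. It assumes the marker sits at the very end of each encrypted file (the report only says it is added "within each file") and that the suffix is five alphanumeric characters appended directly to the original extension, as in "trend.csv" becoming "trend.csvQh7Zp"; both the sample files and the directory layout are constructed here for illustration.

```python
"""Triage helper for files that look like they were encrypted by Ekans/Snake.

Added example; not from the Dragos report or the article. Assumptions:
  * the "EKANS" marker is the trailing bytes of an encrypted file
    (the report only says the marker is added "within each file");
  * the random suffix is five alphanumerics appended straight onto the
    original extension, e.g. "trend.csv" -> "trend.csvQh7Zp".
The sample directory built by build_sample() is constructed for the demo.
"""
import os
import re
import tempfile

MARKER = b"EKANS"
TAIL_BYTES = 64  # read only the end of each file; encrypted files can be large

# Name heuristic (assumption): original extension + 5 random alphanumerics.
# Too weak on its own (any 6-13 character extension matches), so it is only
# reported alongside the marker check, never used as the sole signal.
SUFFIX_RE = re.compile(r"\.[A-Za-z0-9]{1,8}[A-Za-z0-9]{5}$")


def has_marker(path: str) -> bool:
    """True if the file ends with the EKANS marker (assumed trailer position)."""
    size = os.path.getsize(path)
    if size < len(MARKER):
        return False
    with open(path, "rb") as fh:
        fh.seek(max(0, size - TAIL_BYTES))
        return fh.read().endswith(MARKER)


def suspicious_name(name: str) -> bool:
    """True if the file name carries the assumed five-character suffix."""
    return SUFFIX_RE.search(name) is not None


def triage(root: str) -> list[dict]:
    """Walk root and return one record (path relative to root) per marked file."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if not has_marker(path):
                    continue
            except OSError:
                continue  # unreadable or vanished file; keep walking
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            hits.append({"path": rel, "name_matches": suspicious_name(name)})
    return sorted(hits, key=lambda h: h["path"])


def build_sample(root: str) -> None:
    """Write constructed samples: two 'encrypted' files, one clean, one decoy."""
    os.makedirs(os.path.join(root, "hmi"), exist_ok=True)
    with open(os.path.join(root, "hmi", "trend.csvQh7Zp"), "wb") as fh:
        fh.write(os.urandom(1024) + MARKER)   # ciphertext-like body + trailer
    with open(os.path.join(root, "readme.txtAb3Xq"), "wb") as fh:
        fh.write(os.urandom(200) + MARKER)
    with open(os.path.join(root, "plc_config.xml"), "wb") as fh:
        fh.write(b"<config/>")                 # clean file, no marker
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"EKANS is Snake reversed. Do not flag this.")  # word mid-file only


def demo() -> list[dict]:
    """Build the constructed sample tree in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return triage(root)


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['path']}  marker=yes  suffix={'yes' if hit['name_matches'] else 'no'}")
```

Reading only the tail of each file keeps the sweep cheap on large historian exports, and the decoy text file shows why the check is anchored to the end of the file rather than searching for the string anywhere.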

Dragos names the various systems whose processes are targeted by Ekans, including GE's Proficy data historian, GE Fanuc licensing server services, Honeywell's HMIWeb application, the FLEXNet and Sentinel HASP license managers, and the ThingWorx Industrial Connectivity Suite. Other targeted processes correspond to virtual machines, remote management tools and other solutions.

“…[W]hile ransomware has previously victimized ICS environments, prior events all feature IT-focused ransomware that spreads into control system environments by way of enterprise mechanisms. Otherwise, ICS-specific ransomware has mostly included either academic proof of concepts or marketing stunts representing the corpus of activity.”

Dragos also says it has discovered a connection between Ekans and Megacortex ransomware, which first surfaced in January 2019 and emerged as a major threat. According to the report, a newer variant of Megacortex that debuted in mid-2019 (detailed by Accenture) demonstrates similar process kill activity and also references specific ICS processes.

"While Ekans targets only 64 processes, the variant of Megacortex alludes to over 1,000 total items, many related to security solutions. This includes all the ones Ekans targets, which suggests Ekans is a variant based on prior Megacortex activity," Dragos concludes.

In its report, Dragos asserts that industry speculation linking Ekans to Iranian hacker activity is incredibly tenuous based on the available evidence. The company also suggests a series of mitigations to limit the risk of an Ekans infection.


