Target-specific ransomware can now impact the basic systems that support our daily lives.
Ransomware is a fast-growing threat affecting thousands of government agencies, schools, businesses and municipalities. And while most ransomware takes advantage of known vulnerabilities, it continues to grow smarter by subverting detection technologies and by targeting specific types of organizations. For example, a strain of ransomware dubbed EKANS (“snake” spelled backward) specifically targets ICS/SCADA.
“EKANS aims to stop several processes related to ICS data historian and licensing manager functions, as well as more general processes associated with data storage, transfer and management,” says Joe Slowik, principal adversary hunter for Dragos. He reported on the EKANS ransomware in January before releasing a full evaluation of the malware on February 3.
This malware was designed to scare system operators into paying the ransom, Slowik says. But the processes that EKANS targets aren’t as dangerous as ICS-specific disruptive malware like Industroyer/CrashOverride (used in the cyberattack on the Ukrainian grid in 2015) or Triton/Trisis (used to turn off safety instrumentation at a Saudi petrochemical plant in 2017).
However, ransomware that specifically targets any ICS-related processes is a concerning development.
“EKANS is an evolutionary step from existing MegaCortex examples with limited capability to impact ICS operations beyond the process stop capabilities,” Slowik adds. “This is a dangerous precedent in that it shows unknown entities expanding their willingness to disrupt operations for likely monetary gain to include industrial-specific functions.”
In other words, bad guys are getting deadly serious with their ransomware demands. Who cares about humans who need electricity to support their ventilators and dialysis, refrigerators or even clean drinking water? Hold the energy companies that support human life for ransom. Impacted organizations will be even more inclined to pay the ransom, right?
In the case of ICS environments, commonly prescribed advice about secure, off-site backups can protect against loss of data, but not against process interruptions from targeted malware. And using anti-ransomware capability isn’t a silver bullet either. RIPlace ransomware, reported in November 2019, can bypass most ransomware protection features built into security products.
Endpoint security vendor Nyotron, which discovered the RIPlace malware, demonstrates how this strain of ransomware can overcome anti-malware by triggering an error that causes the driver to skip its rename request handling logic (the rename operation is commonly used by ransomware to take over a file). Because of this fault, the security product never sees the file path that is being replaced.
Where to Turn
Ultimately, prevention is a matter of good system and network hygiene, and education of users who click links or attachments.
The United States Computer Emergency Readiness Team (US-CERT) offers strong advice around backups and training. US-CERT also identifies specific prevention methods (e.g., patch and update, using caution with links and attachments, verifying senders and changing passwords once an infection is detected).
NIST provides guidance around detecting and recovering from ransomware, including an architecture for integrity mechanisms all the way down to the firmware layer, along with network baselining and monitoring, logging, analysis, reporting and forensics.
And Nyotron is building a tool to test if your ransomware protection is susceptible to RIPlace-like manipulation, but that tool isn’t available yet.