Drives and Controls Magazine
Ransomware targets industrial control systems
Published:  10 February, 2020

Researchers at the cyber-security firm Dragos have discovered a new form of ransomware that they think is the first to specifically target industrial control systems (ICSs). Called Ekans, the malware is designed to terminate certain ICS processes, shutting them down until a ransom is paid.

In a blog examining Ekans, Dragos says that it represents a “deeply concerning” evolution in ICS-targeting malware. “Whereas previously ICS-specific or ICS-related malware was solely the playground of state-sponsored entities,” it says, “Ekans appears to indicate non-state elements pursuing financial gain are now involved in this space as well, even if only at a very primitive level.”

Ransomware has affected ICS environments before, but this was in the form of IT-focused malware that spread into control environments via enterprise systems. The new malware has been designed specifically to target Windows-based ICS software and includes references to GE’s Proficy data historian, Honeywell’s HMIWeb application and PTC’s ThingWorx connectivity suite, among others.

The malware is designed to terminate 64 different software processes. It simply stops them and cannot inject commands or manipulate the ICS processes in other ways, but it could result in a loss-of-view on networks, according to Dragos. After files have been encrypted, they are renamed by appending five random characters to the original file extension. Ekans then places a ransom note in the root of the system drive and on the desktop.

Unlike some more disruptive forms of ransomware, Ekans does not reboot or shut down a system, or close remote access channels. It has no built-in propagation or spreading mechanism; instead, it must be launched interactively or via a script to infect a host.
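The two host-level artefacts described above (files renamed by appending five random characters to their original extension, and a ransom note dropped in the root of the system drive and on the desktop) can be turned into a simple triage check over a directory listing. The following is an added example, not code from the article or from Dragos; the extension watch-list, the sample paths and the assumption that the note is a .txt file are all constructed for illustration.

```python
import re

# Constructed watch-list of extensions worth checking on a Windows ICS host;
# an assumption for this example, not a list taken from the Dragos report.
KNOWN_EXTENSIONS = ("csv", "xml", "log", "txt", "docx", "xlsx", "bak", "mdb")

# Ekans keeps the original extension and appends five random characters,
# so "report.csv" becomes e.g. "report.csvAb12x" (constructed sample).
SUFFIX_LEN = 5

def split_renamed(filename):
    """Return (original_name, suffix) if the name matches the rename pattern, else None."""
    lower = filename.lower()
    cut = len(filename) - SUFFIX_LEN
    for ext in KNOWN_EXTENSIONS:
        marker = "." + ext
        # a known extension must sit immediately before the 5-character tail
        if cut > len(marker) and lower.endswith(marker, 0, cut) and filename[cut:].isalnum():
            return filename[:cut], filename[cut:]
    return None

def is_ransom_note_location(path):
    """True for a file directly in a drive root or in a Desktop folder (Windows paths assumed)."""
    parts = path.replace("/", "\\").split("\\")
    if len(parts) == 2 and re.fullmatch(r"[A-Za-z]:", parts[0]):
        return True
    return len(parts) >= 2 and parts[-2].lower() == "desktop"

def triage(listing, min_hits=3):
    """Summarise a listing of full paths; alert once the rename pattern is widespread."""
    renamed, suffixes, note_candidates = [], set(), []
    for path in listing:
        name = path.replace("/", "\\").rsplit("\\", 1)[-1]
        hit = split_renamed(name)
        if hit:
            renamed.append(path)
            suffixes.add(hit[1])
        # assumption: the note is a text file; the article does not name it
        elif name.lower().endswith(".txt") and is_ransom_note_location(path):
            note_candidates.append(path)
    return {"renamed": renamed, "suffixes": sorted(suffixes),
            "note_candidates": note_candidates, "alert": len(renamed) >= min_hits}

SAMPLE_LISTING = [  # constructed listing, not from a real incident
    r"C:\Historian\Archives\2020-02-01.csvAb12x",
    r"C:\Historian\Archives\2020-02-02.csvQ7pLm",
    r"C:\HMI\Projects\plant.xmlz9K3t",
    r"C:\HMI\Projects\plant.xml",
    r"C:\Users\operator\Desktop\readme.txt",
    r"C:\readme.txt",
    r"C:\Windows\System32\drivers\etc\hosts",
]

if __name__ == "__main__":
    print(triage(SAMPLE_LISTING))
```

A single hit such as `backup.txtfinal` is a legitimate name, which is why the alert is driven by the number of matches rather than any one file.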

Dragos says that the level of impact that Ekans may have on industrial environments is unclear. But it points out that targeting historian and data-gathering processes at both the client and server levels imposes significant costs on an organisation and could disrupt monitoring functions.

The impacts of server and HMI process termination are less clear. The malware affects mechanisms that check whether a customer has paid for their software licences. Other processes may enable fallbacks or “grace periods” for licensing servers, allowing operations to continue for some time without a licence management system.

Nevertheless, the uncertainty is “unacceptable”, say the researchers, given the risk of producing inadvertent loss-of-control. As a result, they warn, Ekans (and its presumed parent, called Megacortex) “represent a unique and specific risk to industrial operations not previously observed in ransomware operations”.

While some organisations will be able to revert to manual operations in an emergency, the costs and inefficiencies of doing so are substantial. Ekans and its parent therefore “present specific and unique risks and cost-imposition scenarios for industrial environments”, according to the Dragos researchers.

After encrypting control system files, the Ekans malware issues a ransom note

There have been suggestions that Ekans may have originated in Iran, but the researchers say that any such link is “incredibly tenuous”, adding that “no strong or compelling evidence exists to link Ekans with Iranian strategic interests”.

At present, Dragos does not know how Ekans distributes itself within victim networks. It adds that the primary defence against such ransomware is to prevent it from reaching or spreading through a network in the first place. In their blog, the researchers suggest various techniques for minimising the risks of Ekans infiltrating ICSs.

They conclude that because the Ekans implementation is “extremely primitive” with an indeterminate effect on industrial operations, it is “more of a novelty than a discrete and worrying risk”.

Despite its limited functions, Ekans represents a “deeply concerning” evolution of cyber-threats that target control systems. And unlike previous ICS-targeting malware which was blamed on state-sponsored organisations, Ekans appears to show that criminals seeking financial gain are now involved as well.

The researchers warn that it is incumbent on ICS owners and operators to learn lessons not only from how Ekans functions, but also from the many ways in which malicious software can propagate and be distributed in control systems, and to draw up suitable defence strategies.