EKANS Ransomware and ICS Operations | Dragos
EKANS ransomware emerged in mid-December 2019, and Dragos published a private report to Dragos WorldView Threat Intelligence customers in early January 2020. While relatively straightforward as a ransomware sample in terms of encrypting files and displaying a ransom note, EKANS featured additional functionality to forcibly stop a number of processes, including multiple items related to ICS operations.
In response to reports that cyber criminals are launching ransomware attacks that are specifically targeting industrial control systems, an expert from KnowBe4 offers perspective.
James McQuiggan, Security Awareness Advocate, KnowBe4
“Ransomware is continuing its evolution to now impact ICS systems and networks, and these additional services are programs needed for the ICS system to operate effectively. With the ransomware programmed to kill those services, this presents a new twist to having the systems made unavailable before the encryption process starts.
Knowing that ransomware enters a network via an end user clicking on a phishing link through their email system, it is very important for an ICS environment to be configured so that it is not directly connected to the internet. It’s also crucial to ensure that no email clients operate on these systems. It is best practice to make sure that the critical ICS systems are behind multiple levels of firewalls, thus fully utilizing defense in depth. If the ICS systems sit on a flat network, it exponentially increases the risk of it becoming infected, reducing availability and productivity of products or services and potentially damaging the reputation of the organization.
While focusing on the technology of a product to monitor and detect the malware, it’s critical to consider that organizations should have an engaging and educational security awareness training program to help their operators, employees and executives be aware. They should be educated on current phishing attacks and the steps they need to take to prevent a ransomware attack from launching on their network.”