Software: EKANS, SNAKEHOSE

From attackics
EKANS, SNAKEHOSE
Software
ID: S0017
Aliases: EKANS, SNAKEHOSE
Type: Malware

EKANS is ransomware that was first seen in December 2019 and was later reported to have impacted operations at Honda automotive production facilities.[1][2][3] EKANS has a hard-coded kill-list of processes, including some associated with common ICS software platforms (e.g., GE Proficy historian, Honeywell HMIWeb).[3] If the malware discovers these processes on the target system, it will stop the process, then encrypt and rename it to prevent the program from restarting. This malware should not be confused with the "Snake" malware associated with the Turla group. The ICS processes documented within the malware's kill-list are similar to those defined by the MEGACORTEX software.[4][5][6]

The ransomware was initially reported as "Snake"; to avoid confusion with the unrelated Turla APT group, security researchers spelled the name backwards as EKANS.

Associated Software Descriptions

  • EKANS [3][7][8]
  • SNAKEHOSE [7]

Techniques Used

  • Masquerading - EKANS masquerades as a valid executable with the filename "update.exe". Many legitimate programs use the process name "update.exe" to perform background software updates.[3]
  • Service Stop - Before encrypting, EKANS first kills any running process whose name matches an entry on its kill-list.[7][4] EKANS also uses netsh commands to add firewall rules that block all remote communication with the device.[8]
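The two techniques above both leave process-creation telemetry that a defender can test for: an "update.exe" running from a directory where no installed product would place it, and a netsh advfirewall invocation that switches the host to a blocking policy. The following is an added detection sketch written for this page; it is not EKANS code and not MITRE's or any vendor's. It assumes Sysmon-style event records with Image and CommandLine fields, a list of trusted install directories that a site would tune locally, and a handful of constructed sample events.

```python
"""Detection sketch for the EKANS behaviours listed under Techniques Used.

Added example: constructed events, hypothetical trusted-directory list.
"""
import ntpath
import re
from typing import Dict, List

# Directories where a legitimate update.exe is expected to live (assumption;
# every site should tune this to its own installed software base).
TRUSTED_UPDATE_DIRS = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\windows\\",
)

# netsh advfirewall usage that blocks traffic: either a new rule with
# action=block, or a profile policy switched to blockinbound/blockoutbound.
NETSH_BLOCK_RE = re.compile(
    r"\bnetsh(?:\.exe)?\s+advfirewall\b.*?(?:action=block|firewallpolicy\s+\S*block)",
    re.IGNORECASE,
)

# Constructed Sysmon Event ID 1-style records; not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Program Files\ExampleVendor\update.exe",
     "CommandLine": "update.exe /silent"},
    {"Image": r"C:\Users\operator\AppData\Local\Temp\update.exe",
     "CommandLine": "update.exe"},
    {"Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound"},
    {"Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": 'netsh advfirewall firewall add rule name="Block all" dir=out action=block'},
    {"Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh interface show interface"},
]


def suspicious_update_exe(image: str) -> bool:
    """True when the process is named update.exe but runs outside trusted install dirs."""
    image_l = image.lower()
    if ntpath.basename(image_l) != "update.exe":
        return False
    return not any(image_l.startswith(d) for d in TRUSTED_UPDATE_DIRS)


def blocking_firewall_change(command_line: str) -> bool:
    """True when the command line is a netsh advfirewall change that blocks traffic."""
    return bool(NETSH_BLOCK_RE.search(command_line))


def triage(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run both checks over process-creation events and label hits with the
    technique names used on this page."""
    findings: List[Dict[str, str]] = []
    for ev in events:
        if suspicious_update_exe(ev["Image"]):
            findings.append({"technique": "Masquerading", "image": ev["Image"],
                             "reason": "update.exe outside trusted install directories"})
        if blocking_firewall_change(ev["CommandLine"]):
            findings.append({"technique": "Service Stop", "image": ev["Image"],
                             "reason": "netsh advfirewall change that blocks traffic"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['technique']:<12} {f['reason']}: {f['image']}")
```

Run stand-alone it reports three findings: the update.exe under the user's Temp directory, and the two netsh commands that block traffic. The update.exe in Program Files and the read-only `netsh interface show` call pass, which is the point of the trusted-directory allowlist and the action/policy terms in the regex: the process name alone is too common to alert on, and netsh alone is too noisy.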