Software: EKANS, SNAKEHOSE
EKANS is ransomware that was first seen in December 2019 and later reported to have impacted operations at Honda automotive production facilities.[1][2][3] EKANS has a hard-coded kill-list of processes, including some associated with common ICS software platforms (e.g., GE Proficy historian, Honeywell HMIWeb).[3] If the malware discovers these processes on the target system, it will stop, encrypt, and rename the process to prevent the program from restarting. This malware should not be confused with the "Snake" malware associated with the Turla group. The ICS processes documented within the malware's kill-list are similar to those defined by the MEGACORTEX software.[4][5][6]
The ransomware was initially reported as "Snake"; however, to avoid confusion with the unrelated Turla APT group, security researchers spelled it backwards as EKANS.
Associated Software Descriptions
- Masquerading - EKANS masquerades itself as a valid executable with the filename "update.exe". Many valid programs use the process name "update.exe" to perform background software updates.[3]
- Service Stop - Before encrypting the process, EKANS first kills the process if its name matches one of the processes defined on the kill-list.[7][4] EKANS also utilizes netsh commands to implement firewall rules that block any remote communication with the device.[8]
- Network Connection Enumeration - EKANS performs a DNS lookup of an internal domain name associated with its target network to identify if it was deployed on the intended system.[8]
- Loss of Productivity and Revenue - EKANS infection resulted in a temporary production loss within a Honda manufacturing plant.[1]
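The four behaviours listed above (an update.exe masquerade, a kill-list of ICS processes, netsh firewall rules that cut remote access, and a DNS check for an internal domain) each leave a host-level trace a defender can look for. The following is an added example, not code from the ATT&CK page or from any of the cited vendors: a small Python detector that runs over constructed Sysmon-style event records (process creation, process termination and DNS query events) and flags each behaviour. The process names in the ICS watchlist, the trusted directories, the internal domain suffix and the sample events are all hypothetical placeholders to be replaced with values from your own environment; the netsh command-line pattern is an assumption about what a firewall-blocking invocation looks like, not EKANS's exact command.

```python
"""Detect EKANS-like host behaviours in Sysmon-style events (added example).

Events are dicts with an 'id' (Sysmon event ID: 1 = process create,
5 = process terminated, 22 = DNS query), an 'image' path, and optionally a
'cmdline' (ID 1) or 'query' (ID 22). All names and paths below are constructed.
"""
import re
from collections import Counter

# Hypothetical watchlist of ICS process names to guard; NOT EKANS's real kill-list.
ICS_WATCHLIST = {"historian_placeholder.exe", "hmiweb_placeholder.exe"}

# Directories from which a legitimate update.exe is expected (assumption).
TRUSTED_UPDATE_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

# Constructed internal domain suffix that only this network would resolve.
INTERNAL_DOMAIN_SUFFIX = ".corp.example"

# Assumed shape of a netsh invocation that blocks traffic via the Windows firewall.
NETSH_BLOCK = re.compile(
    r"\bnetsh\b.+\badvfirewall\b.+\b(action=block|blockinbound|blockoutbound)\b", re.I
)


def image_name(image):
    """Return the lower-cased file name component of a Windows image path."""
    return image.lower().rsplit("\\", 1)[-1]


def detect(events, kill_threshold=2):
    """Return (rule, detail) findings, in the order the triggering events arrive.

    An ICS termination burst is reported once, after all events are seen, when at
    least `kill_threshold` distinct watchlist processes have been terminated.
    """
    findings = []
    suspicious_images = set()  # images already flagged as masquerading
    kills = Counter()          # watchlist process name -> termination count

    for ev in events:
        image = ev.get("image", "").lower()
        name = image_name(image)

        if ev["id"] == 1:
            # Masquerading: update.exe launched from an untrusted location.
            if name == "update.exe" and not image.startswith(TRUSTED_UPDATE_DIRS):
                findings.append(("update_exe_outside_trusted_dir", image))
                suspicious_images.add(image)
            # Service Stop side effect: firewall rules that block remote access.
            cmd = ev.get("cmdline", "")
            if NETSH_BLOCK.search(cmd):
                findings.append(("netsh_firewall_block", cmd))

        elif ev["id"] == 22:
            # Network Connection Enumeration: a flagged process resolving the
            # internal domain to confirm it is on the intended network.
            query = ev.get("query", "").lower()
            if query.endswith(INTERNAL_DOMAIN_SUFFIX) and image in suspicious_images:
                findings.append(("internal_domain_check_by_suspicious_process", query))

        elif ev["id"] == 5 and name in ICS_WATCHLIST:
            # Kill-list activity: watchlist processes being terminated.
            kills[name] += 1

    killed = sorted(kills)
    if len(killed) >= kill_threshold:
        findings.append(("ics_process_termination_burst", killed))
    return findings


# Constructed sample events: one benign update.exe run from a trusted path and an
# EKANS-like sequence of masquerade, DNS check, firewall block and ICS kills.
SAMPLE_EVENTS = [
    {"id": 1, "image": "c:\\users\\public\\update.exe", "cmdline": "update.exe"},
    {"id": 22, "image": "c:\\users\\public\\update.exe", "query": "dc01.corp.example"},
    {"id": 1, "image": "c:\\windows\\system32\\netsh.exe",
     "cmdline": "netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound"},
    {"id": 5, "image": "c:\\program files\\vendor\\historian_placeholder.exe"},
    {"id": 5, "image": "c:\\program files\\vendor\\hmiweb_placeholder.exe"},
    {"id": 1, "image": "c:\\program files\\vendor\\update.exe", "cmdline": "update.exe /check"},
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The masquerade rule is deliberately path-based rather than name-based, because the page notes that many legitimate updaters are also called update.exe; the DNS rule is only raised for a process that was already flagged, since an internal-domain lookup on its own is normal host activity. The termination burst is counted over distinct watchlist names so that a single service restart does not trip it.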
References
1. Davey Winder. (2020, June 10). Honda Hacked: Japanese Car Giant Confirms Cyber Attack On Global Operations. Retrieved April 12, 2021.
2. MalwareBytes. (2020, June 09). Honda and Enel impacted by cyber attack suspected to be ransomware. Retrieved April 12, 2021.
3. Dragos Threat Intelligence. (2020, February 03). EKANS Ransomware and ICS Operations. Retrieved April 12, 2021.
4. Nathan Brubaker, Daniel Kapellmann Zafra, Keith Lunden, Ken Proska, Corey Hildebrandt. (2020, July 15). Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families. Retrieved April 12, 2021.
5. Joe Slowik. (2020, January 28). Getting the Story Right, and Why It Matters. Retrieved April 12, 2021.
6. Joe Slowik. (2020, June 18). EKANS Ransomware Misconceptions and Misunderstandings. Retrieved April 12, 2021.
7. Daniel Kapellmann Zafra, Keith Lunden, Nathan Brubaker, Jeremy Kennelly. (2020, July 15). Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT. Retrieved April 12, 2021.
8. Ben Hunter and Fred Gutierrez. (2020, July 01). EKANS Ransomware Targeting OT ICS Systems. Retrieved April 12, 2021.