This site has been deprecated in favor of and will remain in place until 11/1/22.


From attackics
Revision as of 11:28, 13 April 2021 by Jsteele (talk | contribs)
ID: S0017
Type: Malware

EKANS is ransomware that was first seen in December 2019 and later reported to have impacted operations at Honda automotive production facilities.[1][2][3] EKANS has a hard-coded kill-list of processes, including some associated with common ICS software platforms (e.g., GE Proficy historian, Honeywell HMIWeb).[3] If the malware discovers these processes on the target system, it will stop, encrypt, and rename the process to prevent the program from restarting. This malware should not be confused with the “Snake” malware associated with the Turla group. The ICS processes documented within the malware’s kill-list are similar to those defined by the MEGACORTEX software.[4][5][6]

The ransomware was initially reported as “Snake”; however, to avoid confusion with the unrelated Turla APT group, security researchers spelled it backwards as EKANS.

Associated Software Descriptions

  • EKANS [3][7][8]

Techniques Used

  • Masquerading - EKANS masquerades as a valid executable with the filename "update.exe". Many valid programs use the process name "update.exe" to perform background software updates.[3]
  • Service Stop - Before encrypting the process, EKANS first kills the process if its name matches one of the processes defined on the kill-list.[7][4] EKANS also utilizes netsh commands to implement firewall rules that block any remote communication with the device.[8]
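Detection-side illustration of the two host indicators described above (an "update.exe" running from outside an install directory, and netsh used to set a blocking firewall policy). This is an added example, not part of the original page or of any MITRE content; the event format ("pid|image_path|command_line"), the sample lines and the trusted-path list are constructed assumptions to be tuned per environment.

```python
import re
from dataclasses import dataclass

# Constructed process-creation events in a hypothetical "pid|image_path|command_line" format.
SAMPLE_EVENTS = [
    r"1204|C:\Program Files\VendorApp\update.exe|update.exe --check",  # legitimate updater (constructed)
    r"3360|C:\Users\Public\update.exe|update.exe",                     # update.exe in a world-writable dir (constructed)
    r"3388|C:\Windows\System32\netsh.exe|netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound",
    r"3392|C:\Windows\System32\netsh.exe|netsh interface ip show config",  # benign netsh use (constructed)
]

# Directories where a legitimate update.exe is expected to live (assumption; adjust per site).
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\")

# netsh invocations that touch the host firewall and contain a block action.
NETSH_BLOCK = re.compile(r"\bnetsh\b.*\badvfirewall\b.*\bblock", re.IGNORECASE)


@dataclass
class Alert:
    pid: int
    rule: str
    detail: str


def parse_event(line):
    pid, image, cmdline = line.split("|", 2)
    return int(pid), image, cmdline


def check_masquerade(pid, image, cmdline):
    # Masquerading: process named update.exe but not launched from a trusted install path.
    name = image.rsplit("\\", 1)[-1].lower()
    if name == "update.exe" and not image.lower().startswith(TRUSTED_PREFIXES):
        return Alert(pid, "masquerade_update_exe", image)
    return None


def check_netsh_block(pid, image, cmdline):
    # Service Stop support: netsh used to install a blocking firewall policy.
    if NETSH_BLOCK.search(cmdline):
        return Alert(pid, "netsh_firewall_block", cmdline)
    return None


def scan(events):
    alerts = []
    for line in events:
        pid, image, cmdline = parse_event(line)
        for check in (check_masquerade, check_netsh_block):
            alert = check(pid, image, cmdline)
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.rule}] pid={a.pid} {a.detail}")
```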