Encrypt or Be Encrypted: Mysterious Ransomware Attacks OT
August 27, 2020 | Robert Bergman
A second piece of ransomware code designed to target industrial control systems has emerged. Similar to the MegaCortex malware that hit last year, it enters through an email attachment and holds victims hostage until they pay a hefty fee in Bitcoin. Called EKANS (snake spelled backward) or just SNAKE, it targets OT software processes, encrypts the underlying data and holds that data hostage. But unlike most other OT-related malware, which is designed to disrupt processes, often for political purposes, EKANS seems more about extorting payment.
Wired magazine reports that EKANS is targeted specifically at industrial control systems and is designed to terminate 64 different software processes on victims’ computers, including many that are specific to industrial control systems. It then encrypts the data with which the control systems interact.
“While crude compared to other malware purpose-built for industrial sabotage, that targeting can nonetheless break the software used to monitor infrastructure, like an oil firm’s pipelines or a factory’s robots. That could have potentially dangerous consequences, like preventing staff from remotely monitoring or controlling the equipment’s operation,” writes Wired author Andy Greenberg.
According to industrial cybersecurity firm Dragos, which analyzes malware and adversary activities and generates threat analyses, at least three companies have been hit since Vitali Kremez and the MalwareHunter team brought EKANS to light earlier this year. The Fresenius Group (health care), Honda (automotive) and Enel Group (energy) have experienced “attempted intrusions, if not outright disruption” related to EKANS ransomware. And ISSSource.com reports this month that Brown-Forman Corp, maker of Jack Daniel's and Finlandia, was hit by EKANS but managed to fight it off.
The articles referenced above close with some tips for how you can avoid becoming a victim of industrial ransomware, including having a robust disaster recovery and business continuity strategy that includes multiple backups, ensuring that the latest vendor patches and bug fixes are applied, keeping anti-virus software up to date, enforcing rigid policies regarding downloading and attachments, and contacting authorities before paying the ransom.
Of course, the best way to avoid ransomware attacks on process data is to make it all but impossible for hackers to access that data. If cyber security is properly integrated into the electronics of your industrial control systems, they would run complex authentication routines to validate any process trying to access them. And in the rare event that an attacker gets past that, they should find that operational data is already heavily encrypted in ways well beyond the capacity of even the most powerful computing resources available today.
For more information on the benefits of built-in cyber security, download our white paper, Intrinsic Cyber Security Fundamentals.