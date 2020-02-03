Only a few times in the history of hacking has a piece of malicious code been discovered that tries to interfere directly with industrial control systems, the computers that bridge the gap between digital and physical systems. Those rare specimens of malware destroyed nuclear enrichment centrifuges in Iran and caused a blackout in Ukraine. Now a malware sample has surfaced that uses specific knowledge of control systems to target them with a much blunter and more familiar tactic: kill the target's software processes, encrypt the underlying data, and hold it hostage.

Over the past month, researchers from security companies including SentinelOne and Dragos have been puzzling over a piece of code called Snake or EKANS, which they now believe is designed specifically for industrial control systems, the software and hardware used in everything from oil refineries to power grids to manufacturing facilities. Like other ransomware, EKANS encrypts data and displays a note to victims demanding payment to release it; the name comes from a string the malware plants as a file marker on a victim machine to indicate that its files have already been encrypted.

“These industrial control systems are some of the most valuable targets.”

Vitali Kremez, SentinelOne

But EKANS also uses another trick to deepen the pain: it is designed to terminate 64 different software processes on victim machines, including many specific to industrial control systems. Having killed them, it can then encrypt the data those control-system programs interact with. Though crude compared with other malware purpose-built for industrial sabotage, that targeting can still disrupt the software used to monitor infrastructure, such as an oil company's pipelines or a factory's robots. That can have potentially dangerous consequences, such as preventing staff from remotely monitoring or controlling equipment.

EKANS is in fact the second known ransomware to target industrial control systems. According to Dragos, another strain known as MegaCortex, which first appeared last spring, included all of the same industrial-control-system process-killing features and may have been a precursor to EKANS developed by the same hackers. But because MegaCortex also terminated hundreds of other processes, its industrial-control-system functions were largely overlooked.

It is not yet clear whether industrially targeted ransomware is the work of state-sponsored hackers, who want to cause disruption under the cover of a ransomware attack, or of actual cybercriminals seeking profit. But Vitali Kremez, a researcher at SentinelOne who, together with a group of researchers known as MalwareHunterTeam, first published the discovery of EKANS earlier this month, argues that industrial control systems are natural targets for ransomware attackers. Like hospitals and governments, they have a disproportionate amount to lose when they go offline.

Industrial companies have certainly been hit before by more conventional Windows-focused ransomware, such as the devastating attack on Norwegian aluminum company Norsk Hydro last year. But EKANS and MegaCortex go a step further, into the technical guts of industrial control systems. Among the dozens of processes they terminate are those used by GE's Proficy software, a “data historian” that keeps records of operational data in industrial settings, as well as the mechanism that checks a customer's paid license for GE's Fanuc automation software, ThingWorx monitoring and management software, and a control interface program sold by Honeywell.

“By turning off this functionality, you don't necessarily have to stop the plant, but you reduce the victim's visibility into and understanding of their environment,” says Joe Slowik, a researcher who analyzed the EKANS and MegaCortex malware for ICS security firm Dragos. But Slowik also notes that it is not easy to predict how GE's Fanuc software will handle a disruption of its license checks, which depends on the industry and the customer's specific configuration. If the automation software is configured such that it cannot function without a license, the consequences could be more serious. “If killing the license server means that operators can no longer operate certain machines, this can cause a loss of control that can become dangerous,” says Slowik.
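As an added example (not code from the article, WIRED, Dragos or SentinelOne), here is the check a defender could run over process-termination telemetry to catch the pattern described in this passage and in the earlier one about the 64-process kill list: several ICS-related processes dying within seconds of each other, scored by whether a license check or operator interface was among them. The process image names, hostnames and log records are constructed placeholders; the article names the affected products but not their executable names, so a real deployment would take the watchlist from a known-good host.

```python
"""Watchdog for burst terminations of ICS-related processes.

Added example for this article, not code from WIRED, Dragos or SentinelOne.
All process names and log records below are constructed placeholders: the
article says EKANS kills 64 processes including a GE Proficy historian,
a GE Fanuc license-checking component, ThingWorx and a Honeywell HMI, but
does not list image names, so the names here stand in for a site's own
baseline and must be replaced with ones taken from a known-good host.
"""
from collections import defaultdict

# Constructed watchlist: process image name -> role on the host.
# The role drives the severity wording, following Slowik's distinction
# between loss of view (historian) and loss of control (license server/HMI).
WATCHLIST = {
    "historian.exe": "historian",        # placeholder for a data historian
    "licserver.exe": "license-server",   # placeholder for a license checker
    "hmi_runtime.exe": "hmi",            # placeholder for an operator interface
    "opcserver.exe": "opc",              # placeholder for an OPC data server
}

# Constructed process-termination telemetry, e.g. what Sysmon Event ID 5
# (ProcessTerminate) yields once parsed: (epoch_seconds, host, image).
EVENTS = [
    (1000, "eng-ws-01", "notepad.exe"),
    (1001, "eng-ws-01", "historian.exe"),
    (1001, "eng-ws-01", "licserver.exe"),
    (1002, "eng-ws-01", "hmi_runtime.exe"),
    (1003, "eng-ws-01", "opcserver.exe"),
    (1004, "eng-ws-01", "chrome.exe"),
    (5000, "eng-ws-02", "historian.exe"),  # one crash in isolation: not a burst
    (9000, "eng-ws-03", "licserver.exe"),  # ordinary license-server restart
]


def burst_terminations(events, watchlist, window_s=10, threshold=3):
    """Return {host: [images]} for hosts where at least `threshold` watchlisted
    processes terminated inside some `window_s`-second window.

    A single historian crash is routine; several ICS processes dying within
    seconds of each other is the pattern a hardcoded kill list produces.
    """
    per_host = defaultdict(list)
    for ts, host, image in events:
        if image.lower() in watchlist:
            per_host[host].append((ts, image.lower()))

    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until the span is <= window_s.
            while hits[end][0] - hits[start][0] > window_s:
                start += 1
            span = hits[start:end + 1]
            # Keep the largest qualifying window seen for this host.
            if len(span) >= threshold and len(span) > len(alerts.get(host, [])):
                alerts[host] = [image for _, image in span]
    return alerts


def severity(images, watchlist):
    """Killing a license check or HMI risks loss of control (operators may be
    unable to run machines); killing only historians or data servers is loss
    of view."""
    roles = {watchlist[i] for i in images}
    if roles & {"license-server", "hmi"}:
        return "loss-of-control-risk"
    if roles:
        return "loss-of-view"
    return "none"


def assess(events=EVENTS, watchlist=WATCHLIST):
    """Run the detection over the telemetry and attach a severity per host."""
    return {
        host: {"killed": images, "severity": severity(images, watchlist)}
        for host, images in burst_terminations(events, watchlist).items()
    }


if __name__ == "__main__":
    for host, result in assess().items():
        print(f"{host}: {result['severity']} ({', '.join(result['killed'])})")
```

On the constructed telemetry only eng-ws-01 trips the detection: four watchlisted processes terminate within two seconds, and because the license checker and HMI are among them the alert is graded as a loss-of-control risk rather than merely loss of view. The isolated terminations on the other two hosts stay below the threshold, which is the point of keying on a burst rather than on any single process exit.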

EKANS could be a sign that industrial hacking tactics are spreading to ordinary criminals.

SentinelOne says the list of EKANS victims likely includes Bapco, Bahrain's national oil company. The security firm received a copy of the EKANS malware from a customer in the Middle East, who had obtained it from the infected network of another organization in Bahrain, says SentinelOne's Kremez. And at least one version of the ransom note displayed by the malware asks victims to email the extortionists at [email protected] (Bapco did not respond to WIRED's request for comment.) But Dragos's Slowik points out that the Fanuc automation software EKANS targets is generally used to manage equipment in manufacturing facilities, not oil companies. “That means there are other victims,” says Slowik.

