Only a few times in the history of hacking has a piece of malicious code been spotted attempting to meddle directly with industrial control systems, the computers that bridge the gap between digital and physical systems. Those rare specimens of malware have destroyed nuclear enrichment centrifuges in Iran and caused a blackout in Ukraine. Now, a malware sample has surfaced that uses specific knowledge of control systems to target them with a far blunter, and more familiar, tactic: Kill the target’s software processes, encrypt the underlying data, and hold it hostage.
Over the last month, researchers at security firms including Sentinel One and Dragos have puzzled over a piece of code called Snake or EKANS, which they now believe is specifically designed to target industrial control systems, the software and hardware used in everything from oil refineries to power grids to manufacturing facilities. Much like other ransomware, EKANS encrypts data and displays a note to victims demanding payment to release it; the name comes from a string it plants as a file marker on a victim computer to identify that its files have already been encrypted.
But EKANS also uses another trick to ratchet up the pain: It’s designed to terminate 64 different software processes on victim computers, including many that are specific to industrial control systems. That allows it to then encrypt the data that those control system programs interact with. While crude compared to other malware purpose-built for industrial sabotage, that targeting can nonetheless break the software used to monitor infrastructure, like an oil firm’s pipelines or a factory’s robots. That could have potentially dangerous consequences, like preventing staff from remotely monitoring or controlling the equipment’s operation.
EKANS is actually the second ransomware to hit industrial control systems. According to Dragos, another ransomware strain known as Megacortex that first appeared last spring included all of the same industrial control system process-killing features, and may in fact be a predecessor to EKANS developed by the same hackers. But because Megacortex also terminated hundreds of other processes, its industrial-control-system targeted features went largely overlooked.
It’s not yet clear if responsibility for the industrial-targeted ransomware lies with state-sponsored hackers—seeking to create disruption and cover their tracks with a ransomware ruse—or actual cybercriminals seeking to make a profit. But Vitali Kremez, a researcher at Sentinel One who first publicized the discovery of EKANS earlier this month along with a group of researchers known as Malware Hunter Team, argues that industrial control systems make natural targets for ransomware attackers. Like hospitals and governments, they have a disproportionate amount to lose if they go offline.
“These industrial control system machines are some of the most high-value targets,” says Kremez. “There’s lots of urgency, and data availability is at the core of the mission. So there’s a lot of incentive to pay the attackers.”
Industrial firms have certainly been hit with run-of-the-mill Windows-focused ransomware in the past, such as the disastrous cyberattack on Norwegian aluminum firm Hydro Norsk last year. But EKANS and Megacortex go a step further, into the technical guts of industrial control systems. Among the dozens of processes it terminates are those used by GE’s Proficy software—a “data historian” program that keeps records of operational information in industrial settings—as well as the mechanism that checks for a customer’s paid license for GE’s Fanuc automation software, the monitoring and management software Thingworx, and a control interface program sold by Honeywell.
“By virtue of taking out this functionality, you won’t necessarily cause the plant to come to a screeching halt, but you’ll decrease the victim’s visibility and understanding of their environment,” says Joe Slowik, a researcher who analyzed the EKANS and Megacortex malware for ICS security firm Dragos. But Slowik also notes that it’s not easy to predict how GE’s Fanuc software handles a disruption of its licensing checks, which depend on the industry and specific customer setup. If the automation software is configured such that it can’t function without a license, that could lead to more serious consequences. “If killing the licensing server results in operators no longer being able to operate certain machines, that could produce a loss-of-control situation that could become dangerous,” Slowik says.
Sentinel One says the list of EKANS victims likely includes Bapco, Bahrain’s national oil company. The security firm received a copy of the EKANS malware from a customer in the Middle East, who had obtained it from another organization’s infected network in Bahrain, Sentinel One’s Kremez says. And at least one version of the ransom message displayed by the malware asks victims to email the extortionists at the address email@example.com. (Bapco didn’t respond to WIRED’s request for comment.) But Dragos’ Slowik points out that Fanuc automation software targeted by EKANS is typically used to manage equipment in manufacturing facilities, not oil firms. “This implies there are other victims out there,” Slowik says.