1. Home
  2. Software
  3. EKANS

EKANS

EKANS is ransomware variant that first appeared in mid-December 2019. EKANS is distinct from other ransomware as it was written in Golang and aims to stop services and processes related to Industrial Control Systems.[1][2]

ID: S0605
Associated Software: SNAKEHOSE
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 12 February 2021
Last Modified: 13 October 2021

Associated Software Descriptions

Name Description
SNAKEHOSE

[3]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1486 Data Encrypted for Impact

EKANS uses standard encryption library functions to encrypt files.[1][2]
Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

EKANS stops processes related to security and management software.[1][3]
Enterprise T1490 Inhibit System Recovery

EKANS removes backups of Volume Shadow Copies to disable any restoration capabilities.[1][2]
Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

EKANS has been disguised as update.exe to appear as a valid executable.[1]
Enterprise T1027 Obfuscated Files or Information

EKANS uses encoded strings in its process kill list.[3]

Enterprise T1057 Process Discovery

EKANS looks for processes from a hard-coded list.[1][3][4]
Enterprise T1489 Service Stop

EKANS stops database, data backup solution, antivirus, and ICS-related processes.[1][3][2]
Enterprise T1016 System Network Configuration Discovery

EKANS can determine the domain of a compromised host.[4]
Enterprise T1047 Windows Management Instrumentation

EKANS can use Windows Mangement Instrumentation (WMI) calls to execute operations.[1]

References

  1. Dragos. (2020, February 3). EKANS Ransomware and ICS Operations. Retrieved February 9, 2021.
  2. Hinchliffe, A. Santos, D.. (2020, June 26). Threat Assessment: EKANS Ransomware. Retrieved February 9, 2021.
  1. Zafra, D., et al. (2020, February 24). Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT. Retrieved March 2, 2021.
  2. Singleton, C. and Kiefer, C. (2020, September 28). Ransomware 2020: Attack Trends Affecting Organizations Worldwide. Retrieved September 20, 2021.