New ransomware targets industrial control systems
2020-02-04 13:48

With the ransomware threat surging unstoppably over the last few years, it was just a matter of time until ICS-specific ransomware became a reality.

"While all indications at present show a relatively primitive attack mechanism on control system networks, the specificity of processes listed in a static 'kill list' shows a level of intentionality previously absent from ransomware targeting the industrial space," Dragos researchers pointed out.

Analyzed by researchers from the MalwareHunterTeam, SentinelOne and Dragos, the EKANS ransomware presents many characteristics of general-purpose ransomware targeting Windows-based systems: when delivered on target systems, it first checks whether it's already present; if not, it forcefully stops a long list of processes, then begins executing encryption operations and removes Volume Shadow Copy backups on the victim machine.

"ICS products referenced include numerous references to GE's Proficy data historian, with both client and server processes included. Additional ICS-specific functionality referenced includes GE Fanuc licensing server services and Honeywell's HMIWeb application. Remaining ICS-related items consist of remote monitoring or licensing server instance such as FLEXNet and Sentinel HASP license managers and ThingWorx Industrial Connectivity Suite."

EKANS isn't capable of injecting commands into or manipulating ICS-related processes, so its destructive capabilities are limited to making administrators lose view of what's happening with control systems and on the network.


News URL

http://feedproxy.google.com/~r/HelpNetSecurity/~3/RnxPYYVo6xs/