Security News

EKANS also uses another trick to ratchet up the pain: It's designed to terminate 64 different software processes on victim computers, including many that are specific to industrial control systems. That allows it to then encrypt the data that those control system programs interact with.

Australian transportation and logistics firm Toll Group has confirmed that it sustained a ransomware attack earlier this month that forced to company to shut down several systems and led to delays in deliveries across the country. While Toll Group continues to recover from the ransomware attack that started Jan. 31, the firm has now deliberately shut down several systems, including customer-facing applications, as a precautionary measure to ensure that the malware does not spread, according to a statement released Tuesday.

Ekans, a recently discovered ransomware variant that's designed to target industrial control systems, appears to have some of the same characteristics found in Megacortex, malware that struck several high-profile targets in 2019, according to the security firm Dragos. It's also not clear whether the developers behind Eknas plan to target a region or specific organizations that use industrial controls systems, such as oil and gas firms, electric utilities or manufacturing facilities, according to the Dragos report.

Spray-and-pray tactics that once had malware attack numbers soaring have since been abandoned for more targeted and evasive methods aimed at weaker victims. While total ransomware volume dipped 9% for the year, highly targeted attacks left many state, provincial and local governments paralyzed and took down email communications, websites, telephone lines and even dispatch services.

Australian transportation and logistics giant Toll Group said a ransomware attack is to blame for several key services being debilitated and delivery operations being delayed over the past week. In the aftermath of the company first being hit by the ransomware attack on Friday, customers were reporting an impact on operations across Australia, India and the Philippines.

"If the organization still doesn't pay, the remaining data is published, sometimes on a staggered basis. The group has also published data in Russian hacker forums with a note to 'use this information in any nefarious ways that you want.' In other words, it's highly likely that more of the firms' data will be published unless they pay." Threatening to dump exfiltrated data is merely the latest in a long line of ransomware gang innovations, which took a major leap forward four years ago, with a watershed, targeted attack against Hollywood Presbyterian Medical Center by the SamSam gang, says security researcher Vitali Kremez, who heads SentinelLabs for security firm SentinelOne.

With the ransomware threat is surging unstoppably in the last few years, it was just a matter of time until ICS-specific ransomware became a reality. "While all indications at present show a relatively primitive attack mechanism on control system networks, the specificity of processes listed in a static 'kill list' shows a level of intentionality previously absent from ransomware targeting the industrial space," Dragos researchers pointed out.

A further education college in east Scotland has been struck by what its principal described as a cyber "Bomb" in an apparent ransomware attack so bad that students have been told to stay away and reset passwords en masse. Dundee and Angus College told students not to turn up after the ransomware seemingly downed the entire institution's IT systems.

Australian transportation and logistics giant Toll Group was forced to shut down some of its online services in response to a ransomware attack and customers are not happy with the way the company has handled the incident. A notice posted on the Toll website to inform customers about the incident promised regular updates, but many were displeased with the fact that the first update came only several days later.

"We are more interested in ransomware that models behavior that we saw in the WannaCry attacks, where ransomware can exploit a vulnerability and propagate across a network," Ekstrom, who helped work on the documents, tells Information Security Media Group. One significant reason why NIST created these practice guidelines now is that the nature of ransomware has changed over the last two years, Ekstrom says.