Over the past few months, manufacturers around the globe shut down offices and plants in accordance with lockdown measures due to the COVID-19 pandemic. The recent ransomware attack that impacted Enel’s internal network highlights that critical infrastructure is incredibly vulnerable to ransomware attack because there is often no other choice but to pay the ransom in order to continue providing a vital service. Fortunately Enel was able to limit the spread of malware, however future enterprises may not be so lucky. One of the things that sets the EKANS malware, which was reportedly used in the Enel ransomware attack, apart is a relatively high amount of manual effort/targeting typically involved in the operator placement activity, which can sometimes enable them to have a bigger impact on the victims. The same malware was recently used on a ransomware attack against car manufacturer Honda. With some of the recent attacks observed, it appears that the malicious threat actors are expanding the list of targets to manufacturing and critical infrastructure. While the attack behaviors used by the malicious ransomware payload itself are fairly trivial, the Golang-based payload encryption process, and also the list of processes that are terminated to maximise the ability of the ransomware to encrypt sensitive data and impact the targets appear to be longer that some of the other ransomware instances observed, and some of the past instances of the malware family also included impacting processes from the ICS/SCADA/OT environments, which is uncommon for ransomware.  Read Less

First public mentions of EKANS ransomware date back to January 2020, with security researcher Vitali Kremez sharing information about a new targeted ransomware written in GOLANG. The group appears to have a special interest for Industrial Control Systems (ICS), as detailed in this blog post by security firm Dragos. On June 8, a researcher shared samples of ransomware that supposedly was aimed at Honda and ENEL INT. When we started looking at the code, we found several artefacts that corroborate this possibility. Both companies had some machines with Remote Desktop Protocol (RDP) access publicly exposed. RDP attacks are one of the main entry points when it comes to targeted ransomware opertaions. However, we cannot say conclusively that this is how threat actors may have gotten in. Ultimately, only a proper internal investigation will be able to determine exactly how the attackers were able to compromise the affected networks. Ransomware gangs have shown no mercy, even in this period of dealing with a pandemic. They continue to target big companies in order to extort large sums of money. RDP has been called out as some of the lowest hanging fruit preferred by attackers. However, we also recently learned about a new SMB vulnerability allowing remote execution. It is important for defenders to properly map out all assets, patch them, and never allow them to be publicly exposed.  Read Less