A new ransomware family, Ekans, has been created specifically to target Windows systems used within industrial control systems (ICS). Below, security experts provide their analysis of this new ransomware.
Ransomware is continuing its evolution and now impacts ICS systems and networks. The additional services it targets are programs needed for the ICS system to operate effectively. With the ransomware programmed to kill those services, this presents a new twist: the systems are made unavailable before the encryption process starts.
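As an added example (not from the article or any of the quoted experts), a small Python detector for the behaviour described above: a burst of Windows Service Control Manager "entered the stopped state" events (Event ID 7036) within a short window, which is what killing many services just before encryption would look like in the System log. The log lines and service names are constructed; the pipe-delimited format is an assumption of this example, not a Windows export format.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample System-log lines in "timestamp|event_id|message" form.
# Event ID 7036 is the Service Control Manager state-change event.
SAMPLE_LOG = """\
2020-02-03T10:00:01|7036|The Print Spooler service entered the running state.
2020-02-03T10:15:00|7036|The ConstructedHistorian service entered the stopped state.
2020-02-03T10:15:01|7036|The ConstructedOpcServer service entered the stopped state.
2020-02-03T10:15:01|7036|The ConstructedBackupAgent service entered the stopped state.
2020-02-03T10:15:02|7036|The ConstructedAvMonitor service entered the stopped state.
2020-02-03T10:15:03|7036|The ConstructedDbService service entered the stopped state.
2020-02-03T11:30:00|7036|The Windows Update service entered the stopped state.
"""

SUFFIX = " service entered the stopped state."


def parse_stops(log_text):
    """Yield (timestamp, service_name) for every 7036 'stopped state' line."""
    for line in log_text.splitlines():
        ts, event_id, msg = line.split("|", 2)
        if event_id == "7036" and msg.endswith(SUFFIX):
            yield datetime.fromisoformat(ts), msg[len("The "):-len(SUFFIX)]


def find_stop_bursts(log_text, window_seconds=60, threshold=5):
    """Slide a time window over stop events; return (first_ts, [services])
    for each burst of at least `threshold` distinct services stopping
    within `window_seconds`. A single routine stop never triggers."""
    bursts = []
    window = deque()
    for ts, name in parse_stops(log_text):
        window.append((ts, name))
        # Drop events that fell out of the window.
        while ts - window[0][0] > timedelta(seconds=window_seconds):
            window.popleft()
        names = sorted({n for _, n in window})
        if len(names) >= threshold:
            bursts.append((window[0][0], names))
            window.clear()  # report each burst once
    return bursts


if __name__ == "__main__":
    for first_ts, names in find_stop_bursts(SAMPLE_LOG):
        print(f"{first_ts.isoformat()}: {len(names)} services stopped: {names}")
```

Tune the threshold and window to the host's normal maintenance pattern (patch reboots stop many services too), and correlate with file-rename or volume-shadow-copy activity before treating a burst as ransomware.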
Knowing that ransomware enters a network via an end user clicking on a phishing link through their email system, it is very important for an ICS environment to be configured so that it is not directly connected to the internet. It’s also crucial to ensure that no email clients operate on these systems. It is best practice to make sure that the critical ICS systems are behind multiple levels of firewalls, thus fully utilizing defense in depth. If the ICS systems sit on a flat network, it exponentially increases the risk of it becoming infected, reducing availability and productivity of products or services and potentially damaging the reputation of the organization.
While focusing on the technology of a product to monitor and detect the malware, it’s critical to consider that organizations should have an engaging and educational security awareness training program to help their operators, employees and executives be aware. They should be educated on current phishing attacks and the steps they need to take to prevent a ransomware attack from launching on their network.
Attacks on ICS that have been used in the past primarily by nation-state actors also serve in the hands of cyber-criminals. The ability to isolate ICS from any attack vector – software, hardware or network – is key to keeping these systems safe. The challenge our customers are facing is how to comply with these guidelines without making ICS operators’ lives impractical. This is even more painful when ICS are mobile and have to be carried around by their operators in addition to the PCs they use for their other day-to-day chores, such as corporate email and Internet access. We are helping our customers maintain the much-needed isolation while staying productive.
The Ekans ransomware is another unmissable milestone in the world of malware. Targeting Windows systems used within industrial control systems, it shows that the cybercriminals are moving away from the ‘spray and pray’ tactic, instead putting laser focus on organisations that have a critical role in the nation’s infrastructure. This is concerning, as it means attackers are investing more time and resources into breaching the defenses of a few companies, akin to state-sponsored attacks, which makes them more likely to succeed.
While it is still not overly clear how Ekans is distributed, it’s thought that attackers need to access networks before it can be deployed. As such, combatting this type of malware requires complete visibility into an organization’s data flow, as well as a trained human firewall that understands how cybercriminals can attempt to manipulate them into downloading files and clicking on links. A few days ago, it was reported that the Emotet trojan was spreading through Japan within emails containing false news about the Coronavirus infecting citizens quickly and the ‘urgent’ steps to take – cyber criminals really will stoop to any level to get into networks. When employees know that any link could result in malware, it may make them stop and think for that split second longer and delete.