top of page
Search
devalethoworna

New Ransomware Ekans – Expert Analysis of How It Differs from Other Malware Strains



NIST provides guidance around detecting and recovering from ransomware, including an architecture for integrity mechanisms all the way down to the firmware layer, along with network baselining and monitoring, logging, analysis, reporting and forensics.


Honda, the Japanese car manufacturer reported hackers are breaking into their networks. The cyber-attacks in its base have interrupted some of its operations as well as outside Japan. Honda production plants in Ohio and Turkey went offline Tuesday, June 9 after a cyber-attack compromised several facilities of the Japanese automaker. While experts on cybersecurity claim a ransomware-attack is most likely to blame, it's uncertain whether the attack targeted information technology systems or the industrial control systems themselves.




New Ransomware Ekans – Expert Analysis



Some cybersecurity experts have said that the Ekans ransomware (shown in figure 1) has compromised the servers. Ekans Ransomware is designed to infect networks of industrial control systems. The organization even sent its employees home early, which means the workflow was arrested for sure.


After studying the EKANS Ransomware, cybersecurity experts have found that this Trojan is rather similar to a ransomware threat deployed in 2019 dubbed Megacortex. The Megacortex threat is believed to originate from the United Kingdom as its creators had referenced various stores located in the city of Sunderland. Going even further into the rabbit hole, the Megacortex malware is likely linked to another threat called Reitspoof that was being propagated via spam messages on Skype in 2019. However, some malware researchers suspect that this may be a complex operation carried out by a state-sponsored hacking group, and the links to the previously mentioned threats might have been placed on purpose to mislead analysts.


Cybersecurity experts all agree that ransomware attacks are only going to accelerate and could represent an increased threat to IoT devices in 2020 and beyond. The recent headline making cyber-attack at Honda illustrates this alarming trend. Why?


In a comparison of malware samples targeting Honda and Enel posted online, Malwarebytes Labs found that the incidents may be tied to the EKANS/SNAKE ransomware family. EKANS includes not only traditional file encryption and ransomware note features, but also additional functionality that forcibly stops ICS-related (industrial control system) operational processes, according to a Dragos analysis. That could explain why this particular type of ransomware targeted both manufacturing and energy plants (Honda and Edesur).


By integrating automated threat detection, correlation, analysis, hunting, response and remediation all in one platform, you can ease the burden on your limited IT or security staff, while detecting any indications of ransomware early enough to contain its impact on your company.


Specifically concerning execution and impact of ransomware binaries themselves, from the simplified tests we performed here, it appears that there is likely a great deal of data available for potential analysis and detection/alerting within East-West network exchanges, and also within the endpoint computing devices themselves...


X-Force analysis of public breach data indicates that ransomware-related data leaks made up 36 percent of public breaches in 2020. Last year, thirty-three percent of the attacks on government organizations were ransomware attacks, with nearly 50 percent of ransomware attacks that X-Force observed on government entities in 2020 from Sodinokibi threat actors.


Sodinokibi is a complex ransomware strain with many different features that the group continues to add to all the time. This latest version added the new SafeMode feature which is a smart way to bypass AV. There is definitely a lot to write about when it comes to this ransomware, and unfortunately, I could not cover it all in a single post. If you have any questions or comments about this analysis, feel free to reach out to me on my Twitter or LinkedIn.


On 8 June 2020, security researcher Vitali Kremez reported that two new samples of the Ekans ransomware have been uploaded to VirusTotal. Based on strings inside the malware samples, it was suspected that Honda Motor Company, Ltd and a subsidiary of Enel Group were the victims. It was later confirmed by Honda and Edesur, the affected subsidiary of Enel Group. The malware was first reported publicly in January 2020 and has been used by the threat actor since mid-December 2019. What makes the ransomware different from other strains is that it is being used to target manufacturers and ICS companies.Recommendation: Ransomware can potentially be blocked by using endpoint protection solutions. Always keep your important files backed up. In the case of ransomware infection, the affected system must be wiped and reformatted. Other devices on the network should be checked for similar infections. Always check for a decryptor before considering payment; avoid payment at all costs. Ransomware should be reported to law enforcement agencies who are doing their best to track these actors and prevent ransom from being a profitable business for cyber criminals.MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486Tags: ekans, snake, ransomware


Researchers said that obfuscated malware written in Go is rare, but has been seen before. The ransomware strain called EKANS, which is an ransomware variant written in Golang, was previously uncovered using the same obfuscation method as Blackrota, for instance. Researchers warned that these new types of malware will create a headache for security defenders moving forward when it comes to analysis and detection.


The emergence of new strains has slowed down, but ransomware has gone nuclear and is getting much more sophisticated. In the early days, hackers mostly targeted consumers, and it would encrypt immediately upon executing. Later on, ransomware gangs realized they would make a lot more money targeting businesses. At first they would spread like a worm through organizations, collecting credentials and encrypting files along the way. Threat actors are now a lot more intelligent in their approach. Once they've gotten in, the malware 'dials home' so that the hacker can do a full analysis on which data is most valuable to their victim, how much they can realistically ask for, and what can they encrypt that will get them a payday sooner.


July 2017 - F-Secure labs uncovered chat sessions in which a ransomware support agent claimed they were hired by a corporation for targeted operations. Later analysis/metadata research confirmed that this tactic was used with another variant, and the follow-up attack targeted IP lawyers that was seemingly aimed at disrupting their business operations.


A new ransomware-as-a-service dubbed GandCrab showed up mid-month. This is the most prominent ransomware of 2018, infecting approximately 50,000 computers, most of them in Europe, in less than a month asking each victim for ransoms between $400 and $700,000 in DASH cryptocurrency. Yaniv Balmas, a security researcher at Check Point compares GandCrab to the notorious Cerber family, and the expert also added that GandCrab authors are adopting a full fledged agile software development approach, the first time in ransomware history. More technical details at the Security Affairs blog.


A new threat intelligence report on doxxing, researched by cybersecurity experts at Kivu, reveals that the majority of attacks occur in the U.S., with companies in the consumer sector being more likely to fall victim to such an attack. Kivu analyzed the geographic and industry-based metrics of over 140 ransomware victims who were doxxed between February 1, 2020 and May 1, 2020. During this period, Kivu found that 55 percent of victims were based in the US, which is a stark departure from several 2019 reports that stated ransomware affects other regions of the world more frequently.


This training is a unique opportunity for established reverse engineers, security researchers and malware analysts seeking toupgrade their skills, to join Kaspersky GReAT experts in real-time full-scale analysis of malware samples recently used in the wild.Participants will be guided by our researchers during the whole training and will follow them step-by-step in a dedicated virtuallab.


On the second day, the training participants will dive into a Golang malware sample analysis with Igor Kuznetsov. They will startwith a quick overview of a typical Golang binary by analyzing a go-socks5-based proxy, widely used by both red teamprofessionals and malicious actors. Then, trainees will practice automating string decryption by analyzing and processing asample of Snake (EKANS) ransomware that was used in targeted attacks against industrial companies.


Igor specializes in investigating malware campaigns and reverse engineering advanced malware. His areas of expertise includecyber-espionage and highly-targeted attacks, advanced threat actors and APTs; cyber-warfare, cyber-weapons such as Stuxnet,Duqu, Flame, Gauss; ATM security.Igor regularly provides training sessions on advanced malware analysis.


As the ongoing COVID-19 pandemic continues to place unprecedented strain on global healthcare infrastructure, attackers are finding what was already an attractive target even more enticing. This unfortunate scenario has greatly expanded the attack surface for these malicious parties with the introduction of greater demand for remote services like telehealth, COVID-19 contact tracing app data, demand from medical manufacturing companies, and a race for medical research facilities to find a cure. An analysis of publicly disclosed breach data by the Tenable Security Response Team (SRT) reveals 237 breaches in the healthcare sector in the calendar year 2020. And the activity looks set to continue unabated in 2021, with 56 breaches already disclosed as of February 28. One finding is clear: ransomware attacks are not going away anytime soon. 2ff7e9595c


2 views0 comments

Recent Posts

See All

Comments


bottom of page