Over the past five years, ransomware has emerged as a vexing menace that has shut down factories, hospitals, and local municipalities and school districts around the world. In recent months, researchers have caught ransomware doing something that's potentially more sinister: intentionally tampering with industrial control systems that dams, electric grids, and gas refineries rely on to keep equipment running safely.
A ransomware strain discovered last month and dubbed Ekans contains the usual routines for disabling data backups and mass-encrypting files on infected systems. But researchers at security firm Dragos found something else that has the potential to be more disruptive: code that actively seeks out and forcibly stops applications used in industrial control systems (ICS). Before starting its file-encryption operations, the ransomware kills processes whose names appear in a hard-coded list stored among the malware's encoded strings.
In all, Ekans kills 64 processes, including those spawned by human-machine interfaces from Honeywell, the Proficy Historian from General Electric, and licensing servers from GE Fanuc. The same 64 processes, it turns out, are targeted in a version of the MegaCortex ransomware. That version first came to light in August.
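The behaviour described above, a burst of terminations of HMI, historian, licensing and database processes shortly before encryption starts, is something a defender can watch for in process-exit telemetry. The following is an added example, not code from the article or from Dragos: it runs a sliding-window burst detector over constructed process-event log lines, and the watchlist names are placeholders standing in for whatever processes a given site actually runs.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed watchlist standing in for site-specific HMI, historian,
# licensing and database image names (placeholders, not Ekans's list).
WATCHLIST = {"hmi_runtime.exe", "historian_svc.exe", "license_server.exe", "sqlservr.exe"}

def parse_line(line):
    """Parse 'ISO-timestamp EVENT image' into (datetime, event, image)."""
    ts, event, image = line.split(maxsplit=2)
    return datetime.fromisoformat(ts), event, image.strip().lower()

def find_kill_bursts(lines, window_s=60, threshold=3):
    """Alert when >= threshold distinct watchlisted processes exit within
    window_s seconds. Returns a list of (time_of_alert, sorted_images)."""
    recent = deque()   # (ts, image) for watchlisted exits inside the window
    alerts = []
    for line in lines:
        ts, event, image = parse_line(line)
        if event != "PROCESS_EXIT" or image not in WATCHLIST:
            continue            # starts and unmonitored processes are ignored
        recent.append((ts, image))
        while ts - recent[0][0] > timedelta(seconds=window_s):
            recent.popleft()    # slide the window forward
        distinct = sorted({img for _, img in recent})
        if len(distinct) >= threshold:
            alerts.append((ts, distinct))
            recent.clear()      # one alert per burst, not one per extra kill
    return alerts

# Constructed log: routine single exits during the day, then a burst in
# which four monitored processes are stopped within three seconds.
SAMPLE_LOG = [
    "2020-02-03T08:00:00 PROCESS_EXIT notepad.exe",
    "2020-02-03T08:15:00 PROCESS_EXIT hmi_runtime.exe",
    "2020-02-03T10:30:05 PROCESS_EXIT historian_svc.exe",
    "2020-02-03T11:02:10 PROCESS_START sqlservr.exe",
    "2020-02-03T11:02:11 PROCESS_EXIT sqlservr.exe",
    "2020-02-03T11:02:11 PROCESS_EXIT license_server.exe",
    "2020-02-03T11:02:12 PROCESS_EXIT hmi_runtime.exe",
    "2020-02-03T11:02:14 PROCESS_EXIT historian_svc.exe",
]

def run_sample():
    return find_kill_bursts(SAMPLE_LOG)

if __name__ == "__main__":
    for when, images in run_sample():
        print(f"{when.isoformat()} burst of monitored process exits: {images}")
```

The isolated daytime exits never trip the detector; only the clustered stops do, which is the pattern that separates a pre-encryption kill sweep from routine maintenance restarts.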
By ceasing operations at hospitals, factories, and other mission-critical environments, ransomware has always represented a threat to safety. But the resulting damage remained largely contained to IT systems inside targeted networks. Unless the ransomware made an unexpected jump to ICS networks—which are usually segregated and better fortified—the likelihood of disrupting sensitive industrial systems seemed remote. In a post published on Monday, Dragos researchers wrote:
Ekans (and apparently some versions of MegaCortex) shift this narrative as ICS-specific functionality is directly referenced within the malware. While some of these processes may reside in typical enterprise IT networks, such as Proficy servers or Microsoft SQL servers, inclusion of HMI software, historian clients, and additional items indicates some minimal, albeit crude, awareness of control system environment processes and functionality.
Monday's report described Ekans's ICS targeting as minimal and crude because the malware simply kills various processes created by widely used ICS programs. That's a key differentiator from ICS-targeting malware discovered over the past few years with the ability to do much more serious damage. One example is Industroyer, the sophisticated malware that caused a power outage in Ukraine in December 2016 in a deliberate and well-executed attempt to leave households without electricity in one of the country's coldest months.
Another example is Trisis (aka Triton), which deliberately tampered with systems that were designed to prevent health- and life-threatening accidents inside a critical infrastructure facility in the Middle East. Other examples include the Stuxnet worm that targeted Iran's nuclear program a decade ago, the BlackEnergy malware used to create a regional blackout in Ukraine in December 2015 (a year before the Industroyer incident), and espionage malware known as Havex, which targeted 2,000 industrial sites with code that mapped out industrial equipment and devices.
Industroyer, Trisis, and the other examples contained code that surgically and painstakingly tampered with, mapped, or d