Ekans ransomware: features and operation

Posted date 20/08/2020
Author
INCIBE (INCIBE)

As discussed in the previous blog entries on Sodinokibi (part 1 and part 2) and NetWalker, ransomware has taken first place among cyberthreats in terms of its importance to individual users and organizations, both because of the substantial economic gain attackers obtain once the victim agrees to pay the ransom and because of the reputational damage it can cause.

Features

Ekans ransomware, initially known as Snake (not to be confused with a different malware that also used this pseudonym; see Turla APT: espionage malware, APT attack against the Swiss defense contractor RUAG, The Turla group attacks again and Turla group activity report prepared by NSA and NCSC), is a variant discovered in December 2019 that specializes in attacking industrial environments and other environments where Industrial Control Systems (ICS) are deployed. It causes the shutdown of production plants in infected industrial environments, or in other environments that rely on devices from this industrial area for their operation.

Because of its design and performance characteristics, different analysts consider it an improved development of another well-known ransomware, called Megacortex, also designed to attack ICS environments.

Ekans, which INCIBE-CERT has already reported on in the form of an ICS warning and a cybersecurity highlight, has been developed using the GoLang programming language. This language is not commonly used for developing malicious code, but attackers have recently used it more, especially in the RaaS (Ransomware as a Service) model, although this is not the case with Ekans.

Unlike other variants, this ransomware carries locally all the resources it needs to carry out data hijacking, so it does not need to connect to the outside to obtain configurations, keys or other data for its operation.

Operation

- Figure 1. Diagram of Ekans operation. -

Propagation vectors

Analyses published on different samples of this malware that have been acquired from confirmed cyberattacks show a very similar pattern of propagation and operation, with customized variations in the case of targeted attacks.

Many analysts note that most infections occur as a result of insecure RDP (Remote Desktop Protocol) settings, but it is also feasible that attackers use legitimate update packages and other software used in the industrial environment as a propagation vector, providing them interactive access to infected computers. The use of other common means of spreading malware, such as spam with malicious attachments, cannot be ruled out.

Unlike other ransomware targeting IT systems, which tries to spread as fast as possible and infect as many computers as possible, Ekans does not have replication routines in its design. To spread in the attacked infrastructure, it runs scripts that are launched when accessing the computer in interactive mode, or uses other techniques, such as scheduled tasks. Cybercriminals hope to compromise the infrastructure by leveraging the administration capabilities provided by the Windows domain, through AD (Active Directory) and other management mechanisms specific to Microsoft operating systems, to reach as many computers as possible simultaneously.

General operation

After the binary file has infected the computer, the first step is to check whether the mutex "Global\EKANS" (an identifier used by the malicious code to check whether a system has already been infected) exists on the computer. If the mutex is already present in the system, the malicious code terminates its execution and the program ends with a message telling the victim that their computer has already been encrypted. With this in mind, creating a mutex with this name in the system could be used to block infection by this malicious code.

Otherwise, if the computer has not yet been attacked, it acquires the mutex with that name and continues its execution by decrypting all the text strings used during the execution of the malicious code; each string uses a different XOR key.

The ransomware code contains an extensive blacklist with names of processes and services related to SCADA systems, ICSs, virtual machines, remote management systems, network management applications, etc., so if it finds one running, it will proceed to stop it using TerminateProcess().

The next step is to disable the Microsoft Windows snapshot service, called VSS (Volume Shadow Copy), and remove the copies for restoration, in order to prevent the recovery of encrypted files from the backup generated by the service.
Once this step is completed, the payload of this malware tries to stop all the aforementioned ICS-related processes and services, so the associated files targeted for encryption are no longer locked and can be hijacked without fail.

Files to be encrypted are located by their extension, but operating system files are excluded from encryption so as not to completely disable the computer. A fairly representative list of directories, extensions and files that should not be encrypted in the process appears below:

  • Excluded paths:
    • %SystemDrive%
      • :\$Recycle.Bin
      • :\ProgramData
      • :\Users\All Users
      • :\Program Files
      • :\Local Settings
      • :\Boot
      • :\System Volume Information
      • :\Recovery
      • AppData
      • Temp
    • %Windir%
  • Excluded extensions:
    • .docx
    • .dll
    • .exe
    • .sys
    • .mui
    • .tmp
    • .lnk
    • .config
    • .manifest
    • .tlb
    • .olb
    • .blf
    • .ico
    • .regtrans-ms
    • .devicemetadata-ms
    • .settingcontent-ms
    • .bat
    • .cmd
    • .ps1
  • Excluded files:
    • ntuser.dat
    • ntuser.ini
    • ntuser.dat.log1
    • ntuser.dat.log2
    • usrclass.dat
    • usrclass.dat.log1
    • usrclass.dat.log2
    • bootmgr
    • bootnxt
    • ntldr
    • ntdetect.com
    • boot.ini
    • bootfont.bin
    • bootsect.bak
    • desktop.ini
    • ctfmon.exe
    • iconcache.db
    • ntuser.dat
    • ntuser.dat.log
    • ntuser.ini
    • thumbs.db
    • desktop.ini
    • iconcache.db

File encryption

For the encryption process, it generates a unique 32-byte key for AES-256 in CTR mode and a 16-byte initialization vector, both randomly generated through calls to the generic cryptographic API function CryptGenRandom.

The malicious code uses GOB encoding (Go's binary serialization format) to include the encrypted AES key, the initialization vector and the filename at the end of the encrypted file. This unique file key, in turn, is encrypted with the RSA-2048 public key embedded in its own binary. The files can only be decrypted if the private key is available.

- Figure 2. Ekans' embedded RSA public key. Source: GitHub. -

Every encrypted file is marked with the text string "EKANS" at the end of the file (EKANS is SNAKE backwards). Encrypted files are renamed by adding 5 random characters at the end. The ransomware first selects all the files it wants to encrypt, encrypts them and only then proceeds to rename them. This method prevents the victim from noticing the process of hijacking their files, intervening and aborting the operation before it is completed.
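The marker and rename behaviour described above can be used for incident-response triage. The following script is an added example, not code from the original post or from any analysed sample: it flags files whose last bytes are "EKANS" and separates those already renamed from those still under their original name. The function names and the sample files are constructed, and the assumption that the 5 appended characters are ASCII letters attached directly to the old extension is a heuristic.

```python
import os
import re
import tempfile
from pathlib import Path

MARKER = b"EKANS"  # string the article says ends every encrypted file
# Assumption: the 5 appended characters are ASCII letters glued to the old extension.
RENAMED = re.compile(r"\.[A-Za-z0-9]+[A-Za-z]{5}$")


def has_marker(path):
    """Return True if the last len(MARKER) bytes of the file equal MARKER."""
    try:
        with open(path, "rb") as fh:
            fh.seek(0, os.SEEK_END)
            if fh.tell() < len(MARKER):
                return False  # too short to carry the marker
            fh.seek(-len(MARKER), os.SEEK_END)
            return fh.read(len(MARKER)) == MARKER
    except OSError:
        return False  # unreadable or locked file: cannot be confirmed here


def triage(root):
    """Split marked files into already renamed vs. still under their old name."""
    result = {"encrypted_renamed": [], "encrypted_pending_rename": []}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and has_marker(path):
            renamed = RENAMED.search(path.name) is not None
            key = "encrypted_renamed" if renamed else "encrypted_pending_rename"
            result[key].append(path.name)
    return result


def demo():
    """Triage constructed sample files (no real malware output involved)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "plan.docx").write_bytes(b"plain document")          # untouched
        (root / "hist.mdbKqZtW").write_bytes(b"\x00" * 64 + MARKER)  # marked, renamed
        (root / "tags.csv").write_bytes(b"\x01" * 64 + MARKER)       # marked, old name
        (root / "tiny.log").write_bytes(b"EK")                       # shorter than marker
        return triage(root)


if __name__ == "__main__":
    print(demo())
```

Files reported under encrypted_pending_rename carry the marker but keep their original name, which, given the order of operations described above, indicates that the rename phase had not yet run when the files were examined.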

Ransom payment

The ransom note, written in English in the newly generated file Decrypt-Your-Files.txt, is placed in two directories (one on the Windows installation root drive and one on the desktop). It reports the data hijacking and provides some details about the encryption method used, with the aim of deterring the victim from any recovery attempt by decryption. It also provides an email address to contact the hijackers, usually associated with a protonmail-type domain (an encrypted email service), which is stored in a variable that is resolved at runtime.

This email address is used by the attacker to exchange specific instructions with the victim for making the ransom payment without being exposed, since the mailboxes and messages of the service's users are encrypted end to end on the public domain.

- Figure 3. Ekans ransom note. Source: Security Boulevard. -

Persistence

There is no evidence that this malware contains any persistence routines.

Conclusions

As we have seen in this post, Ekans ransomware is specially designed to focus its attacks on ICS and the entire field related to industrial production.

As a result, the number of potential target systems is limited, but this does not diminish the importance of the threat. The interruption that it can cause, compromising critical systems in production and supply infrastructures, and affecting both the general public and different critical sectors, could have serious repercussions for the companies that suffer from it, having a serious reputational and economic impact.

We’ll continue in an upcoming blog post, in which we’ll detail the prevention, identification and response phases if you are affected by this ransomware.