Ekans ransomware: prevention, detection and response
In the first part dedicated to Ekans ransomware we introduced its main features and explained its operation. Now we’re going to dig deeper into other important aspects.
Prevention
The best way to protect ourselves from any malware cyberattack is prevention. The most useful and effective recommendations and good practices to prevent computers from being infected with ransomware, or to mitigate the negative effects if it happens, are the following:
- Keep applications and the operating system updated. As far as the characteristics and operation of SCADA systems allow, regularly apply the patches and updates that operating system and software manufacturers periodically release to fix the vulnerabilities that malware exploits in order to spread and run on computers.
- Make backups often and keep them on offline media (offline backup), such as removable hard disks. Thus, the information is beyond the reach of a possible infection and can be recovered safely. Backups should also include the configurations of the computers.
- Principle of least privilege. Avoid using accounts with administrator privileges on the computers. Give ICS operators only the minimum permissions required to run their programs and carry out their activities, and treat service accounts the same way. This way, if the malware is executed, the changes and actions it can attempt on the infected computer are limited. Most threats against Windows can be prevented by using non-privileged credentials.
- Keep antivirus software always updated and running. Whenever possible, antivirus software should be installed and maintained in ICS (Industrial Control Systems), as they stop most actions attempted by any type of suspicious software. Its deactivation leaves the door open to the propagation and execution of malicious code. Likewise, the antivirus program’s effectiveness is directly related to updating its malicious code signatures, so a procedure for automatically updating recognition patterns must be implemented.
- Minimize exposure. Avoid, or at least limit, exposing the production plant's ICS to the outside, by not allowing external access or, where it is necessary, by using a secure VPN system that grants access exclusively to the applications and services that are strictly necessary.
- OT network segregation. By properly separating the environments, we can prevent the spread of malware from the IT environment to the interconnected devices in the OT network. The segmentation of subnets in this environment, in turn, can stop the distribution of malware and other attacks directed at SCADA devices.
- Strengthening remote access security. The execution of this ransomware requires action from an operator. It is necessary to strengthen the security of remote access enabled on computers, mainly those with an Internet presence, by limiting the user accounts that can perform such access, defining a strong password for these accounts and using a second factor on all remote accesses.
- Monitoring. Analyze network traffic to have an early warning mechanism for identifying unknown executable file transfers within the network. SCADA network traffic is highly distinctive, so the circulation of suspicious files is relatively easy to spot.
- Raising awareness. People who manage and operate SCADA systems must be very aware of the risk posed by malware and have clear guidelines for identifying suspicious software that may be the cause of possible infections and attacks.
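The "Monitoring" recommendation above relies on telling executable files apart from the ordinary traffic of a SCADA network and on knowing which executables are expected. The following is an added example, not code from the original article or from INCIBE-CERT, of the check a network sensor could run on a reassembled file transfer: it looks for the Windows PE layout (the "MZ" DOS stub and the "PE\0\0" signature at the e_lfanew offset) regardless of the file name on the wire, then compares the SHA-256 of the payload against an allowlist of software approved for the OT network. All sample transfers, addresses and the allowlist are constructed for the example.

```python
"""Flag unknown Windows executables in captured file transfers (added example,
not from the original article). Payloads, addresses and the allowlist below
are constructed sample data."""
import hashlib
import struct


def is_pe_executable(data: bytes) -> bool:
    """Return True if data carries a Windows PE header: 'MZ' stub plus the
    'PE\\0\\0' signature at the offset stored in e_lfanew (DWORD at 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)
    if pe_offset + 4 > len(data):
        return False
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"


def build_sample_pe(tag: bytes) -> bytes:
    """Constructed, non-runnable byte string with a valid PE header layout.
    The tag only makes each sample hash differently."""
    dos_header = bytearray(0x40)
    dos_header[:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 0x40)  # e_lfanew -> PE header at 0x40
    return bytes(dos_header) + b"PE\x00\x00" + tag


# Constructed samples: one approved executable, one unknown one.
APPROVED_PE = build_sample_pe(b"approved HMI updater")
UNKNOWN_PE = build_sample_pe(b"unknown tool")

# Constructed allowlist: SHA-256 of the executables approved for the plant.
APPROVED_SHA256 = {hashlib.sha256(APPROVED_PE).hexdigest()}

# Constructed transfers as a sensor would hand them over:
# (source IP, destination IP, file name seen on the wire, reassembled payload)
SAMPLE_TRANSFERS = [
    ("10.10.1.5", "10.10.2.20", "hmi_update.exe", APPROVED_PE),
    ("10.10.1.5", "10.10.2.21", "recipe.csv", b"batch,temp\n1,80\n"),
    ("10.10.9.77", "10.10.2.22", "notes.txt", UNKNOWN_PE),  # executable disguised as text
]


def classify_transfer(transfer, approved=APPROVED_SHA256) -> str:
    """Classify one transfer by its content, never by its file name."""
    _src, _dst, _name, data = transfer
    if not is_pe_executable(data):
        return "not-executable"
    if hashlib.sha256(data).hexdigest() in approved:
        return "approved-executable"
    return "unknown-executable"


def scan_transfers(transfers, approved=APPROVED_SHA256) -> list:
    """Return an alert record for every unknown executable seen on the network."""
    alerts = []
    for transfer in transfers:
        if classify_transfer(transfer, approved) == "unknown-executable":
            src, dst, name, data = transfer
            alerts.append({
                "src": src,
                "dst": dst,
                "name": name,
                "sha256": hashlib.sha256(data).hexdigest(),
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_transfers(SAMPLE_TRANSFERS):
        print("unknown executable transfer:", alert)
```

Content-based detection matters here because a renamed executable (`notes.txt` in the sample) would otherwise pass an extension filter; the allowlist is what turns "an executable was transferred" into "an executable we did not approve was transferred", which is the alert an OT operator can act on.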
At the corporate level, it is also strongly advised to adopt the following recommendations to deal with a possible ransomware attack:
- Keep policies and procedures updated, especially those related to incident management, evidence collection, forensic analysis and system recovery.
- Organize and train a technical team capable of providing an effective and rapid response to security incidents of this kind, or hire external services to perform this task.
- Have updated contact information for the members of the response team, both internal staff and external support technicians, who may be involved in cyberincident management.
- Run simulations of this type of incident in order to train and improve skills and validate the technical, operational, management and coordination procedures of the technical security incident response team.
- Prepare a risk analysis that reflects this threat and include its management in the treatment plan to enable its mitigation.
Detection
To provide an effective response to possible cases of infection by this ransomware, rapid detection is crucial. This malicious code contains various functions that hinder its detection by antivirus and other security software, such as intrusion detection systems (IDS).
The symptoms that can reveal a computer’s infection with Ekans are:
- Appearance of the ransom note on the desktop.
- Unexpected loss of connection between ICS devices.
- Low computer performance.
- Unusually high activity on the hard drive.
- Unexpected stoppage of numerous processes and services on the computers.
- Unexpected remote access events.
- Security alerts from the operating system or antivirus solutions.
- Unexpected scheduled tasks.
Figure 1. Ekans ransom note. Source: Security Boulevard.
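Three of the symptoms listed above (unexpected remote access events, unexpected scheduled tasks and the stoppage of numerous services) leave traces in the Windows event logs of the affected computer. The following is an added example, not code from the original article or from INCIBE-CERT, of a triage routine that correlates those traces: it flags successful logons of type 10 (RemoteInteractive, i.e. RDP) from any source that is not an approved jump host, flags scheduled task creation (event 4698), and raises a single alert when a configurable number of services enter the stopped state (System event 7036) within a short window. The event lines, the jump host address and the user and service names are constructed for the example in a simplified one-line-per-event format, not the native Windows log format.

```python
"""Correlate Windows event-log symptoms of a ransomware infection (added
example, not from the original article). Event lines and addresses are
constructed sample data in a simplified "timestamp log id key=value..." form."""
from collections import deque
from datetime import datetime, timedelta

# Constructed: the only host approved to open RDP sessions to ICS computers.
ALLOWED_RDP_SOURCES = {"10.10.0.5"}

# Constructed event lines, chronological. 4624 = successful logon
# (LogonType 10 = RemoteInteractive/RDP), 4698 = scheduled task created,
# 7036 = service state change.
SAMPLE_EVENTS = [
    "2020-06-01T01:00:10 System 7036 Service=Spooler State=stopped",
    "2020-06-01T02:13:05 Security 4624 LogonType=10 User=ops1 Source=203.0.113.9",
    "2020-06-01T02:13:40 Security 4624 LogonType=10 User=maint Source=10.10.0.5",
    "2020-06-01T02:14:02 Security 4698 User=ops1 TaskName=HmiUpdate",
    "2020-06-01T02:15:01 System 7036 Service=HistorianSvc State=stopped",
    "2020-06-01T02:15:03 System 7036 Service=OpcEnum State=stopped",
    "2020-06-01T02:15:04 System 7036 Service=SqlServer State=stopped",
    "2020-06-01T02:15:06 System 7036 Service=BackupAgent State=stopped",
    "2020-06-01T02:15:08 System 7036 Service=AvMonitor State=stopped",
]


def parse_event(line: str) -> dict:
    """Parse one constructed event line into a dict with time, log, id and attributes."""
    timestamp, log, event_id, *fields = line.split()
    attrs = dict(field.split("=", 1) for field in fields)
    return {"time": datetime.fromisoformat(timestamp), "log": log, "id": int(event_id), **attrs}


def triage(lines, allowed_rdp_sources, window=timedelta(seconds=60), stop_threshold=5) -> list:
    """Return (kind, detail) findings for the three event-log symptoms."""
    findings = []
    recent_stops = deque()      # timestamps of service stops inside the sliding window
    mass_stop_reported = False  # report the burst once, not on every further stop
    for event in map(parse_event, lines):
        if (event["id"] == 4624 and event.get("LogonType") == "10"
                and event.get("Source") not in allowed_rdp_sources):
            findings.append(("unexpected-remote-access",
                             f"{event['User']} from {event['Source']}"))
        elif event["id"] == 4698:
            findings.append(("scheduled-task-created",
                             f"{event['TaskName']} by {event['User']}"))
        elif event["id"] == 7036 and event.get("State") == "stopped":
            recent_stops.append(event["time"])
            # Drop stops that fell out of the window before counting.
            while recent_stops and event["time"] - recent_stops[0] > window:
                recent_stops.popleft()
            if len(recent_stops) >= stop_threshold and not mass_stop_reported:
                findings.append(("mass-service-stop",
                                 f"{len(recent_stops)} services stopped within {int(window.total_seconds())}s"))
                mass_stop_reported = True
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_EVENTS, ALLOWED_RDP_SOURCES):
        print(f"{kind}: {detail}")
```

The isolated Spooler stop at 01:00 is deliberately left out of the burst by the sliding window, so a single service restart does not trigger the alert; only the five stops within seven seconds do. Tuning `stop_threshold` and `window` to the normal behaviour of each ICS host keeps the rule quiet during maintenance and loud during an attack.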
Response
If you suspect you have been a victim of Ekans or any other type of ransomware, it is crucial to act quickly. If one or more computers become infected for any reason, the response procedures that are carried out can limit the consequences of the incident and restart the activity as quickly as possible.
After detecting the incident and having verified that it’s a ransomware attack, the recommended response procedure is one that brings together the containment, mitigation, recovery and post-incident phases. Each of these phases is detailed below.
Containment
Due to the design and operating characteristics of Ekans, it is not necessary to apply specific measures for its containment, and the recommended actions are those applicable to ransomware cyberattack incidents in general.
If suspicions are confirmed or there is clear evidence that an attack by this ransomware is taking place, the steps to follow are:
- Isolate the infected device: ransomware affecting a single device is a moderate problem. If the malware spreads to other computers, it can mean the complete shutdown of the system and the activity associated with it. Therefore, reaction time is crucial. In order to guarantee the security of the entire system, it’s vital to disconnect the infected device from the network, the Internet and the other devices as quickly as possible. The sooner this is done, the less likely it is that other computers will be infected.
- Stop the spread: malware spreads quickly, and the computer on which the ransomware was found is not necessarily its point of penetration. Immediate isolation of an infected computer does not guarantee that the ransomware is absent from other interconnected devices. To effectively limit the scale of the spread, all devices where suspicious or abnormal behavior occurs should be disconnected from the network. Disconnecting from wireless networks (Wi-Fi, Bluetooth, etc.) is also very helpful in containing the possible spread of malware.
- Assess the damage: to determine which devices have been infected, check for recently encrypted files with strange extensions or names, and for processes reporting errors when opening files. If computers are identified that have not been fully encrypted, or where the malware has failed, they should still be isolated and shut down to help contain the attack and prevent further damage and operational loss of the ICS.
- Locate the source of the infection: the incident response will be undertaken once its source has been identified. To do so, alerts coming from the antivirus, IDS or any active monitoring platform associated with the ICS must be checked. As the most widespread suspicion is that this ransomware penetrates through RDP connections, it is worth reviewing, above all, the events associated with the logins of publicly exposed computers and those in internal networks.
- Identify the ransomware: it’s important to identify the ransomware variant that triggered the attack in order to mitigate it, and to confirm that it is Ekans. The most immediate check is to use the information included in the ransom note. If the ransomware variant is not identified that way, an Internet search engine can be used to collect information on the data contained in the ransom note, such as e-mail addresses. Another option is to consult pages specialized in ransomware identification, such as the ransomware helpdesk provided by INCIBE. It is also very useful to consult the manufacturer or distributor of the installed antivirus software, or other vendors. They make available to their customers and the general public information for this identification, and even tools that characterize the ransomware from sample encrypted files, which can be uploaded directly to the manufacturers' websites or analyzed with tools downloaded to the local computer. Ekans is characterized and antivirus manufacturers have tools for its identification and removal.
This identification task can also be performed by INCIBE-CERT through its incident response service. Various sources have published indicators of compromise (IOC) associated with Ekans, including different hashes, but they are only applicable to the samples identified in specific attacks, which, as indicated above, are customized to work only on a given victim. Once the ransomware variant has been identified and documented, the situation must be reported to the people involved in the ICS management and operation.
Mitigation
After identifying the ransomware variant as Ekans, the next step is to eradicate the infection by following the instructions gathered from specialized malware treatment sites, such as the manufacturer of the antivirus installed on the system. You can also contact the authorities and other bodies specialized in this type of incident, such as your reference CERT, to obtain help and recommendations for action. Usually, running virus removal tools is enough to eradicate malware from a computer. It should be remembered that no evidence has been found that this malware contains persistence routines.
In any case, as soon as the spread of ransomware has been contained, the incident should be reported to the relevant authorities. The spread of this type of malware is illegal and can have compliance implications with regulatory bodies so, like any other crime, it must be reported to the authorities.
Recovery
In order to restore the ICS hijacked by Ekans, we should never consider the option of paying the ransom demanded by the threat actors, since it is illegal and encourages this type of crime by financing it with the payment. Furthermore, there is no guarantee of recovering operability after the payment. For other ransomware variants, tools capable of decrypting the files they hijack have been developed, but no such tool exists yet for this particular malware.
In this step, the available backups should be evaluated and the recovery process started, applying the contingency and recovery plans established for these situations. The quickest and easiest method to do this is to restore the computers and information, once the malware has been eradicated, by restoring the data and recently-created settings from a clean, complete, updated and uninfected backup.
Otherwise, the only alternative to overcome an attack from this type of malware is reinstallation from scratch, with all the implications that this process entails.
Post-incident
Once the system has been restored and it is confirmed that there are no traces of ransomware, proceed to analyze what may have caused the incident, identify the vulnerabilities that could have been the entry vector and define a plan of action that allows you to strengthen and correct the system weaknesses.
It is advisable to focus on systems accessible from the Internet, reviewing the need for their publication and reinforcing their security if public exposure is necessary. The security of equipment that operates on the internal network and has remote access enabled should also be improved.
Conclusions
The best strategy to defend against cyberattacks is to adopt a proactive approach and be prepared for them. Good anticipation can effectively prevent attacks from affecting us and tells us how to act when they could not be prevented.
For this reason, in addition to implementing all available technical measures, it will be necessary for users to understand the recommendations and good practices for safe and responsible systems use, always using common sense.
Cybercriminals have found a niche for their information hijacking attacks in computer systems associated with the production environment, where the ransom amount and the proceeds of the blackmail can be very high, in line with the impact they can cause on the attacked infrastructure. Therefore, companies in the industrial sector must adopt specific policies to implement ransomware incident response protocols for their IT network.