EKANS – 2020 Ransomware Targeting ICS

blast furnace

New Ransomware is Sign of Changing Methodology of ICS Cyberattacks

2020 is already proving to justify predictions of the necessity of increased cybersecurity coverage for industrial systems as a new  industrial ransomware emerged in mid-December 2019, targeting ICS systems. Referred to as the EKANS ransomware, the malware received this moniker because of a special marker tag .ekans left unencrypted at the end of fles the ransomware encrypts.


Similar to other ransomware such as MEGACORTEX and SNAKE, which are believed to be predecessors to EKANS, the new ransomware encrypts data and displays a note to victims demanding payment to release it. 



The EKANS ransomware is particularly noteworthy as previous industrial cyber events all featured IT-focused ransomware that spreads into control system environments. This is usually from enterprise mechanisms, whereas ICS-specific functionality is directly specified within this new EKANS malware. EKANS also potentially demonstrates in who the hackers are- traditionally ICS and ransomware attacks have been led by state sponsored agents, whereas this has no clear agent with a state agenda or motive aside from monetary gain. 

The possibility that industrial hacking tactics are becoming used by average criminals could dramatically affect business cybersecurity in the future as attacks become more commonplace, and resolution on who the players are can become more difficult to discern as well.