Critical infrastructure, like power and water systems, faces a number of cyber-security threats. Traditional ransomware variants can bring these systems down by encrypting files that are vital to their operation.
However, a new variant poses an even greater risk to critical infrastructure. The Ekans ransomware is designed specifically to take down critical services, making anti-ransomware protection even more important in these environments.
Inside the Ransomware Threat
Ransomware is a well-known threat made famous by the WannaCry worm. The success of the 2017 WannaCry outbreak has inspired a rash of attacks and new ransomware variants in recent years.
This cybersecurity threat depends upon encryption algorithms, and this functionality is very easy for ransomware authors to implement. Modern encryption algorithms are well-defined and designed to be secure against all known attacks. These algorithms are widely published, making it easy to include them in malware or even to take advantage of built-in cryptographic libraries on infected computers.
These encryption algorithms are designed to make it impossible to read the encrypted data without access to the decryption key. This is perfect for ransomware authors, who can encrypt files on an infected machine and only need to retain a small amount of data per victim: their unique encryption key.
If the demanded ransom is paid, the attacker provides the victim with a decryptor and the key for their files, and they are theoretically able to regain access to all of their lost files.
Ransomware is Already Destructive
In theory, a ransomware attack is relatively straightforward and does little damage to the victim’s systems if they decide to pay the ransom. In reality, even those who decide to pay experience significant hardships beyond the financial cost of the ransom.
The first of these is the loss of productivity caused by the ransomware outbreak. Even if the user decides to pay immediately, they lose access to their data for the time it takes to acquire the necessary amount of cryptocurrency, transfer it to the attacker, receive their decryption key, and decrypt all of their files.
Depending on the amount of the ransom demand, the responsiveness of the attacker, and the number of files and systems encrypted, the time this takes could cause the loss of days or weeks of revenue.
Also, if the victim decides to pay, there is no guarantee that they will actually get their files back. Since the victim is completely at the mercy of the attacker, they may pay the ransom and receive no decryption key in return.
In the case of NotPetya, the malware masqueraded as ransomware but was actually a wiper. There was no code in the malware to send a decryption key to the attacker to hold for ransom, so the attackers had no way of providing one even if the victim did pay.
Even if the ransomware operator is operating in “good faith”, things can go wrong. The Ryuk ransomware variant, which is commonly used for attacking large enterprises, included a flaw in the decryptor that dropped the last byte of any encrypted file. For some files, this byte is unnecessary padding, so the impact was minimal. For others, this byte is critical to the function of the file, so it was lost forever the second that Ryuk encrypted it and deleted the backups.
New Ransomware Targets Critical Infrastructure
For these reasons, among others, ransomware attacks are already extremely destructive to their victims, even under the best of circumstances. However, some variants are now including additional functionality to bring the damage to a new level.
Recently, a new ransomware variant called Ekans has been discovered targeting critical infrastructure. For these systems, which include power generation, water treatment, and hospitals, even the normal loss of productivity associated with a ransomware attack can have a devastating impact. A loss of power in the middle of winter or lack of access to drinkable water in the heat of summer can cause illness or even death on a large scale.
These systems typically already have poor cybersecurity and operate in extremely fragile environments, where even the loss of a few systems can have a cascading impact. Ransomware targeting these systems can easily bring down a power plant or a water treatment facility if the wrong files are encrypted.
However, the Ekans ransomware is designed to ensure that a targeted critical infrastructure system fails when infected. Many of these systems run using similar components and software. The Ekans malware takes advantage of this by searching for and terminating programs commonly associated with critical infrastructure.
Detecting Ransomware Infections Through Behavioral Analysis
A normal ransomware infection can cause significant damage. On the wrong system, an Ekans infection can shut down a power plant or even cause physical damage to systems, forcing time-consuming and costly repairs. As a result, it is vital that ransomware infections be detected and remediated as quickly as possible in order to minimize their impacts on infected systems.
A good first line of defense is an antivirus system kept up to date with the latest malware signatures and with artificial intelligence designed to detect zero-day infections. However, even with the best system, there is a chance that something may slip through the cracks.
For this reason, anti-ransomware defenses that use behavioral analysis to detect infections provide a strong backup to an antivirus system. Ransomware exhibits unusual behavior – including file encryption and, now, killing critical processes – and behavioral analysis can identify and block these behaviors before any damage is done.
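As an added illustration of the behavioral approach described above (example code written for this page, not from the original article or any vendor product), the following Python detector runs over a constructed event stream and flags the two behaviors the text names: bursts of high-entropy file writes, and termination of critical processes. The process names, file paths and events are hypothetical; the real Ekans kill list is not reproduced here.

```python
import math
from collections import Counter, defaultdict

# Constructed sample data (stand-ins, not captured from a real host):
# a ciphertext-like buffer with maximal byte entropy and a plaintext-like one.
CIPHERTEXT_LIKE = bytes(range(256))
PLAINTEXT_LIKE = b"Pump station 3 pressure log: nominal, nominal, nominal.\n" * 4

# Hypothetical process names standing in for software an ICS host might run.
CRITICAL_PROCESSES = frozenset({"hmi_runtime.exe", "historian_svc.exe"})

# Constructed event stream: (seconds, process, action, target, payload)
EVENTS = [
    (0.0, "explorer.exe", "write", "C:\\logs\\day.txt", PLAINTEXT_LIKE),
    (1.0, "update.exe", "kill", "hmi_runtime.exe", b""),
    (1.2, "update.exe", "write", "C:\\plc\\cfg1.xml", CIPHERTEXT_LIKE),
    (1.4, "update.exe", "write", "C:\\plc\\cfg2.xml", CIPHERTEXT_LIKE),
    (1.6, "update.exe", "write", "C:\\plc\\cfg3.xml", CIPHERTEXT_LIKE),
    (2.0, "backup.exe", "write", "D:\\bak\\arch.zip", CIPHERTEXT_LIKE),  # benign single write
    (3.0, "update.exe", "kill", "notepad.exe", b""),  # non-critical kill, ignored
]

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 to 8.0); encrypted output sits near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def analyze(events, window=5.0, min_writes=3, min_entropy=7.0):
    """Return sorted (process, reason) alerts for ransomware-like behavior.
    A single high-entropy write (e.g. a backup archive) stays below the
    burst threshold, which keeps ordinary activity from alerting."""
    alerts = set()
    recent_writes = defaultdict(list)  # process -> times of high-entropy writes
    for ts, proc, action, target, payload in sorted(events, key=lambda e: e[0]):
        if action == "kill" and target in CRITICAL_PROCESSES:
            alerts.add((proc, f"terminated critical process {target}"))
        elif action == "write" and shannon_entropy(payload) >= min_entropy:
            recent = [t for t in recent_writes[proc] if ts - t <= window] + [ts]
            recent_writes[proc] = recent
            if len(recent) >= min_writes:
                alerts.add((proc, "burst of high-entropy file writes"))
    return sorted(alerts)

if __name__ == "__main__":
    for proc, reason in analyze(EVENTS):
        print(f"ALERT {proc}: {reason}")
```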