How New Ransomware Threats Target Critical Infrastructure

Just when the world thought it had figured out how to stop cybercriminals for good, a new threat has arisen: industrial control system (ICS) ransomware. It is ransomware, but unlike anything the business world has seen before, and threat activity has spiked during the coronavirus pandemic.

It is commonly said that data is now more valuable than oil, making it the most valuable resource in the world. That makes cybercrime big business, and hackers are proving that they will go to any length to get their hands on a company’s most sensitive information.

As businesses adapt to stay one step ahead of criminals, hackers, too, are becoming far more innovative in their approaches. Here is what ICS ransomware is, why companies need to know about it, and how a managed network service provider can help an office stay safe.

What Is Industrial Control System Ransomware?

Industrial control system (ICS) ransomware is a type of malware that targets the processes and technologies industrial companies use to manage their operations. In business terms, this is back-end enterprise software that never faces customers or the public.

Although ICS malware was first discovered in 2010, it has remained relatively rare in the business world. Instead, such attacks have mostly been confined to state-sponsored espionage and cyberattacks against a country’s critical infrastructure. For example, CrashOverride (Industroyer) targeted Ukraine’s power grid in 2016. Havex, another malware family with an ICS component, targeted the pharmaceutical, defense, aviation, energy, and petrochemical sectors in the United States and Europe.

ICS ransomware represents an evolution in both the ICS malware and ransomware lineages. It is unique in that it not only targets the industries that make up a country’s critical infrastructure but also seeks to cash in on the lucrative business of holding company data to ransom (corporate ransomware earns hackers around $1 billion annually). Although rare, this blending of two different types of malware makes it particularly difficult to detect, prevent, and handle.

A Closer Look at EKANS

Before EKANS appeared in December 2019, only four ICS malware programs had been identified. Named after a Pokémon, it looks at first like a typical piece of ransomware: it makes its way onto a network, encrypts files, then displays a ransom note on every infected machine.

That is where the similarities end, however. EKANS is unique in that it carries a static kill list: a hard-coded set of process names associated with various industrial control system operations. When it finds one of these processes running on a machine, the ransomware systematically terminates it and keeps it from restarting.

Remarkably, EKANS has no self-propagation mechanism, which makes it a primitive but still troubling piece of code. It does not spread on its own the way most ransomware does, finding new targets on the network and then copying and installing itself like a virus. Instead, it has to be launched interactively or executed by a script, which suggests that the attacker already has access to the network through more hands-on means.
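The two behaviours just described, a burst of terminations of ICS-related processes from a single parent and a re-kill whenever one of them restarts, are patterns a defender can look for in process event telemetry. The script below is an added example for this article, not code from the original post and not EKANS itself; the log line format, the process names in the watch list and the sample events are all constructed placeholders that an operator would replace with real process telemetry and their own ICS vendor inventory.

```python
"""Flag kill-list-style process terminations in a process event log.

Added example, not part of the original article. The log format, watch list
and sample events below are constructed placeholders (assumptions), not
EKANS's real kill list or real telemetry.
"""
from collections import deque
from datetime import datetime, timedelta

# Placeholder watch list: an operator would fill this from their own ICS
# software inventory. Constructed names, not the real EKANS kill list.
ICS_WATCHLIST = {
    "hmi_runtime.exe",
    "historian_svc.exe",
    "opc_server.exe",
    "plc_gateway.exe",
}

# Constructed sample log, one event per line:
# "<ISO timestamp> <START|TERMINATE> <process> parent=<parent process>"
SAMPLE_LOG = """\
2020-02-03T10:00:01 START hmi_runtime.exe parent=services.exe
2020-02-03T10:00:05 TERMINATE notepad.exe parent=explorer.exe
2020-02-03T10:15:00 TERMINATE hmi_runtime.exe parent=update.exe
2020-02-03T10:15:01 TERMINATE historian_svc.exe parent=update.exe
2020-02-03T10:15:01 TERMINATE opc_server.exe parent=update.exe
2020-02-03T10:15:02 START historian_svc.exe parent=services.exe
2020-02-03T10:15:03 TERMINATE historian_svc.exe parent=update.exe
2020-02-03T11:00:00 TERMINATE plc_gateway.exe parent=services.exe
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, event, process, parent)."""
    ts, event, proc, parent = line.split()
    return (
        datetime.fromisoformat(ts),
        event,
        proc.lower(),
        parent.split("=", 1)[1].lower(),
    )


def find_kill_bursts(log_text, window_seconds=30, min_distinct=3):
    """Alert when one parent terminates >= min_distinct distinct watch-listed
    processes inside a sliding time window. Returns one alert dict per parent."""
    window = timedelta(seconds=window_seconds)
    recent = {}      # parent -> deque of (timestamp, process) within the window
    alerted = set()  # parents already reported, so each is reported once
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, event, proc, parent = parse_line(raw)
        if event != "TERMINATE" or proc not in ICS_WATCHLIST:
            continue
        dq = recent.setdefault(parent, deque())
        dq.append((ts, proc))
        # Drop terminations that have fallen out of the window.
        while dq and ts - dq[0][0] > window:
            dq.popleft()
        killed = {p for _, p in dq}
        if len(killed) >= min_distinct and parent not in alerted:
            alerted.add(parent)
            alerts.append({"parent": parent, "first_seen": dq[0][0],
                           "killed": sorted(killed)})
    return alerts


def find_restart_suppression(log_text, max_gap_seconds=10):
    """Flag a watch-listed process that is terminated again within
    max_gap_seconds of starting: the 'prevents them from restarting' pattern.
    Returns (process, terminating parent, gap in seconds) tuples."""
    last_start = {}
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, event, proc, parent = parse_line(raw)
        if proc not in ICS_WATCHLIST:
            continue
        if event == "START":
            last_start[proc] = ts
        elif event == "TERMINATE" and proc in last_start:
            gap = (ts - last_start[proc]).total_seconds()
            if gap <= max_gap_seconds:
                findings.append((proc, parent, gap))
    return findings


if __name__ == "__main__":
    for alert in find_kill_bursts(SAMPLE_LOG):
        print("kill burst:", alert)
    for finding in find_restart_suppression(SAMPLE_LOG):
        print("restart suppressed:", finding)
```

Grouping terminations by parent process is what separates this pattern from a planned maintenance shutdown: in the constructed sample, the three ICS processes die within two seconds under the same unexpected parent (`update.exe`), while the single termination under `services.exe` later in the day is left alone. Tune `window_seconds` and `min_distinct` to the site's normal operations so routine restarts do not trip the rule.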

ICS ransomware, though rare, is troubling because it suggests that hackers are developing a deeper understanding of ICS environments. And although EKANS currently has to be installed on a network by hand, its ability to kill ICS processes on both workstations and servers means it can do a significant amount of damage to a company very quickly.

Fight Cyberattacks With a Managed Service Provider

EKANS shows that cybersecurity is more important than ever for companies across the industrial sectors. For businesses with a hand in critical infrastructure, now is the time to review the existing attack surface and work to minimize it. Consider engaging a managed service provider to raise the level of security on the company’s network. A managed provider can strengthen defenses against threats like EKANS by:

  • Introducing 24/7 remote monitoring to detect and stop attacks as they occur
  • Segmenting networks so that ICS processes are harder to reach from outside
  • Properly configuring servers and platforms for maximum security
  • Improving access control and authentication methods
  • Implementing regular, automated backups of data and systems so they cannot be held for ransom
  • Enhancing network visibility to spot unauthorized access before it has a chance to cause harm

Smile and Say Goodbye to Cybersecurity Threats

In the era of cybercrime, no company is truly safe. The evolution of ICS ransomware shows that cybercriminals will go to any length to reach valuable data and disrupt critical infrastructure. What was once primarily a tool of state-sponsored cyber warfare is now making its way into the business world. That is worrying, but by taking precautions it is possible to stay protected against this new threat.

A managed service provider can go a long way toward helping a company prepare for and defend against threats like EKANS. Because the ransomware has to be launched by an attacker who already has hands-on access, stopping those human operators in their tracks leaves ICS processes undisturbed and able to carry out the vital functions they are designed to perform.

Smile can help companies elevate their cybersecurity strategy. Reach out now for a conversation about network security.