Latest Threat Research: Technical Analysis: Killer Ultra Malware Targeting EDR Products in Ransomware Attacks

Get Informed


EKANS Ransomware Seen With New Capabilities

EKANS, the ransomware that is believed to be responsible for the attacks on Honda and Fresenius earlier this year, has been seen making rounds but with updated capabilities. EKANS is also referred to as Snake, but there is no indication that it is related to the nation-state Advanced Persistent Threat (APT) known as Snake or Turla. Relatively quiet since the Coronavirus pandemic caused most of the world to come to a halt, EKANS is back and it is able to disable the firewall on devices as well as kill processes from a specified list which will allow it to encrypt the associated files. The cyber security firm Deep Instinct is credited with the discovery of this new variant. Deep Instinct released an analysis, a portion of which read “Before initiating the encryption, Snake will utilize the Windows firewall in order to block any incoming and outgoing network connections on the victim’s machine that aren’t configured in the firewall. Windows built-in netsh tool will be used for this purpose. Disconnected from the outside world, Snake will kill the hardcoded processes that may interfere with the encryption. This list contains processes related to the industrial world and several security and backup solutions.” On top of all of that, if backups are discovered, EKANS will also delete those, making it very difficult for victims to recover their data.

Analyst Notes

Although keeping anti-virus solutions up to date is important, it’s only one part of a defense against intrusions and ransomware. Attackers evade detection by anti-virus products in targeted attacks simply by making small modifications to their malware before deploying it. Adopting an EDR (Endpoint Detection and Response) solution with continuous monitoring as part of their defense-in-depth strategy adds an additional layer of security by detecting attacker behaviors. SOC (Security Operations Center) analysts at Binary Defense work around the clock to monitor client workstations and detect threats to stop them before they become a bigger issue. Actively monitoring EDR tools also provide a strong defense against malware that attempts to use Windows Firewall to block communication, because the behavior can be detected on the endpoint and the firewall settings can be adjusted to still allow critical communication with security infrastructure. Keeping secure backups of files offline should also be considered so that they can be recovered if they become compromised and encrypted.