How do Cybelius' solutions counter this new malware that attacks industrial systems?
This ransomware was first submitted to VirusTotal on December 26, 2019. Many variants were subsequently observed on different systems. Written in Go, the attack itself is quite classical, with the particularity of specifically targeting industrial applications.
EKANS is a ransomware that encrypts the victim's files and demands a ransom, but it also includes features specific to industrial systems. Indeed, EKANS targets 64 software programs specific to industrial environments. These include GE Fanuc and Honeywell products, but also Microsoft and VMware software.
The origin of the malware is still unclear, and several explanations have so far been disputed. Dragos claimed that this ransomware is linked to a second one named MegaCortex; this claim was later disputed by the security researcher Vitali Kremez.
How can we avoid these attacks? Our Cybelius experts put forward three solutions:
- Security assessment of the industrial system
Knowing one's ICS is essential to identify its critical assets and vulnerabilities.
Cybelius offers a Security Assessment, one component of which (the Technical Diagnosis) identifies system vulnerabilities. EKANS does not exploit a 0-day vulnerability, which means that the upstream analysis by Cybelius would have identified the missing security updates. Thus, the Cybelius service provides protection against this type of attack.
- CyFENCE: securing the industrial system
CyFENCE is a DMZ that strictly filters the exchanges between an ICS and the outside world. It prevents the EKANS ransomware from spreading into the industrial network through segmentation and flow filtering, enforced by two layers of firewalls of different technologies.
CyFENCE's antivirus server is kept permanently updated, and in this case the EKANS signature was known as soon as it was released on December 26th. CyFENCE quickly detects the attack on the IT side and prevents it from spreading to the ICS. It also reports the events to the SIEM, triggering the alert chain from the virus's first intrusion attempt.
CyFENCE also provides backups of network equipment, which allow rapid recovery of compromised machines.
- CyPRES: real-time security monitoring
CyPRES is a probe that analyzes network flows and detects deviations from the usual patterns of conversations. If this ransomware directly infects a machine, CyPRES immediately detects the disturbances in the infected machine's outbound traffic and alerts the various actors of the alert chain, directly or via the SIEM.
Note that if a virus uses a 0-day flaw that escapes the antivirus software, CyPRES detection, which depends only on behavior, works with the same efficiency.
In addition, CyPRES records suspicious network flows, that is, flows that deviate from the usual patterns. These recordings are of great value for post-incident analysis.
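The behavior-based detection described above can be illustrated with a small baseline-deviation detector over flow records. The following Python is an added example, not CyPRES or any Cybelius code: the flow format, the addresses, the learning and detection windows and the thresholds are all constructed for illustration. It learns the set of known conversations and a per-host outbound volume profile from a few quiet windows, then flags conversations never seen before and hosts whose outbound volume jumps well above their baseline, and serialises the alerts as JSON lines of the kind a SIEM ingests.

```python
from collections import defaultdict
from dataclasses import dataclass
import json
import statistics


@dataclass(frozen=True)
class Flow:
    """One conversation record from a flow export (constructed format)."""
    src: str
    dst: str
    dport: int
    proto: str
    bytes_out: int


# Constructed learning traffic: three one-minute windows in which an HMI
# (10.1.1.10) polls two PLCs over Modbus/TCP and an engineering workstation
# (10.1.1.30) talks to the historian (10.1.1.40). All addresses are invented.
LEARNING_WINDOWS = [
    [Flow("10.1.1.10", "10.1.1.20", 502, "tcp", 1200),
     Flow("10.1.1.10", "10.1.1.21", 502, "tcp", 1100),
     Flow("10.1.1.30", "10.1.1.40", 443, "tcp", 8000)],
    [Flow("10.1.1.10", "10.1.1.20", 502, "tcp", 1300),
     Flow("10.1.1.10", "10.1.1.21", 502, "tcp", 1000),
     Flow("10.1.1.30", "10.1.1.40", 443, "tcp", 9000)],
    [Flow("10.1.1.10", "10.1.1.20", 502, "tcp", 1250),
     Flow("10.1.1.10", "10.1.1.21", 502, "tcp", 1150),
     Flow("10.1.1.30", "10.1.1.40", 443, "tcp", 8500)],
]

# Constructed detection window: the workstation suddenly opens SMB sessions to
# every PLC and to the historian, and its outbound volume jumps.
SUSPECT_WINDOW = [
    Flow("10.1.1.10", "10.1.1.20", 502, "tcp", 1220),
    Flow("10.1.1.10", "10.1.1.21", 502, "tcp", 1080),
    Flow("10.1.1.30", "10.1.1.40", 443, "tcp", 8600),
    Flow("10.1.1.30", "10.1.1.20", 445, "tcp", 40000),
    Flow("10.1.1.30", "10.1.1.21", 445, "tcp", 40000),
    Flow("10.1.1.30", "10.1.1.40", 445, "tcp", 60000),
]


def learn(windows):
    """Build the baseline: the set of known conversations and, per source host,
    the mean and population standard deviation of outbound bytes per window."""
    conversations = set()
    per_host = defaultdict(list)
    for window in windows:
        totals = defaultdict(int)
        for f in window:
            conversations.add((f.src, f.dst, f.dport, f.proto))
            totals[f.src] += f.bytes_out
        for host, total in totals.items():
            per_host[host].append(total)
    profile = {host: (statistics.mean(v), statistics.pstdev(v))
               for host, v in per_host.items()}
    return conversations, profile


def detect(window, conversations, profile, sigma=3.0, min_ratio=2.0):
    """Return alerts for conversations absent from the baseline and for hosts
    whose outbound volume exceeds mean + sigma*stdev and at least min_ratio
    times the mean (the ratio keeps a near-constant baseline from alerting
    on tiny fluctuations)."""
    alerts = []
    totals = defaultdict(int)
    for f in window:
        totals[f.src] += f.bytes_out
        if (f.src, f.dst, f.dport, f.proto) not in conversations:
            alerts.append({"type": "new_conversation", "host": f.src,
                           "detail": f"{f.src} -> {f.dst}:{f.dport}/{f.proto}"})
    for host, total in totals.items():
        if host not in profile:
            alerts.append({"type": "unknown_host", "host": host,
                           "detail": f"{total} bytes"})
            continue
        mean, stdev = profile[host]
        if total > mean + sigma * stdev and total > min_ratio * mean:
            alerts.append({"type": "volume_spike", "host": host,
                           "detail": f"{total} bytes vs baseline mean {mean:.0f}"})
    return alerts


def to_siem(alerts, sensor="probe-01"):
    """Serialise alerts as one JSON line each; the sensor name is a placeholder."""
    return [json.dumps({"sensor": sensor, **a}, sort_keys=True) for a in alerts]


if __name__ == "__main__":
    conv, prof = learn(LEARNING_WINDOWS)
    for line in to_siem(detect(SUSPECT_WINDOW, conv, prof)):
        print(line)
```

On the constructed data the quiet windows produce no alerts, while the suspect window yields three `new_conversation` alerts for the SMB sessions and one `volume_spike` alert for the workstation, all attributed to the same host. The detector keys only on behavior (which conversations exist and how much each host emits), which is why, like the behavior-based detection described above, it does not depend on a signature being available for the malware involved.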
Don’t wait any longer to protect your industrial system.