Ars Technica is reporting on a new type of ransomware that tampers with and stops critical infrastructure software, such as that used by gas refineries, power grids and dams.
Ransomware has become a multibillion-dollar plague, with some estimates placing the cost in 2019 at $7.5 billion. Hospitals, businesses, government agencies and universities have all been impacted. The usual M.O. for ransomware is to encrypt files on the target system and hold the files for ransom until the victim pays.
One of the latest ransomware strains, dubbed Ekans, may have far more chilling implications. According to Ars Technica, in addition to the traditional methods Ekans employs, “researchers at security firm Dragos found something else that has the potential to be more disruptive: code that actively seeks out and forcibly stops applications used in industrial control systems, which is usually abbreviated as ICS. Before starting file-encryption operations, the ransomware kills processes listed by process name in a hard-coded list within the encoded strings of the malware.”
Fortunately, Ekans is relatively primitive and is likely to have minimal impact on ICS programs. As Ars Technica highlights, “Monday’s report described Ekans’ ICS targeting as minimal and crude because the malware simply kills various processes created by widely used ICS programs. That’s a key differentiator from ICS-targeting malware discovered over the past few years with the ability to do much more serious damage.”
Even so, this is a disturbing escalation in the cybersecurity wars, one that is likely the beginning of a new breed of ransomware.
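Because the behavior described above is a burst of ICS process terminations that precedes file encryption, it can be watched for on the defender's side. The following is an added example, not code from Ars Technica or Dragos: it flags any host where several watched processes stop within a short window. The process names, log format, window and threshold are all assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical watchlist: replace with the process names of the ICS software
# actually deployed on the monitored hosts (these names are placeholders).
WATCHED = {"ics_historian.exe", "ics_hmi.exe", "ics_license_srv.exe", "ics_opc_gw.exe"}
WINDOW = timedelta(seconds=60)   # assumed correlation window
THRESHOLD = 3                    # assumed: distinct watched processes stopped

# Constructed sample events in an assumed format: "timestamp host event process"
SAMPLE_LOG = """\
2020-02-04T09:14:58 HMI-01 terminated notepad.exe
2020-02-04T09:15:01 HMI-01 terminated ics_historian.exe
2020-02-04T09:15:02 HMI-01 terminated ics_hmi.exe
2020-02-04T09:15:02 ENG-07 terminated ics_hmi.exe
2020-02-04T09:15:04 HMI-01 terminated ics_opc_gw.exe
2020-02-04T11:40:00 ENG-07 terminated ics_historian.exe
"""

def parse(log):
    """Yield (timestamp, host, process) for each well-formed termination line."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "terminated":
            continue  # skip malformed or unrelated lines
        yield datetime.fromisoformat(parts[0]), parts[1], parts[3].lower()

def find_kill_bursts(log, watched=WATCHED, window=WINDOW, threshold=THRESHOLD):
    """Return [(host, first_seen, sorted process names)] for each host where
    at least `threshold` distinct watched processes stopped within `window`."""
    per_host = defaultdict(list)
    for ts, host, proc in parse(log):
        if proc in watched:
            per_host[host].append((ts, proc))
    alerts = []
    for host, events in sorted(per_host.items()):
        events.sort()
        for i, (start, _) in enumerate(events):
            names = {p for t, p in events[i:] if t - start <= window}
            if len(names) >= threshold:
                alerts.append((host, start, sorted(names)))
                break  # one alert per host is enough for triage
    return alerts

if __name__ == "__main__":
    for host, start, names in find_kill_bursts(SAMPLE_LOG):
        print(f"{host}: {len(names)} watched ICS processes stopped from {start}: {names}")
```

A single watched process stopping, as on ENG-07 in the sample, does not alert; only the clustered stops on HMI-01 do.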