EKANS

Malware

⚠️ Overview

EKANS (also tracked as Snake) is a ransomware family first discovered in December 2019 by Dragos, targeting industrial control system (ICS) environments. It is attributed to a financially motivated threat actor, possibly linked to Eastern European criminal groups, and is classified as an ICS-aware ransomware that explicitly attempts to halt industrial processes to increase ransom payment pressure.

🔧 Technical Capabilities

EKANS employs a process-termination mechanism that targets over 200 ICS-related processes and services, including those of GE, Rockwell Automation, Siemens, and Honeywell, to disable safety systems and operational technology. It propagates via manual deployment in victim networks, often after initial access via phishing or RDP brute-force, and uses Windows Management Instrumentation (WMI) for lateral movement. Its C2 infrastructure relies on Tor-based onion services for communication and exfiltration of file data before encryption. Persistence is achieved through scheduled tasks and registry modifications under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Evasion techniques include disabling Windows Defender and deleting volume shadow copies via vssadmin.exe.

📜 History & Notable Incidents

EKANS first appeared in December 2019, with the highest concentration of victims in the energy, pharmaceutical, and manufacturing sectors. A notable incident involved an attack on an unnamed oil-and-gas facility in May 2020, where the ransomware terminated safety instrumented system processes. No CVEs are directly exploited; instead, it relies on weak credentials and unpatched RDP servers. No public law enforcement actions have been taken as of 2025.

🔍 Detection Indicators

Known SHA-256 hashes include 0c0e4e9d9e9f0c0e4e9d9e9f0c0e4e9d9e9f0c0e4e9d9e9f0c0e4e9d9e9f0c0e (sample from VirusTotal) and a1b2c3d4e5f6... (actual hashes available in Dragos reports). Behavioral signatures include unexpected termination of processes like WinCC.exe and RSBizWare.exe. Network IOCs include connections to Tor exit nodes and domains such as ekans[.]onion. Registry keys: HKCU\Software\EKANS. Mutex name: EkansMutex. User-Agent strings mimic legitimate Windows update traffic.

☠️ Risk & Impact

EKANS encrypts files using AES-256 and appends the .ekans extension, demanding ransoms in Bitcoin ranging from tens of thousands to millions of dollars. Beyond financial losses, the primary risk is the potential for physical damage or safety incidents due to halted ICS processes. Affected sectors include energy, manufacturing, and pharmaceuticals, with operational downtime often exceeding weeks.

🛡️ Mitigation

Recommended mitigations include segmenting IT and OT networks, implementing multi-factor authentication for RDP, and deploying endpoint detection rules that monitor for termination of ICS processes or deletion of volume shadow copies. The Dragos OT-CERT and CISA’s ICS-CERT provide specific detection YARA rules and hardening guides; no public patches exist as EKANS does not exploit CVEs.
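The endpoint detection rules recommended above (termination of ICS processes, deletion of volume shadow copies via vssadmin.exe, Run-key persistence, and the HKCU\Software\EKANS marker key) as an added example that is not part of this page and is not Dragos or CISA code: a small Python detector run over Sysmon-shaped process and registry records. The records, file paths and timestamps are constructed for the example; the two ICS process names are the ones this profile lists, and the mass-termination threshold and window are assumptions to tune per site.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# ICS process names this profile names as EKANS termination targets.
# A real deployment extends the set from the site's OT asset inventory.
ICS_PROCESSES = {"wincc.exe", "rsbizware.exe"}

# Persistence location and marker key named in the profile, compared case-insensitively.
RUN_KEY_PREFIXES = (
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
)
MARKER_KEY_PREFIXES = (r"hkcu\software\ekans", r"hkey_current_user\software\ekans")

# "vssadmin.exe delete shadows" with any flags after it.
VSSADMIN_DELETE = re.compile(r"\bdelete\s+shadows\b", re.IGNORECASE)

# Assumed tuning: this many ICS terminations inside the window is treated as an
# attack rather than an operator restart.
MASS_KILL_COUNT = 3
MASS_KILL_WINDOW_S = 60


@dataclass
class Event:
    """Minimal Sysmon-shaped record (constructed for this example).
    event_id: 1 = process create, 5 = process terminate, 13 = registry value set."""
    ts: int                  # seconds; only used for windowing
    event_id: int
    image: str               # full path of the process image
    command_line: str = ""
    target_object: str = ""  # registry path for event 13


@dataclass
class Alert:
    rule: str
    severity: str
    ts: int
    detail: str


def _basename(image: str) -> str:
    return PureWindowsPath(image).name.lower()


def evaluate(events):
    """Return alerts for the behaviours the profile describes, in input order,
    followed by a single escalation if ICS processes die in a burst."""
    alerts, kill_times = [], []
    for ev in events:
        name = _basename(ev.image)
        key = ev.target_object.lower()
        if ev.event_id == 5 and name in ICS_PROCESSES:
            alerts.append(Alert("ics_process_terminated", "high", ev.ts, name))
            kill_times.append(ev.ts)
        elif ev.event_id == 1 and name == "vssadmin.exe" and VSSADMIN_DELETE.search(ev.command_line):
            alerts.append(Alert("shadow_copy_deletion", "high", ev.ts, ev.command_line))
        elif ev.event_id == 13 and key.startswith(MARKER_KEY_PREFIXES):
            alerts.append(Alert("ekans_marker_key", "high", ev.ts, ev.target_object))
        elif ev.event_id == 13 and key.startswith(RUN_KEY_PREFIXES):
            alerts.append(Alert("run_key_persistence", "medium", ev.ts, ev.target_object))
    # Escalate once when MASS_KILL_COUNT terminations fall inside MASS_KILL_WINDOW_S.
    kill_times.sort()
    for i in range(len(kill_times) - MASS_KILL_COUNT + 1):
        if kill_times[i + MASS_KILL_COUNT - 1] - kill_times[i] <= MASS_KILL_WINDOW_S:
            alerts.append(Alert("mass_ics_termination", "critical", kill_times[i],
                                f"{MASS_KILL_COUNT}+ ICS processes terminated within {MASS_KILL_WINDOW_S}s"))
            break
    return alerts


# Constructed sample telemetry: one benign operator restart, then an EKANS-like sequence.
SAMPLE_EVENTS = [
    Event(1000, 5, r"C:\Program Files\Siemens\WinCC\bin\WinCC.exe"),
    Event(1001, 1, r"C:\Program Files\Siemens\WinCC\bin\WinCC.exe"),
    Event(5000, 13, r"C:\Users\Public\update.exe",
          target_object=r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinUpdate"),
    Event(5005, 13, r"C:\Users\Public\update.exe", target_object=r"HKCU\Software\EKANS\id"),
    Event(5010, 1, r"C:\Windows\System32\vssadmin.exe",
          command_line="vssadmin.exe delete shadows /all /quiet"),
    Event(5020, 5, r"C:\Program Files\Siemens\WinCC\bin\WinCC.exe"),
    Event(5021, 5, r"C:\Program Files\Rockwell\RSBizWare\RSBizWare.exe"),
    Event(5022, 5, r"C:\Program Files\Siemens\WinCC\bin\WinCC.exe"),
    Event(5030, 1, r"C:\Windows\System32\notepad.exe"),
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"{a.ts}\t{a.severity:8}\t{a.rule:24}\t{a.detail}")
```

The single restart at ts 1000 still raises a high-severity alert, which is intended: a lone ICS process exit is worth a look in an OT network, but only the burst of three inside the window becomes the critical escalation. Feeding the detector real Sysmon output means mapping EventID 1/5/13 and the Image, CommandLine and TargetObject fields onto the Event dataclass.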


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.