Skip to content

Hide Navigation Hide TOC

EKANS - S0605 (00e7d565-9883-4ee5-b642-8fd17fd6a3f5)

EKANS is ransomware variant written in Golang that first appeared in mid-December 2019 and has been used against multiple sectors, including energy, healthcare, and automotive manufacturing, which in some cases resulted in significant operational disruptions. EKANS has used a hard-coded kill-list of processes, including some associated with common ICS software platforms (e.g., GE Proficy, Honeywell HMIWeb, etc), similar to those defined in MegaCortex.(Citation: Dragos EKANS)(Citation: Palo Alto Unit 42 EKANS)

Cluster A Galaxy A Cluster B Galaxy B Level
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern EKANS - S0605 (00e7d565-9883-4ee5-b642-8fd17fd6a3f5) Malware 1
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern EKANS - S0605 (00e7d565-9883-4ee5-b642-8fd17fd6a3f5) Malware 1
Inhibit System Recovery - T1490 (f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a) Attack Pattern EKANS - S0605 (00e7d565-9883-4ee5-b642-8fd17fd6a3f5) Malware 1
Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern EKANS - S0605 (00e7d565-9883-4ee5-b642-8fd17fd6a3f5) Malware 1
Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern EKANS - S0605 (00e7d565-9883-4ee5-b642-8fd17fd6a3f5) Malware 1
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern EKANS - S0605 (00e7d565-9883-4ee5-b642-8fd17fd6a3f5) Malware 1
Data Encrypted for Impact - T1486 (b80d107d-fa0d-4b60-9684-b0433e8bdba0) Attack Pattern EKANS - S0605 (00e7d565-9883-4ee5-b642-8fd17fd6a3f5) Malware 1
Service Stop - T1489 (20fb2507-d71c-455d-9b6d-6104461cf26b) Attack Pattern EKANS - S0605 (00e7d565-9883-4ee5-b642-8fd17fd6a3f5) Malware 1
EKANS - S0605 (00e7d565-9883-4ee5-b642-8fd17fd6a3f5) Malware Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern 1
Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern 2
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 2