As if Coronavirus wasn't enough to deal with, automaker Honda is now dealing with a cyber incident. On June 7th, Honda experienced a cyber incident in which the EKANS ransomware impacted its Industrial Control Systems (ICS), interrupting production.
The EKANS ransomware encrypts files on Windows hosts, including those running ICS software, and demands payment to decrypt them. While Honda is the latest company to be hit with it, they're unlikely to be the last.
Dragos, an ICS security company, has a detailed post available here explaining that it first learned of the new ransomware variant, called SNAKE (EKANS backwards) or "EKANS", in early January, and that further investigation revealed a relationship between EKANS and the MEGACORTEX ransomware.
How does EKANS work?
The malware first checks for the existence of a mutex to determine whether EKANS is already running on the host. If it is, the malware stops; if not, it has found a new victim and kicks off a process to encrypt the drive using AES-256 and RSA-2048. In the usual hybrid pattern a symmetric key encrypts file contents and the attacker's RSA public key protects that key, so only the holder of the private key can recover the files.
Using Windows Management Instrumentation (WMI) calls, EKANS removes Volume Shadow Copy backups on the victim, so encrypted files cannot be rolled back from local snapshots, and carries out its encryption operations.
To be most effective, EKANS kills processes on the machine that match a hard-coded list of names stored among the malware's encoded strings. A process holding a file open would otherwise block that file from being encrypted.
While some of the referenced processes appear to relate to security or management software (e.g., Qihoo 360 Safeguard and Microsoft System Center), the majority of the listed processes concern databases (e.g., Microsoft SQL Server), data backup solutions (e.g., IBM Tivoli), or ICS-related processes.
After encryption, each file is renamed with a random five-character extension appended, so its source application no longer recognises it.
EKANS then drops a ransom note on the active user’s desktop.
Who is impacted?
ICS-related processes on the kill list include:
- GE's Proficy data historian (both client and server processes).
- GE Fanuc licensing server services.
- Honeywell's HMIWeb application.
- Remote monitoring (historian-like) and licensing server instances, such as the FLEXNet and Sentinel HASP license managers and the ThingWorx Industrial Connectivity Suite.
If there's one positive in this, it is that EKANS has no ability to inject commands into or otherwise manipulate ICS-related processes: it only kills them and encrypts files. Killing a historian or HMI still leaves operators without visibility of the process until it is restored, so the impact is an availability problem rather than a manipulation of the physical process. This distinction is important to understand given that ICS is used not just in commercial applications like making vehicles, but also in a lot of critical infrastructure like utilities.
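The behaviours described under "How does EKANS work?" and the kill list above give a defender three host-level signals to correlate: shadow-copy removal via WMI, a burst of terminations of historian, HMI, licence-manager, database and backup processes, and a burst of file renames that append a five-character extension. The Python below is an added example, not code from the article or from Dragos's report: it runs those three rules over constructed Sysmon-style JSON log lines. The process names, event field names, thresholds and the alphanumeric-extension pattern are assumptions chosen for illustration, not values taken from the EKANS binary.

```python
"""Detection rules for EKANS-style host behaviour, run over constructed
Sysmon-style JSON log lines. Added example; not code from the article or
from Dragos. Names, fields and thresholds are assumptions, not binary facts."""
import json
import re
from collections import Counter, defaultdict

# Assumption: stand-in process names modelled on the product families in the
# kill list (historian, HMI, licence managers, database, backup). They are
# not the literal strings carried in the EKANS binary.
WATCHED_PROCESSES = {
    "proficyserver.exe", "proficyclient.exe", "hmiweb.exe",
    "lmgrd.exe", "hasplms.exe", "thingworx.exe", "sqlservr.exe", "tivoli.exe",
}

# Shadow-copy removal: the WMI class, the wmic wrapper, or vssadmin.
SHADOW_DELETE = re.compile(
    r"win32_shadowcopy|shadowcopy\s+delete|vssadmin(?:\.exe)?\s+delete\s+shadows",
    re.IGNORECASE,
)

# Encrypted names keep the original extension and gain a random five-character
# one. Assumption: alphanumeric only; tune against real samples.
RANSOM_NAME = re.compile(r"^.+\.[A-Za-z0-9]+\.[A-Za-z0-9]{5}$")

KILL_THRESHOLD = 3     # distinct watched processes terminated by one pid
RENAME_THRESHOLD = 5   # suspicious renames by one pid


def basename(path):
    """Last component of a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1]


def analyse(lines):
    """Return sorted (rule, pid) findings for an iterable of JSON log lines."""
    kills = defaultdict(set)   # pid -> watched images it terminated
    renames = Counter()        # pid -> renames matching RANSOM_NAME
    findings = set()
    for raw in lines:
        ev = json.loads(raw)
        kind, pid = ev["event"], ev["pid"]
        if kind == "process_create" and SHADOW_DELETE.search(ev.get("cmdline", "")):
            # A spawned wmic/vssadmin child: attribute the action to its parent.
            findings.add(("shadow_copy_deletion", ev["parent_pid"]))
        elif kind == "wmi_activity" and SHADOW_DELETE.search(ev.get("operation", "")):
            # In-process WMI call: no child process exists, so key on the caller.
            findings.add(("shadow_copy_deletion", pid))
        elif kind == "process_terminate":
            image = basename(ev["target_image"]).lower()
            if image in WATCHED_PROCESSES:
                kills[pid].add(image)
        elif kind == "file_rename" and RANSOM_NAME.match(basename(ev["new_path"])):
            renames[pid] += 1
    findings.update(("ics_process_kill_burst", p) for p, s in kills.items()
                    if len(s) >= KILL_THRESHOLD)
    findings.update(("ransom_extension_burst", p) for p, n in renames.items()
                    if n >= RENAME_THRESHOLD)
    return sorted(findings)


# Constructed telemetry: pid 4000 behaves like EKANS, pid 900 is an admin.
_ENCRYPTED = ["Report%02d.csv" % i for i in range(6)]
SAMPLE_EVENTS = [
    {"event": "wmi_activity", "pid": 4000,
     "operation": 'IWbemServices::DeleteInstance Win32_ShadowCopy.ID="{0000-0000}"'},
    {"event": "process_terminate", "pid": 4000, "target_image": r"C:\Proficy\proficyserver.exe"},
    {"event": "process_terminate", "pid": 4000, "target_image": r"C:\Honeywell\hmiweb.exe"},
    {"event": "process_terminate", "pid": 4000, "target_image": r"C:\FlexNet\lmgrd.exe"},
    # Benign: an admin stops SQL Server once; a single hit is below threshold.
    {"event": "process_terminate", "pid": 900, "target_image": r"C:\SQL\sqlservr.exe"},
    # Benign: an ordinary extension change, not an appended random suffix.
    {"event": "file_rename", "pid": 900, "old_path": r"D:\a.tmp", "new_path": r"D:\a.docx"},
] + [
    {"event": "file_rename", "pid": 4000,
     "old_path": r"D:\hist\%s" % n, "new_path": r"D:\hist\%s.Kq7zB" % n}
    for n in _ENCRYPTED
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for rule, pid in analyse(SAMPLE_LOG):
        print("%s: pid %d" % (rule, pid))
```

An in-process WMI call never spawns wmic.exe, so a rule that only watches process creation misses the shadow-copy deletion the article describes; the wmi_activity branch stands in for whatever WMI tracing your telemetry actually exposes. Each rule on its own also fires on legitimate administration (an operator stopping SQL Server, a user renaming a file), which is why the kill and rename rules count per process and only alert above a threshold.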
How to protect your ICS network
At present, Dragos says it is not aware of how EKANS is distributed within victim networks. The primary defence against ransomware such as EKANS therefore relies on preventing it from reaching or spreading through the network in the first place.
The best course of action is to ensure your business has a robust, regularly tested off-site (and offline) backup routine from which encrypted files can be restored to resume operations. Because EKANS deletes Volume Shadow Copies, local snapshots alone are not a backup you can count on.
While it may be tempting to just pay the ransom (we're not sure of the amount in Honda's case) to get your files decrypted and your business back online, there are no guarantees when it comes to cyber incidents. The last thing you want to do is encourage the behaviour and become known as someone who pays.
Cisomag has a quote from a Honda spokesperson who confirmed the incident.
“On Sunday, June 7, Honda experienced a disruption in its computer network that has caused a loss of connectivity. We have cancelled some production today (Monday, June 8) and are currently assessing the situation.
At this point, there is no effect on either Japanese production or dealer activities, and no customer impact.
In Europe, we are investigating to understand the nature of any impact. We can confirm some impact in Europe and are currently investigating the exact nature.”
It is also understood that Bahraini national oil company Bapco was struck by the EKANS ransomware.