• A new form of ransomware meant to target industrial control systems (ICS) has been detected by Dragos, a Hanover, Maryland-based cybersecurity firm.
  • The threat, known both as Snake and Ekans, could affect manufacturing plants and utilities.
  • This is different from past instances of industrial meddling because the attackers appear to be cybercriminals, rather than state-sponsored hacks.

If you use electricity—or any utility for that matter—we have some bad news: a new type of ransomware that targets industrial control systems has been documented by a Hanover, Maryland-based cybersecurity firm called Dragos.

The file-encrypting malware—variously referred to as Snake or Ekans (not the Pokémon)—first appeared in December 2019. Dragos notes in its report that the ransomware threat appears to be "relatively straightforward" as it encrypts files and shows a ransom note on the screen, requesting payment to return control of computers. But there is something darker about this malware.

"While all indications at present show a relatively primitive attack mechanism on control system networks, the specificity of processes listed in a static 'kill list' shows a level of intentionality previously absent from ransomware targeting the industrial space," according to the report.

This means hackers specifically built this malicious software for industrial environments like power grids, manufacturing plants, oil refineries, and sewage treatment plants. Past hacking attacks on industrial control systems—like the 2016 power blackout in Ukraine and the 2017 Triton attack at facility in the Middle Easthave been focused on IT systems before bleeding into industrial environments.

"The ICS-specific nature of the targeted processes indicates an evolving brazenness," Joe Slowik, principal adversary hunter at Dragos, told ZDNet.

Dragos found that Ekans could stop 64 different software processes on Windows systems, and many of them deal with specific industrial controls. Under this framework, a victim computers' data is encrypted and locked down, which could lead to broken monitoring systems for things like factory robots. This means there's no way to stop this equipment until the company pays a cryptocurrency ransom.

According to Dragos, this is the first real instance of file-encrypting malware made to specifically attack manufacturing and utilities environments, but it's not the first instance of ransomware attempts on industrial controls. The Triton malware attack in 2017 was the first time that malware attacked control and safety systems. It was meant to mess with Schneider Electric's emergency shutdown controllers and was only discovered because the attackers accidentally set off the malware and shut down the plant.

Of course, state actors have been attacking industrial systems for at least a decade. In 2010, malicious files created by the computer virus Stuxnet crippled Iran uranium-enriching centrifuges by attacking the computers controlling them. Then, the 2016 blackout in Ukraine left an electric transmission station north of Kiev out of commission for an hour.

While some reports have linked Ekans to Iran, following a lethal U.S. air strike that killed Iranian commander Qassem Soleimani, Dragos concluded that there is "no strong or compelling evidence" to link the malware with Iran.

Instead, this looks to be the work of independent cybercriminals seeking financial gain, something that will likely become more common in the future.

Headshot of Courtney Linder
Courtney Linder
Deputy Editor
Before joining Pop Mech, Courtney was the technology reporter at her hometown newspaper, the Pittsburgh Post-Gazette. She is a graduate of the University of Pittsburgh, where she studied English and economics. Her favorite topics include, but are not limited to: the giant squid, punk rock, and robotics. She lives in the Philly suburbs with her partner, her black cat, and towers upon towers of books.