“Backwards SNAKE” ransomware is evolving to cause even more trouble

Attackers are making the EKANS ransomware  more difficult to find and stop.

This malware — the word “snake” backwards — targets industrial systems, adding an extra level of risk.

Watch here:

More Risky

Attackers are making the EKANS ransomware even better. Better for cyber crooks, worse for the rest of us.

This relatively new ransomware has an unusual skill — targeting machines in the riskier industrial settings, rather than just office computers.

“EKANS goes after industrial control systems, which is rarely seen in this threat landscape,” said Fred Gutierrez, senior security engineer with Fortinet. “EKANS attackers are definitely improving their tool.”

Cyber crooks used the tool to hit big industrial companies like Honda in June, shutting down plants around the world, according to news reports, as well as large energy company Enel Group.

Industrial cybersecurity experts say that ransomware affecting critical machines has the potential to cause dangerous consequences.

“School districts and whatnot are bad enough,” said Joe Slowik, threat analyst with cybersecurity company Dragos. “And now we start talking about infections that get into the possibility of creating actual damage and potential injury or worse in environments like this is pretty serious and it needs to be stopped.”


EKANS ransom note. Image: Sentinel Labs


Researchers have found that EKANS is evolving.

Gutierrez and colleague Ben Hunter looked at versions of EKANS from May, when an attack reportedly hit health care giant Fresenius that runs a third of all kidney dialysis in the U.S.

They compared it to EKANS in June, when Honda and Enel were attacked, finding that attackers are fixing code errors and adding new tricks.

Playing with Firewall

For one, EKANS can now control your firewall, the protective digital wall for networks.

It can turn the firewall on and off when needed to prevent anything from stopping the scrambling — or encryption — of the files.

Gutierrez said turning on the firewall allows attackers to isolate the infected machine.

“If anyone on the network was accessing files on the infected machine, such as a document or a database, then those files may not get encrypted, which is what EKANS wants to do in the first place,” he said in an email to Archer News.

In addition, turning on the firewall will help EKANS evade some security checks and antivirus scans, Gutierrez said.


EKANS code impacting firewalls. Image: Fortinet

Stalking Their Prey

The attackers also seem to be studying their victims before striking.

“The biggest advancement we saw in the different EKANS versions is that the attackers are custom-tailoring it to whomever they are targeting,” Gutierrez said.

It appears the attackers have learned what is running inside their victim’s networks and have crafted their tool to match.

“EKANS is an extremely targeted piece of ransomware. This makes it unique,” he said.

Moving Up

Attackers get many benefits from changing their malware.

Their sieges may be more successful, and they can hide from defenders and security tools more easily.

Victims will be more likely to pay.

And they can get more sales on the black market.

“New and improved” is good marketing on the dark web as well, as crooks offer up their tools or services for money.


EKANS changes firewall settings in its attack. Image: Fortinet


The “now with new features” version of EKANS had some success in June.

Honda said it would not provide details of the June 7 attack, but reports said the car maker shut down plants in Ohio, Turkey, India and Latin America.

“We have resumed production at all of our manufacturing plants,” Honda said to Archer News on June 29.


Honda posts about “technical difficulties” on June 8. Image: Twitter/Honda


EKANS briefly interrupted some computer operations at Enel on the same day, according to the energy company.

“The Enel Group informs that on the evening of Sunday, June 7th, it handled an attack on its IT network, originating from an attempt to spread a new variant of EKANS ransomware,” the company told Archer News in an email statement.

Enel said there were “no critical concerning the remote control systems of distribution infrastructure and power plants” and that customer data was not exposed.

“All internal IT services were rapidly and efficiently restored, allowing all business activities to run smoothly,” the statement said.

Protect Yourself

There are more details about the malware analysis and help for defenders in Gutierrez and Hunter’s post about EKANS.

Slowik recommended that company make a plan for dealing with a ransomware attack, including planning how to restore your data and how to recover from it.

Don’t count on paying ransom to get your data back, for many reasons, he said.

For example, attackers can hide something in your data that will cause problems in the future.

Other advice includes keeping your systems up-to-date and creating separation between resources to minimize a ransomware spread.


Slowik isn’t sure if the industrial part of EKANS is a lucky accident or intentional design.

Either way, this evolving snake could make more trouble for companies with industrial control systems, or ICS.

“Maybe it’s not intended to disrupt physical operations, but has the distinct possibility of doing so,” Slowik said. “And that’s very concerning.”


Main image: Snake on laptop. Image: Sonsedska/iStock

Leave a Reply