{
	"id": "959ee8aa-1e25-455c-b8dd-9af4cda88bbf",
	"created_at": "2026-04-06T03:35:56.220334Z",
	"updated_at": "2026-04-10T13:11:33.980738Z",
	"deleted_at": null,
	"sha1_hash": "2d15294bb7a0b661eb4888633c5ac793377793f1",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 52925,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-06 03:12:57 UTC\nTool: EKANS\nNames\nEKANS\nSnake\nSNAKEHOSE\nCategory Malware\nType ICS malware, Ransomware, Big Game Hunting\nDescription\n(Dragos) EKANS ransomware emerged in mid-December 2019, and Dragos published a private report to Dragos WorldView Threat Intelligence customers early January 2020. While relatively straightforward as a ransomware sample in terms of encrypting files and displaying a ransom note, EKANS featured additional functionality to forcibly stop a number of processes, including multiple items related to ICS operations. While all indications at present show a relatively primitive attack mechanism on control system networks, the specificity of processes listed in a static “kill list” shows a level of intentionality previously absent from ransomware targeting the industrial space. ICS asset owners and operators are therefore strongly encouraged to review their attack surface and determine mechanisms to deliver and distribute disruptive malware, such as ransomware, with ICS-specific characteristics.\nInformation\nMITRE ATT\u0026CK Malpedia AlienVault OTX Playbook\nLast change to this tool card: 30 December 2022\nAll groups using tool EKANS\nChanged Name Country Observed\nUnknown groups\n_[ Interesting malware not linked to an actor yet ]_\n1 group listed (0 APT, 0 other, 1 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=8236a50f-f937-4e6e-b935-8dea58971dfa",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=8236a50f-f937-4e6e-b935-8dea58971dfa"
	],
	"report_names": [
		"listgroups.cgi?u=8236a50f-f937-4e6e-b935-8dea58971dfa"
	],
	"threat_actors": [],
	"ts_created_at": 1775446556,
	"ts_updated_at": 1775826693,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2d15294bb7a0b661eb4888633c5ac793377793f1.pdf",
		"text": "https://archive.orkl.eu/2d15294bb7a0b661eb4888633c5ac793377793f1.txt",
		"img": "https://archive.orkl.eu/2d15294bb7a0b661eb4888633c5ac793377793f1.jpg"
	}
}