{
	"id": "17e9263c-b21c-46e1-acfc-0387f24f2fc6",
	"created_at": "2026-04-10T03:21:12.391844Z",
	"updated_at": "2026-04-10T13:12:12.796981Z",
	"deleted_at": null,
	"sha1_hash": "350adb2139628661bb9380c07606dca36709704a",
	"title": "EKANS Ransomware Misconceptions and Misunderstandings",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 64820,
	"plain_text": "EKANS Ransomware Misconceptions and Misunderstandings\r\nBy Dragos, Inc.\r\nPublished: 2020-06-18 · Archived: 2026-04-10 02:53:34 UTC\r\nSince its initial public disclosure by Vitali Kremez, MalwareHunterTeam, and others on 06 January 2020, [1] a relatively new ransomware variant, referred to as EKANS by Dragos, has continued to operate against multiple high-profile organizations. [2] Beginning in 2020, the following organizations have experienced at least attempted intrusions, if not outright disruption, traced to this ransomware variant:\r\nFresenius Group [3]\r\nHonda [4]\r\nEnel Group [5]\r\nThis group of identified activity likely represents a subset of behavior, as other events are either disputed or nonpublic at this time. [6] Irrespective of specific victimology, EKANS incorporates certain specific functionality – previously deployed via stand-alone scripts or supporting tools [7] – directly into a ransomware executable.\r\nAs EKANS continues to develop and present itself in high-profile events, several misconceptions and misunderstandings have developed about the malware, its authors, and what it means for Industrial Control System (ICS) networks.\r\n1. Why EKANS, and how does EKANS relate to Snake, or Turla activity?\r\nWhen first reported in early January, the malware since referred to as EKANS by Dragos was labeled both EKANS and SNAKE by its original discoverers. On further analysis, Dragos referred to this malware as “EKANS” for several reasons:\r\nThe string “EKANS” is actually present in both the malware and in the malware’s operations on victim machines (by creating and checking a mutex value to prevent reinfection of the same victim).\r\nWhile “EKANS” is “SNAKE” spelled backwards, the word “SNAKE” did not appear in any observable aspect of the malware.\r\n“SNAKE” has a long-standing relationship with an existing threat actor, referred to variously as Turla, SNAKE, or VENOMOUS BEAR. 
[8] More significantly, this entity is associated with Russian state espionage activity and not ransomware deployment.\r\nWhile no consistent mechanism or convention exists for naming malware, Dragos adheres to the practice of naming malware based on observables or details within obtained samples. The existence of a long-running, state-sponsored threat referred to as “SNAKE” is reason for caution in referring to a new ransomware variant by the same name, if only to avoid confusion. Various outlets and individuals have already mistakenly made the connection between EKANS ransomware and the Turla actor based on the “SNAKE” reference – confusion best avoided given the possible repercussions of creating an unfounded link between these entities.\r\nhttps://www.dragos.com/blog/industry-news/ekans-ransomware-misconceptions-and-misunderstandings/\r\nPage 1 of 4\n\nGiven the potential consequences of linking a state-sponsored or -directed entity to multiple disruptive ransomware events, Dragos finds the use of the “SNAKE” label not just inaccurate (as it is not present in the malware), but dangerous as well. Ultimately, EKANS ransomware has no known, provable connection to the threat actor variously referred to as SNAKE, Turla, VENOMOUS BEAR, or other names. While the original discoverers – Vitali Kremez and MalwareHunterTeam – reserve the right to name this activity, given the use of both “SNAKE” and “EKANS” in public postings and the baggage associated with the former, Dragos emphasizes the desirability of using the latter to avoid confusion with state-sponsored cyberespionage activity.\r\n2. How does EKANS impact ICS assets?\r\nSince discovery, several reports have emerged about EKANS’ notional abilities relative to industrial assets. [9] While EKANS features several functional characteristics keyed to industrial environments – specifically process kill functionality related to ICS data historians, licensing servers, and similar items – such functionality is relatively simple, largely untargeted (given the lack of variation in the list of process names targeted between victims), and rather blunt in design.\r\nEKANS essentially internalizes an extensive process kill list associated with MegaCortex ransomware activity in mid- to late 2019, and potentially associated with LockerGoga events even earlier. Given the obfuscation mechanisms deployed, use in EKANS likely achieves a higher degree of defense evasion and functionality masking than these earlier examples. The only functionality associated with these items is forcibly killing a named process. This is much different from the subtle process manipulation and integrity destruction seen in (or attempted by) events such as Stuxnet, CRASHOVERRIDE, or TRISIS. [10]\r\nDragos assesses with high confidence that the process kill functionality built into EKANS is designed primarily to remove file locks from sensitive items – such as license keys or data stores – to extend the impact of a ransomware event by encrypting these vital files. While deeply concerning, this is significantly different from modifications to an industrial process to produce a potential physical disruption. Based on identified functionality, the most concerning aspect of EKANS is that its blunt, indiscriminate process termination functionality can lead to unintended side effects in production environments.\r\n
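As an added example, not code from the Dragos post or from Dragos, the Python script below shows the kind of host-level check that the process-termination discussion above argues for: because EKANS terminates a long, fixed list of named processes in quick succession, a burst of many distinct image terminations on one host within a few seconds is a usable detection signal, independent of which specific names are on the list. The sample event lines, host names, image names and the set of sensitive images are constructed placeholders (the post does not reproduce the kill list), and the gap and threshold values are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of process-termination records (not real telemetry).
# Each line: timestamp|host|image|user, the shape a normalised Windows
# Security 4689 (process exit) or Sysmon event 5 feed would give.
# Image names are placeholders; the post does not reproduce the EKANS kill list.
SAMPLE_EVENTS = '''
2020-06-07T01:00:05|hist01|notepad.exe|alice
2020-06-07T01:02:10|hist01|chrome.exe|alice
2020-06-07T01:40:00|hist01|historian_svc.exe|SYSTEM
2020-06-07T01:40:01|hist01|license_svc.exe|SYSTEM
2020-06-07T01:40:01|hist01|db_server.exe|SYSTEM
2020-06-07T01:40:02|hist01|backup_agent.exe|SYSTEM
2020-06-07T01:40:02|hist01|hmi_runtime.exe|SYSTEM
2020-06-07T01:40:03|hist01|av_service.exe|SYSTEM
2020-06-07T01:40:03|hist01|mail_client.exe|SYSTEM
2020-06-07T01:40:04|hist01|office_app.exe|SYSTEM
2020-06-07T02:15:00|eng02|notepad.exe|bob
'''.strip()

# Images whose termination matters in an industrial estate: historians,
# licence servers, databases. Assumed placeholder set; tune per site.
SENSITIVE = {'historian_svc.exe', 'license_svc.exe', 'db_server.exe'}

GAP = timedelta(seconds=30)   # max inter-arrival gap inside one burst (assumed)
DISTINCT_THRESHOLD = 6        # distinct images terminated before alerting (assumed)


def parse_events(text):
    # Returns a time-sorted list of (timestamp, host, image, user) tuples.
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, image, user = line.split('|')
        events.append((datetime.strptime(ts, '%Y-%m-%dT%H:%M:%S'), host, image, user))
    events.sort()
    return events


def cluster_by_host(events, gap=GAP):
    # Group each host's terminations into bursts: consecutive events whose
    # inter-arrival gap is at most gap land in the same burst.
    per_host = defaultdict(list)
    for ev in events:
        per_host[ev[1]].append(ev)
    bursts = []
    for host, evs in per_host.items():
        current = [evs[0]]
        for ev in evs[1:]:
            if ev[0] - current[-1][0] <= gap:
                current.append(ev)
            else:
                bursts.append((host, current))
                current = [ev]
        bursts.append((host, current))
    return bursts


def find_kill_bursts(events, gap=GAP, threshold=DISTINCT_THRESHOLD, sensitive=SENSITIVE):
    # A blunt kill list terminates many unrelated images within seconds;
    # routine maintenance stops one or two. Alert on the distinct-image
    # count per burst and report which sensitive images were among them.
    alerts = []
    for host, burst in cluster_by_host(events, gap):
        images = {ev[2] for ev in burst}
        if len(images) < threshold:
            continue
        alerts.append({
            'host': host,
            'start': burst[0][0],
            'end': burst[-1][0],
            'duration_s': int((burst[-1][0] - burst[0][0]).total_seconds()),
            'distinct_images': len(images),
            'sensitive_hits': sorted(images & sensitive),
            'users': sorted({ev[3] for ev in burst}),
        })
    return alerts


if __name__ == '__main__':
    for alert in find_kill_bursts(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The input shape assumes process-exit telemetry already normalised to one record per termination, which Windows Security event 4689 (A process has exited) or Sysmon event 5 (ProcessTerminate) can supply. The distinct-image count is what separates a kill list from routine service restarts, which stop one or two images; the sensitive set then tells the responder whether a historian or licence server was among the casualties. A complementary, simpler host check is for the mutex the post says the malware creates to avoid reinfecting a victim, using the name taken from a sample (the post does not give it).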
3. Is EKANS a state-sponsored or -directed activity against critical infrastructure?\r\nIn addition to the disambiguation with Turla provided above, other reports have surfaced allegedly linking EKANS activity to state-sponsored activity. [11] While the potential victimology in such reports may be accurate, ties to state-sponsored activity rely on indefensible logical leaps that simply are not proven after further analysis. [12]\r\nAlthough Dragos cannot completely or definitively disprove that EKANS is part of a state-sponsored or -directed effort, the preponderance of evidence would indicate otherwise. Among other items, the connection to past ransomware activity, such as MegaCortex, combined with subsequent victims in unrelated industries and regions, suggests that the case for EKANS as a disruptive tool tied to Iranian (or other) strategic interests is, at best, very weak.\r\nAll available evidence at present indicates EKANS is likely criminal activity designed for monetization, and not a state-sponsored, disruptive campaign masquerading as ransomware.\r\n4. Given the above, is Dragos suggesting that EKANS is therefore not that significant?\r\nThe above statement does not reflect Dragos’ position in the slightest. In evaluating items like EKANS, we must ensure balance between over-hyping threats out of proportion and minimizing activity so that it is not taken seriously. While EKANS is no Stuxnet or similar threat, EKANS does not resemble some sort of “play malware” that just so happens to feature ICS-specific references.\r\nEKANS represents one aspect of a continued evolution by multiple ransomware entities toward targeting industrial and critical infrastructure entities. Although relatively straightforward in behavior and functionality, EKANS remains a notable and significant threat to ICS operations. Even if its functionality is relatively “basic” in being limited to process termination, such activity performed at the wrong time or against the wrong system could lead to potentially disastrous process interruption. Although not designed to physically disrupt or destroy, malware such as EKANS brings the possibility of ICS-specific impacts, traditionally the province of state-directed activity, to likely criminally motivated actions.\r\nGiven the above, asset owners and operators should treat EKANS as a serious threat, and as a likely sign of continued evolution in ransomware operations. Malicious entities continue to refine their operations to target entities ranging from manufacturers through critical infrastructure providers, such as power and water utility companies. Such shifts are likely driven by the assumption that vital entities will pay a ransom to ensure continuous operation. Irrespective of motivation, ICS asset owners and operators are at increasing risk of ever more refined malware operations targeting their organizations. Discounting the threat posed by items such as EKANS due to a perceived lack of sophistication is not merely misguided but may potentially lead to operational disaster.\r\nICS asset owners and operators find themselves in an increasingly contested environment, with both state-sponsored and criminally motivated entities interested in this operational space. To combat such efforts, organizations must invest in increasing visibility – across network, host, and process areas – and the ability to respond to and remediate potential disruptions. Only by identifying potential threats at the earliest possible instance and having the capacity to recover and restore operations to a recent known-good state can industrial operators forge resilience in the face of an ever-more hostile threat landscape.\r\nReferences:\r\n[1] Vitali Kremez (https://twitter.com/VK_Intel/status/1214333066245812224?s=20); SNAKE Ransomware is the Next Threat Targeting Business Networks – BleepingComputer (https://www.bleepingcomputer.com/news/security/snake-ransomware-is-the-next-threat-targeting-business-networks/)\r\n[2] EKANS Ransomware and ICS Operations – Dragos (https://www.dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/); Dragos WorldView customers should consult TR-2020-02 EKANS Ransomware and ICS Operations\r\n[3] European Health Care Giant Fresenius Group Grappling with Computer Virus – CyberScoop (https://www.cyberscoop.com/fresenius-health-care-cyberattack-coronavirus/); Dragos WorldView customers should consult AA-2020-16 Ransomware Activity Impacting European Medical and Pharmaceutical Manufacturing\r\n[4] Is There a “Snake” Under Honda’s Hood? – CISO Magazine (https://www.cisomag.com/honda-snake-ransomware-attack/); Snake Ransomware Delivers Double-Strike on Honda, Energy Co. – ThreatPost (https://threatpost.com/snake-ransomware-honda-energy/156462/); Dragos WorldView customers should consult AA-2020-21 EKANS Activity at Multinational Manufacturing and Energy Companies\r\n[5] SNAKE Ransomware Affected Enel Group’s Internal Network – TripWire (https://www.tripwire.com/state-of-security/security-data-protection/snake-ransomware-affected-enel-groups-internal-network/); Snake Ransomware Delivers Double-Strike on Honda, Energy Co. – ThreatPost (https://threatpost.com/snake-ransomware-honda-energy/156462/); Dragos WorldView customers should consult AA-2020-21 EKANS Activity at Multinational Manufacturing and Energy Companies\r\n[6] Getting the Story Right, and Why It Matters – Joe Slowik (https://pylos.co/2020/01/28/getting-the-story-right-and-why-it-matters/)\r\n[7] New Version of MegaCortex Targets Business Disruption – Accenture (https://www.accenture.com/us-en/blogs/blogs-megacortex-business-disruption); Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT – FireEye (https://www.fireeye.com/blog/threat-research/2020/02/ransomware-against-machine-learning-to-disrupt-industrial-production.html)\r\n[8] Turla – MITRE (https://attack.mitre.org/groups/G0010/); Meet CrowdStrike’s Adversary of the Month for March: VENOMOUS BEAR – CrowdStrike (https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-march-venomous-bear/)\r\n[9] Honda Hackers May Have Used Tools Favored by Countries – The New York Times (https://www.nytimes.com/2020/06/12/business/ransomware-honda-hacking-factories.html)\r\n[10] Stuxnet to CRASHOVERRIDE to TRISIS: Evaluating the History and Future of Integrity-Based Attacks on Industrial Environments – Joe Slowik, Dragos\r\n[11] Ransomware Linked to Iran, Targets Industrial Controls – Bloomberg (https://www.bloomberg.com/news/articles/2020-01-28/-snake-ransomware-linked-to-iran-targets-industrial-controls)\r\n[12] Getting the Story Right, and Why It Matters – Joe Slowik (https://pylos.co/2020/01/28/getting-the-story-right-and-why-it-matters/)\r\nSource: https://www.dragos.com/blog/industry-news/ekans-ransomware-misconceptions-and-misunderstandings/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.dragos.com/blog/industry-news/ekans-ransomware-misconceptions-and-misunderstandings/"
	],
	"report_names": [
		"ekans-ransomware-misconceptions-and-misunderstandings"
	],
	"threat_actors": [],
	"ts_created_at": 1775791272,
	"ts_updated_at": 1775826732,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/350adb2139628661bb9380c07606dca36709704a.pdf",
		"text": "https://archive.orkl.eu/350adb2139628661bb9380c07606dca36709704a.txt",
		"img": "https://archive.orkl.eu/350adb2139628661bb9380c07606dca36709704a.jpg"
	}
}