{
	"id": "f4804d23-776b-4fba-9fcc-ded56b0360d9",
	"created_at": "2026-04-06T00:19:20.106726Z",
	"updated_at": "2026-04-10T03:22:00.913697Z",
	"deleted_at": null,
	"sha1_hash": "d6ec94ca287c9d2338b6d57ea509e2629ac55d7f",
	"title": "EKANS Ransomware: A Malware Targeting OT ICS Systems | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3892257,
	"plain_text": "EKANS Ransomware: A Malware Targeting OT ICS Systems | FortiGuard Labs\r\nPublished: 2020-07-01 · Archived: 2026-04-05 20:28:48 UTC\r\nAccording to the 2020 Verizon Data Breach Investigations Report, ransomware accounted for 27% of malware incidents in\r\n2019. This may not seem like a lot, but when you consider the impact it has on an organization, you can understand why it’s\r\noften the malware that makes the news headlines. Over the last few years, the impact has worsened due to adversaries\r\nmoving to a more targeted attack method, rather than the traditional “spray and pray” method of infecting as many potential\r\nvictims as possible.\r\nThis up-front investment in time and resources has proven fruitful for attackers, especially as they focus on specific\r\nindustries, with healthcare as well as state and local governments emerging as high-profile targets during the course of\r\n2020. The latest industry targeted with ransomware is Industrial Control Systems/Operational Technology. This blog will\r\nbreak down at a high level the latest EKANS ransomware, general TTP trends, and related protections for targeted\r\nransomware attacks.\r\nAffected platforms: Windows Operating Systems\r\nImpacted parties: Industrial Control Systems and a variety of applications\r\nImpact: Data Encrypted for Impact – Mitre ID:T1486\r\nSeverity level: High\r\nEKANS Ransomware\r\nThrough one of our trusted partnerships, FortiGuard Labs was provided with an EKANS sample to analyze around the end\r\nof May. A more recent June version was independently sourced by FortiGuard Labs.\r\nMay Variant\r\nMD5: 47EBE9F8F5F73F07D456EC12BB49C75D\r\nSHA256: 2ED3E37608E65BE8B6E8C59F8C93240BD0EFE9A60C08C21F4889C00EB6082\r\nJune Variant\r\nMD5: ED3C05BDE9F0EA0F1321355B03AC42D0\r\nSHA256: D4DA69E424241C291C173C8B3756639C654432706E7DEF5025A649730868C4\r\nEach of these samples is written in the GO programming language. 
The GO programming language first appeared around\r\n2009 and has slowly gained popularity within the malware community.\r\nThe Difficulty of Analyzing EKANS Malware - “Go”ing to Create a Custom IDA Plugin\r\nOne of the advantages of GO, compared to other programming languages, is that the code can be easily compiled to work on different platforms and architectures, such\r\nas MacOS, Microsoft Windows, and the Linux operating system. One of\r\nthe disadvantages, however, is that the binaries are noticeably larger in size. A simple “Hello World” program can produce a\r\nhttps://www.fortinet.com/blog/threat-research/ekans-ransomware-targeting-ot-ics-systems\r\nPage 1 of 27\n\nbinary 1 MB in size. To combat bulky file sizes, GO allows a programmer to strip binaries during compilation. Most of the\r\ninformation that gets removed is typically used by debuggers.\r\nAs it turns out, this size problem is actually helpful to malware authors. By having a larger file size, manual analysis will\r\ninevitably take longer. Moreover, it can easily be overlooked, since typical malware files have a much smaller file size in the\r\nfirst place. By stripping the binaries of debugging information, malware analysts will have another stumbling block to\r\novercome.\r\nLooking more closely at the given files, we can see that they are indeed stripped and offer no clues for the malware analyst.\r\nFigure 1. Number of Functions to Analyze\r\nThe typical malware may have hundreds of functions, and some will already be recognized in the malware analysis\r\nindustry’s unofficial default disassembler, IDA. With stripped GO binaries, however, IDA is unable to recognize normal\r\nlibrary functions, leaving the malware analyst with more than 5000 functions to sift through.\r\nBecause of this problem, we developed an EKANS-specific IDA plugin in-house to help with analysis in conjunction with\r\nother GO-specific analysis techniques.\r\nFigure 2. 
Custom IDA Plugin Developed by FortiGuard Labs\r\nAs can be seen above, there are over 2100 encrypted strings, almost 2400 obfuscated function names, and over 1200 strings\r\nthat needed fixing in the May variant of EKANS.\r\nBoth of these variants perform all of the typical ransomware activities you would expect, such as encrypting files and\r\nleaving a ransom note telling the victim to contact the attackers at a specified email address to receive instructions on how to pay the\r\nransom and decrypt their files. But they also perform actions that are not so typical. Below is a high-level list of these\r\nactivities in sequence, with the main notable difference, turning off the host firewall, found in the June variant:\r\nConfirms Target Environment\r\nIsolates the Infected System (Host Firewall)\r\nDecodes the Public RSA Key Used in the File Encryption Process\r\nIdentifies and Stops Specific Services and Processes\r\nDeletes Shadow Copies\r\nEncrypts Files\r\nTurns Off Host Firewall\r\nFigure 3. High-Level Flow of EKANS ransomware functions\r\nIt is important to note that turning off the host firewall seems to have been a new addition to the malware family’s\r\nfunctionality. This was not present in the older May variant. Another interesting addition was to turn on the firewall before\r\nencrypting, probably to hamper AVs and other defense solutions by blocking any communication from their agents.\r\nConfirming the Target Environment for EKANS Ransomware\r\nThe ransomware starts out by attempting to confirm its target by resolving the domain belonging to the victim’s company, as\r\nwell as comparing the resolved domain to a specific IP. If the domain/IP is not available, the routine exits.\r\nFigure 4. 
Malware confirming its target\r\nLooking deeper into the environmental checks, we noticed that the May variant of EKANS tries to resolve the IP address of\r\nADS.****.COM. The subdomain belongs to a global health care provider that specializes in the treatment of chronic\r\nkidney conditions.\r\nFigure 5. Subdomain IP Check\r\nThis subdomain does not seem to be publicly available, which means that the May variant will only execute if it has\r\ninfiltrated the network. If this is successful, then another check is performed. EKANS checks to see if “10.2.10.4” is the IP\r\naddress of this subdomain.\r\nFigure 6. IP Compare\r\nAnother piece of information that the May variant of EKANS is looking for is the current machine’s role within the domain.\r\nFigure 7. Domain Role Check\r\nA WMI query will be performed to determine this. Microsoft defines domain roles as follows:\r\n0: Standalone Workstation\r\n1: Member Workstation\r\n2: Standalone Server\r\n3: Member Server\r\n4: Backup Domain Controller\r\n5: Primary Domain Controller\r\nEKANS is apparently looking to infect a domain controller on the network. If successful, this can affect security\r\nauthentication requests within the network domain, thereby severely impacting networked users. With the aforementioned\r\ndata points, EKANS will have enough to build a proper mutex.\r\nFigure 8. Mutex Creation\r\nThe mutex will consist of the string “Global\\” followed by “EKANS” and a part of the IP string. On a side note, the\r\nauthor(s) of EKANS may be a fan of the Highlander movies/TV series, where the phrase “there can be only one” was\r\npopularized.\r\nFigure 9. 
Exit Message\r\nIsolating a System Infected by EKANS Ransomware\r\nThe next step taken by the June variant that FortiGuard Labs engineers encountered was to execute the following netsh\r\ncommands in order to block any inbound and outbound traffic that might interfere with the\r\nencryption process:\r\nnetsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound\r\nnetsh advfirewall set allprofiles state on\r\nFigure 10. Malware isolating infected system\r\nFigure 11. netsh.exe running to change host firewall settings.\r\nDecoding EKANS Ransomware’s Public RSA Key\r\nNext, the malware goes through its encryption functions, which, as in many ransomware variants, are embedded in the\r\nmalware. The public RSA key is XOR decoded and then parsed with the ParsePKCS1PublicKey function; RSA is used to\r\nencrypt data.\r\nFigure 12. RSA key decoded\r\nFigure 13. Public key being parsed by the ParsePKCS1PublicKey function\r\nEKANS Malware Identifies and Stops Services and Processes\r\nIn both variants, EKANS will decode strings associated with services and attempt to stop them. The May variant, for some\r\nreason, contains duplicate services.\r\nFigure 14. Service Redundancy\r\nOverall, there are nine services that are repeatedly decrypted by the May variant of EKANS in an attempt to stop them. They\r\nare:\r\nMSSQLFDLauncher$PROFXENGAGEMENT, ReportServer$TPS, SQLBrowser, MSSQLServerADHelper,\r\nSQLAgent$PROD, msftesql$PROD, SQLAgent$SOPHOS, VeeamEnterpriseManagerSvc, and ArcserveUDPPS\r\nAfter decoding all the required strings (see Appendix A), both variants of the ransomware open the SCM (OpenSCManager)\r\nand use EnumServicesStatusEx. 
It iterates over the services and stops any service contained in the decoded string list.\r\nThe service stop operation uses the following calls:\r\nOpenService (SC_MANAGER_ENUMERATE_SERVICE)\r\nServiceControl (SERVICE_CONTROL_STOP)\r\nServiceQuery\r\nFigure 15. Identifies and stops specific services.\r\nEKANS Also Identifies and Kills Processes\r\nThe ransomware then enumerates running processes and terminates each process within a predefined process list (see\r\nAppendix B). The following code handles the process termination:\r\nFigure 16. Malware terminates specific processes.\r\nEKANS Deletes Shadow Copies\r\nEKANS then deletes shadow copies, which is done via WMI’s WbemScripting.SWbemNamedValueSet object. The query\r\nthat locates the shadow copy objects is the usual:\r\nSELECT * FROM Win32_ShadowCopy\r\nThis is common behavior for ransomware, intended to make it more difficult to recover files. There are many ways to achieve this. If\r\nyou’re interested in learning more, please read Ben Hunter’s “Stomping Shadow Copies – A Second Look into Deletion\r\nMethods” blog.\r\nThe May variant accomplishes this by using COM programming. EKANS connects to the WMI service via COM objects in\r\norder to use shared libraries, utilizing code similar to https://raw.githubusercontent.com/go-ole/go-ole/master/guid.go, which\r\nis used by various other legitimate GO software as well as other malicious binaries.\r\nFigure 17. COM Objects Used\r\nEKANS Ransomware Encrypts Files\r\nBefore running the encryption function, the ransomware decodes the strings of all of the relevant file extensions to encrypt\r\n(see Appendix C).\r\nIn order to keep the system able to at least boot and load, certain files and folders are skipped in the encryption\r\nprocess. 
These files are avoided in the May variant of EKANS.\r\nFigure 18. Files Avoided by the May Variant\r\nAt the same time, any files and folders that contain the following directories in their path are also skipped in the file\r\nencryption process by the May variant.\r\nFigure 19. Folders Avoided by May Variant\r\nThe following file types are also avoided by the May variant.\r\nFigure 20. File Types Avoided by May Variant\r\nBoth variants also build the following regex used to exclude encryption targets.\r\nFigure 21. Malware excluding encryption targets\r\nHowever, during the actual file encryption process, the list of targeted file types is not actually checked by the May variant\r\nof the ransomware. The May variant will encrypt any file type as long as it does not violate any of its avoidance rules.\r\nThe encryption details seem identical to the operating methods described here: https://www.ccn-cert.cni.es/pdf/5045-ccn-cert-id-15-20-snake-locker-english-1/file.html\r\nA public RSA key is used to encrypt each of the AES keys used to encrypt files.\r\nFile encryption uses AES in CTR mode, with a random key and a random IV.\r\nThe AES key is encrypted with RSA-OAEP, using RIPEMD-160 as its hash function.\r\nThe AES encrypted key, along with the original file name, is encoded using GOB (Go’s gob serialization format), and\r\nis written at the end of the file.\r\nFirst, it enumerates all valid drive letters from A to Z using GetLogicalDriveStringsW.\r\nFigure 22. Drive Enumeration\r\nInterestingly enough, the code shown in the figure below shows that the May variant of EKANS only targets removable\r\ndrives (such as thumb drives) and fixed drives (such as hard disks or flash storage devices). It does not try to reach\r\nmachines on the network. 
\r\nFigure 23. Drive Types Targeted\r\nIt then creates multiple threads for these drives.\r\nFigure 24. Enumerating valid drive letters.\r\nEach thread then creates eight workers (threads) that perform the encryption. These workers use channels to synchronize\r\nthemselves.\r\nFigure 25. Threads performing encryption\r\nAfter creating the eight workers, the thread waits for them to finish. After all of them are done, it renames the files on the\r\nsystem by generating a random 5-digit string, which is then appended to the file’s name.\r\nFigure 26. Malware renaming files.\r\nThe single-file encryption flow is relatively simple:\r\nOpens a file\r\nChecks to see if it already has the EKANS stamp at the file’s end. If not, it encrypts the file via AES as seen in the\r\nfollowing loop:\r\nEncryption (it overwrites the file rather than creating a new one)\r\nFirst, it initializes a cipher:\r\nFigure 27. Malware initiates Cipher\r\nAfter the encryption process has completed, the May variant of EKANS drops the ransom note as “Decrypt-Your-Files.txt” either on the root system drive or on the user’s desktop.\r\nFigure 28. Ransom Note\r\nFinally, EKANS Turns Off Host Firewall\r\nFor machines infected with the June variant, the ransomware ends with another command to turn off the firewall. 
\r\nEKANS Mitre TTPs\r\nExecution\r\nComponent Object Model and Distributed COM (Mitre ATT\u0026CK ID: T1175)\r\nEKANS executes WMI queries via COM objects\r\nDefense Evasion\r\nDisabling Security Tools (Mitre ATT\u0026CK ID: T1089)\r\nEKANS attempts to kill processes and stop services (see Appendix)\r\nExecution Guardrails (Mitre ATT\u0026CK ID: T1480)\r\nEKANS checks the network, IP, and domain role\r\nIndirect Command Execution (Mitre ATT\u0026CK ID: T1202)\r\nnetsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound\r\nnetsh advfirewall set allprofiles state on\r\nVirtualization/Sandbox Evasion (Mitre ATT\u0026CK ID: T1497)\r\nEKANS attempts to disable virtualization services and processes (see Appendix)\r\nDiscovery\r\nFile and Directory Discovery (Mitre ATT\u0026CK ID: T1083)\r\nEKANS builds a list of files and directories that need to be encrypted\r\nPeripheral Device Discovery (Mitre ATT\u0026CK ID: T1120)\r\nEKANS will attempt to encrypt files on removable drives such as USB drives\r\nProcess Discovery (Mitre ATT\u0026CK ID: T1057)\r\nEKANS will attempt to terminate certain processes (see Appendix)\r\nSecurity Software Discovery (Mitre ATT\u0026CK ID: T1063)\r\nEKANS will attempt to disable certain security software (see Appendix)\r\nSoftware Discovery (Mitre ATT\u0026CK ID: T1518)\r\nEKANS will attempt to disable certain ICS processes (see Appendix)\r\nSystem Information Discovery (Mitre ATT\u0026CK ID: T1082)\r\nEKANS checks for the existence of a mutex\r\nEKANS checks for the system’s role in the domain\r\nSystem Network Configuration Discovery (Mitre ATT\u0026CK ID: T1049)\r\nEKANS queries the network to see if it is part of the targeted domain\r\nSystem Service Discovery (Mitre ATT\u0026CK ID: T1007)\r\nEKANS will attempt to halt certain services (see Appendix)\r\nImpact\r\nData Encrypted for Impact (Mitre ATT\u0026CK ID: T1486)\r\nEKANS will encrypt certain files to be ransomed\r\nInhibit System Recovery (Mitre ATT\u0026CK ID: T1490)\r\nEKANS deletes shadow copies to prevent recovery of encrypted files\r\nNetwork Denial of Service (Mitre ATT\u0026CK ID: T1498)\r\nInfected domain controllers may prevent users from logging into the network\r\nService Stop (Mitre ATT\u0026CK ID: T1489)\r\nEKANS will attempt to halt certain services (see Appendix)\r\nGeneral TTP Trends\r\nUnderstanding the ransomware and some of its indicators of compromise (IOCs), such as hashes, URLs, IP addresses, and\r\ndomains, is a good first defense. But be warned that these IOCs often change and can circumvent legacy security controls.\r\nAnd because these attacks are more targeted, it’s also important to understand the activity the offensive operator takes once\r\nthey’re in the environment. The earlier you can disrupt their plans, before the malware executes, the better off you will be. While\r\nevery targeted attack is unique, there are some trends – especially in the way an attacker works – that, if understood, can\r\nprovide a better view into your ability to detect their attack methods and more effectively block them.\r\nLet’s take a look at some of the trends we often see from our FortiGuard Managed Detection and Response and Incident\r\nResponse Services.\r\nInitial Access\r\nThere are many ways to access a network, but the two we continue to observe are:\r\nExternal Remote Services (Mitre ATT\u0026CK ID:T1133)\r\nExploiting existing vulnerabilities and weak credentials on RDP sessions that are publicly exposed. 
\r\nSpear Phishing Attachments and Links (Mitre ATT\u0026CK ID:T1193 and ID:T1192)\r\nThe malware delivery method of choice these days is still the spear phishing email.\r\nOS Credential Dumping\r\nOnce the adversary establishes their initial access into the environment, they need to continue penetrating deeper into the\r\nnetwork. To do so, they first need the right access, which is why credential dumping is a common activity. There are many\r\ntechniques to achieve the dumping of credentials, as the Windows Operating System has many different places where it stores or\r\ncaches credentials. Below is one common technique we see as a trend:\r\nOS Credential Dumping – LSASS Memory (Mitre ATT\u0026CK ID:T1003.001)\r\nThe LSASS process stores credentials of users that are logged in to a system. Many tools are available to\r\nextract this credential information.\r\nIf you want to read more on OS Credential Dumping, please view our Offense and Defense – A Tale of Two Sides:\r\n(Windows) OS Credential Dumping blog.\r\nLateral Movement\r\nWhen the adversary has the right access to spread their malware from system to system, they simply need to copy and\r\nremotely execute the payload. One tool that can achieve just that is found on many Windows Operating Systems. It is called\r\nPSEXEC, which is part of the Sysinternals suite. This tool is used by many system admins to help administer the network, but it\r\nis also often used by the adversary.\r\nLateral Tool Transfer (Mitre ID:T1570)\r\nMany tools can be used to copy and remotely execute a piece of software. The PSEXEC tool is one of them.\r\nWhen psexec.exe runs, it will copy the psexecsvc.exe file to the remote system, which is used to start and run\r\nthe malicious software as a service. 
It’s also worth mentioning that it will use Windows admin shares such as\r\nC$, IPC$, ADMIN$.\r\nDefense Evasion\r\nAs a security community, we have gotten better at identifying malicious software and tools. As a result, adversaries have had\r\nto take that into consideration by adding additional steps to disable defensive controls such as anti-malware, or by disabling\r\nWindows event logging.\r\nImpair Defenses - Disable or Modify Tools (Mitre ID:T1562.001)\r\nIf the adversary has administrator access, it may be possible to uninstall or shut down services such as\r\nMicrosoft Defender. They will uninstall the service, run their malware, and then reinstall the service.\r\nImpair Defenses - Disable Windows Event Logging (Mitre ID:T1562.002)\r\nLogs are a great source for detecting anomalies on your hosts, and companies are collecting these logs\r\ncentrally and monitoring them for those anomalies. To defeat this process, adversaries will disable event\r\nlogging or suppress logs so they can’t be viewed by the monitoring tool or process.\r\nDefense Evasion/Privilege Escalation/Persistence\r\nEventually, the attacker will execute the ransomware (or malware in general) on targeted systems. An efficient way to do\r\nthis, if the attacker has access to the domain controllers, is to leverage group policies (GPOs) and Windows logon scripts.\r\nGPOs and logon scripts are used by system admins for central management and OS configuration settings for users’\r\nenvironments. These tools, which are part of an Active Directory environment, are modified by an attacker to deploy and\r\nexecute their malware.\r\nGroup Policy Modification (GPO) (Mitre ID:T1484)\r\nThe attacker can create a group policy preference scheduled task policy within a Default Domain Policy that\r\nwill deliver the malware and execute it on all machines within the AD domain. 
\r\nBoot or Logon Initialization Scripts: Logon Script – Windows (Mitre ID:T1037.001)\r\nBecause logon scripts can be run when users log in to systems in an AD domain, an attacker can add their\r\nmalicious payload to the script to execute.\r\nConclusion: Prepare for Ransomware Threats Beyond EKANS\r\nIn this blog, we focused not only on one of the latest ransomware variants targeting ICS/OT environments, but also on some of\r\nthe TTP trends our FortiGuard team has observed over the last year or two. We encourage you to take a look not only at the\r\ntechniques we described here, but also at the other techniques that are documented in the Mitre ATT\u0026CK knowledge base.\r\nThen start testing your current security controls against these techniques to ensure you can detect or protect against them.\r\nIf you find gaps, document them and use them as a guide to build a prioritized action plan for improvement. Lastly, if you\r\nare responsible for the ICS environment, there is now a Mitre ATT\u0026CK ICS knowledge base specifically for adversary\r\nactions taking place in an Industrial Control System network.\r\nHow Fortinet Protects Organizations from EKANS\r\nFortinet offers a suite of platforms and services to help protect organizations from ransomware and malware, including\r\nEKANS. Here’s how it works:\r\nFortiEDR Platform: Identification \u0026 Blocking of EKANS\r\nFortinet’s FortiEDR Platform detects and blocks the EKANS malware. When activity tries to run, such as changing the\r\nWindows firewall settings or encrypting files, FortiEDR identifies and blocks the malicious activity.\r\nFigure 29. FortiEDR blocking malicious netsh.exe activity.\r\nFigure 30. FortiEDR identifying specific command line activity.\r\nFigure 31. 
FortiEDR blocking the file encryption activity.\r\nFortiGuard Anti-Virus Services\r\nThese ransomware variants are blocked with the signatures W32/Ekans.42D0!tr.ransom, W32/Ekans.C75D!tr.ransom, and\r\nW32/Ekans.62B8!tr.ransom.\r\nFortiDeceptor: Deception-based Breach Protection\r\nFortiDeceptor allows organizations to rapidly create a fabricated deception network through the automatic deployment of\r\ndecoys and lures that seamlessly integrate with an existing IT/OT infrastructure, enticing attackers into revealing\r\nthemselves. FortiDeceptor helps serve as an early warning system by providing accurate detection that correlates an\r\nattacker’s activity details and lateral movement that feeds up to a broader threat campaign. Threat intelligence captured from\r\ndecoys is shared within the Security Fabric so automatic protection can be applied, disrupting attacks before any real\r\ndamage is done.\r\nAppendix A – Services Targeted by EKANS\r\nMay Variant\r\nAcronis VSS Provider, Enterprise Client Service, Sophos Agent, Sophos AutoUpdate Service, Sophos Clean Service,\r\nSophos Device Control Service, Sophos File Scanner Service, Sophos Health Service, Sophos MCS Agent, Sophos MCS\r\nClient, Sophos Message Router, Sophos Safestore Service, Sophos System Protection Service, Sophos Web Control Service,\r\nSQLsafe Backup Service, SQLsafe Filter Service, Symantec System Recovery, Veeam Backup Catalog Data Service,\r\nAcronisAgent, AcrSch2Svc, Antivirus, ARSM, BackupExecAgentAccelerator, BackupExecAgentBrowser,\r\nBackupExecDeviceMediaService, BackupExecJobEngine, BackupExecManagementService, BackupExecRPCService,\r\nBackupExecVSSProvider, bedbg, DCAgent, EPSecurityService, EPUpdateService, EraserSvc11710, EsgShKernel,\r\nFA_Scheduler, IISAdmin, IMAP4Svc, macmnsvc, masvc, MBAMService, MBEndpointAgent, McAfeeEngineService,\r\nMcAfeeFramework, 
McAfeeFrameworkMcAfeeFramework, McShield, McTaskManager, mfemms, mfevtp,\r\nmozyprobackup, MsDtsServer, MsDtsServer100, MsDtsServer110, MSExchangeES, MSExchangeIS, MSExchangeMGMT,\r\nMSExchangeMTA, MSExchangeSA, MSExchangeSRS, MSOLAP$SQL_2008, MSOLAP$SYSTEM_BGC,\r\nMSOLAP$TPS, MSOLAP$TPSAMA, MSSQL$BKUPEXEC, MSSQL$ECWDB2, MSSQL$PRACTICEMGT,\r\nMSSQL$PRACTTICEBGC, MSSQL$PROFXENGAGEMENT, MSSQL$SBSMONITORING, MSSQL$SHAREPOINT,\r\nMSSQL$SQL_2008, MSSQL$SYSTEM_BGC, MSSQL$TPS, MSSQL$TPSAMA, MSSQL$VEEAMSQL2008R2,\r\nMSSQL$VEEAMSQL2012, MSSQLFDLauncher, MSSQLFDLauncher$PROFXENGAGEMENT,\r\nMSSQLFDLauncher$SBSMONITORING, MSSQLFDLauncher$SHAREPOINT, MSSQLFDLauncher$SQL_2008,\r\nMSSQLFDLauncher$SYSTEM_BGC, MSSQLFDLauncher$TPS, MSSQLFDLauncher$TPSAMA, MSSQLSERVER,\r\nMSSQLServerADHelper100, MSSQLServerOLAPService, MySQL57, ntrtscan, OracleClientCache80, PDVFSService,\r\nPOP3Svc, ReportServer, ReportServer$SQL_2008, ReportServer$SYSTEM_BGC, ReportServer$TPS,\r\nReportServer$TPSAMA, RESvc, sacsvr, SamSs, SAVAdminService, SAVService, SDRSVC, SepMasterService, ShMonitor,\r\nSmcinst, SmcService, SMTPSvc, SNAC, SntpService, sophossps, SQLAgent$BKUPEXEC, SQLAgent$ECWDB2,\r\nSQLAgent$PRACTTICEBGC, SQLAgent$PRACTTICEMGT, SQLAgent$PROFXENGAGEMENT,\r\nSQLAgent$SBSMONITORING, SQLAgent$SHAREPOINT, SQLAgent$SQL_2008, SQLAgent$SYSTEM_BGC,\r\nSQLAgent$TPS, SQLAgent$TPSAMA, SQLAgent$VEEAMSQL2008R2, SQLAgent$VEEAMSQL2012, SQLBrowser,\r\nSQLSafeOLRService, SQLSERVERAGENT, SQLTELEMETRY, SQLTELEMETRY$ECWDB2, SQLWriter, SstpSvc,\r\nsvcGenericHost, swi_filter, swi_service, swi_update_64, TmCCSF, tmlisten, TrueKey, TrueKeyScheduler,\r\nTrueKeyServiceHelper, UI0Detect, VeeamBackupSvc, VeeamBrokerSvc, VeeamCatalogSvc, VeeamCloudSvc,\r\nVeeamDeploymentService, VeeamDeploySvc, VeeamEnterpriseManagerSvc, VeeamMountSvc, VeeamNFSSvc,\r\nVeeamRESTSvc, VeeamTransportSvc, W3Svc, wbengine, WRSVC, VeeamHvIntegrationSvc, swi_update,\r\nSQLAgent$CXDB, SQLAgent$CITRIX_METAFRAME, SQL Backups, MSSQL$PROD, Zoolz 2 
Service,\r\nMSSQLServerADHelper, SQLAgent$PROD, msftesql$PROD, NetMsmqActivator, EhttpSrv, ekrn, ESHASRV,\r\nMSSQL$SOPHOS, SQLAgent$SOPHOS, klnagent, MSSQL$SQLEXPRESS, SQLAgent$SQLEXPRESS, kavfsslp,\r\nKAVFSGT, KAVFS, mfefire, avast! Antivirus, aswBcc, Avast Business Console Client Antivirus Service, mfewc,\r\nTelemetryserver, WdNisSvc, WinDefend, MCAFEETOMCATSRV530, MCAFEEEVENTPARSERSRV,\r\nMSSQLFDLauncher$ITRIS, MSSQL$EPOSERVER, MSSQL$ITRIS, SQLAgent$EPOSERVER, SQLAgent$ITRIS,\r\nSQLTELEMETRY$ITRIS, MsDtsServer130, SSISTELEMETRY130, MSSQLLaunchpad$ITRIS, BITS,\r\nBrokerInfrastructure, epag, EPIntegrationService, EPProtectedService, epredline, TmPfw, SentinelAgent,\r\nSentinelHelperService, LogProcessorService, SentinelStaticEngine, DB2GOVERNOR_DB2COPY1,\r\nDB2LICD_DB2COPY1, DB2MGMTSVC_DB2COPY1, DB2REMOTECMD_DB2COPY1, DB2DAS00, DB2-0,\r\nDB2INST2, IBMDataServerMgr, IBMDSServer41, MSSQL$CITRIX_METAFRAME, RumorServer, myAgtSvc, McAfee\r\nSiteAdvisor Enterprise Service, Alerter, ERSvc, Eventlog, ImapiService, NetDDE, NtLmSsp, NtmsSvc, odserv,\r\nSnowInventoryClient, TlntSvr, VMTools, VMware, WebClient, WinVNC4, BlueStripeCollector, Cissesrv, CpqRcmc3,\r\ngupdate, gupdatem, HealthService, NimbusWatcherService, ProLiantMonitor, SDD_Service, sysdown, System,\r\nGoogleChromeElevationService, bcrservice, ccEvtMgr, ccSetMgr, CSAdmin, CSAuth, CSDbSync, CSLog, CSMon,\r\nCSRadius, CSTacacs, Symantec, VGAuthService, SepMasterServiceMig, vmware-converter-agent, vmware-converter-server, vmware-converter-worker, avbackup, MSSQL$NET2, Net2ClientSvc, NetSvc, SQLAgent$NET2, tpautoconnsvc,\r\nTPVCGateway, VMwareCAFCommAmqpListener, VMwareCAFManagementAgentHost, AdobeARMservice, RSCDsvc,\r\nLRSDRVX, msvsmon90, IDriverT, MSMQ, MMS, MSSQLFDLauncher$PROFXENGAGEMENT, ReportServer$TPS,\r\nSQLBrowser, MSSQLServerADHelper, SQLAgent$PROD, msftesql$PROD, SQLAgent$SOPHOS, 
AVP,\r\nVeeamEnterpriseManagerSvc, MySQL80, MSSQL$ARCSERVE_APP, ArcserveUDPPS, CAARCAppSvc,\r\nCASDatastoreSvc, CASARPSWebSVC, CAARCUpdateSvc, ArcserveUDPPS, CASAD2DwebSvc, ASLogWatch, FireEye\r\nEndpoint Agent, nxlog, SplunkForwarder, SAP, MSSQL, MySQL, OracleService, oracleservice, mssql, Sophos, Veeam,\r\nCylance\r\nJune Variant\r\nAcrSch2Svc, Antivirus, ARSMbedbgDCAgent, EPUpdateService, EraserSvc11710, EsgShKernel, FA_Scheduler,\r\nIISAdminIMAP4Svcmacmnsvcmasvc, MBAMService, MBEndpointAgent, McAfeeFramework, McShieldmfemms,\r\nMcTaskManager, MsDtsServer, MsDtsServer100, MsDtsServer110, MSExchangeES, MSExchangeIS, MSExchangeMGMT,\r\nMSExchangeMTA, MSExchangeSA, MSExchangeSRS, MSSQLFDLauncher, MSSQLSERVER, ntrtscanPOP3Svc,\r\nPDVFSService, ReportServer, sacsvr, SamSs, SAVServiceSAVAdminService, SDRSVCShMonitor,\r\nSepMasterServiceSmcinstSMTPSvc, SmcService, SNACSntpService, SQLBrowser, SQLSERVERAGENT,\r\nSQLTELEMETRY, SQLWriter, svcGenericHost, swi_filterTmCCSFswi_service, swi_update_64, tmlistenTrueKey,\r\nTrueKeySchedulerUI0DetectW3Svc, VeeamBackupSvc, VeeamBrokerSvc, VeeamCatalogSvc, VeeamCloudSvc,\r\nVeeamDeploySvc, VeeamMountSvc, VeeamNFSSvc, VeeamRESTSvc, wbengineWRSVC, swi_update,\r\nNetMsmqActivatorEhttpSrvekrn, ESHASRV, KAVFSmfefire, Telemetryserver, WdNisSvcBITSepagWinDefend,\r\nMsDtsServer130, SSISTELEMETRY130epredlineTmPfw, SentinelAgent,\r\nDB2INST2myAgtSvcIBMDataServerMgrIBMDSServer41, RumorServer, AlerterERSvc, EventlogNetDDE, ImapiService,\r\nNtLmSspNtmsSvc, odservTlntSvr, VMTools, VMware, WebClientWinVNC4CissesrvCpqRcmc3gupdate,\r\ngupdatemHealthService, ProLiantMonitor, SDD_Service, sysdown, System, bcrservice, ccEvtMgrccSetMgrCSAdmin,\r\nCSAuth, CSDbSyncCSLog, CSMon, CSRadiusCSTacacsSymantecVGAuthService, avbackupNetSvc, Net2ClientSvc,\r\ntpautoconnsvc, TPVCGateway, AdobeARMservice, RSCDsvcLRSDRVX, msvsmon90, IDriverTMSMQMMS,\r\nMySQL80nxlogSAP, ArcserveUDPPS, CAARCAppSvc, CASDatastoreSvc, CASARPSWebSVC, CAARCUpdateSvc,\r\nArcserveUDPPS, 
CASAD2DwebSvc, ASLogWatch, SplunkForwarder, MSSQL, MySQL, mssql, OracleService, oracleservice,\r\nSophos, Veeam, Cylance, OpenSCManagerW, BackupExecAgentAccelerator, BackupExecAgentBrowser,\r\nBackupExecDeviceMediaService, BackupExecJobEngine, BackupExecManagementService, BackupExecRPCService,\r\nBackupExecVSSProvider, EPSecurityService, McAfeeEngineService, McAfeeFrameworkMcAfeeFramework,\r\nMSSQLServerADHelper100, MSSQLServerOLAPService, OracleClientCache80, SQLSafeOLRService,\r\nTrueKeyServiceHelper, VeeamDeploymentService, VeeamEnterpriseManagerSvc, VeeamTransportSvc,\r\nVeeamHvIntegrationSvc, MSSQLServerADHelper, MCAFEETOMCATSRV530, MCAFEEEVENTPARSERSRV,\r\nBrokerInfrastructure, EPIntegrationService, EPProtectedService, SentinelHelperService, LogProcessorService,\r\nSentinelStaticEngine, DB2GOVERNOR_DB2COPY1, DB2MGMTSVC_DB2COPY1, DB2REMOTECMD_DB2COPY1,\r\nSnowInventoryClient, BlueStripeCollector, NimbusWatcherService, GoogleChromeElevationService,\r\nSepMasterServiceMig, VMwareCAFCommAmqpListener, VMwareCAFManagementAgentHost, MSSQLServerADHelper,\r\nVeeamEnterpriseManagerSvc\r\nAppendix B – EKANS Targeted Processes\r\nBelow is a list of every known process targeted by EKANS in May and June 2020.\r\nMay Variant\r\nccflic0.exe, ccflic4.exe, healthservice.exe, ilicensesvc.exe, nimbus.exe, prlicensemgr.exe, certificateprovider.exe,\r\nproficypublisherservice.exe, proficysts.exe, erlsrv.exe, vmtoolsd.exe, managementagenthost.exe, vgauthservice.exe,\r\nepmd.exe, hasplmv.exe, spooler.exe, hdb.exe, ntservices.exe, n.exe, monitoringhost.exe, win32sysinfo.exe, inet_gethost.exe,\r\ntaskhostw.exe, proficy administrator.exe, ntevl.exe, prproficymgr.exe, prrds.exe, prrouter.exe, prconfigmgr.exe,\r\nprgateway.exe, premailengine.exe, pralarmmgr.exe, prftpengine.exe, prcalculationmgr.exe, prprintserver.exe,\r\nprdatabasemgr.exe, preventmgr.exe, prreader.exe, prwriter.exe, 
prsummarymgr.exe, prstubber.exe, prschedulemgr.exe,\r\ncdm.exe, musnotificationux.exe, npmdagent.exe, client64.exe, keysvc.exe, server_eventlog.exe, proficyserver.exe,\r\nserver_runtime.exe, config_api_service.exe, fnplicensingservice.exe, workflowresttest.exe, proficyclient.exe, vmacthlp.exe,\r\nmsdtssrvr.exe, sqlservr.exe, msmdsrv.exe, reportingservicesservice.exe, dsmcsvc.exe, winvnc4.exe, client.exe, collwrap.exe,\r\nbluestripecollector.exe, sqlbrowser.exe, dsmcad.exe, nimcluster.exe, googleupdate.exe, smc.exe, bcrservice.exe, dbsrv9.exe,\r\nrtvscan.exe, bcreporter.exe, csadmin.exe, csdbsync.exe, csmon.exe, csauth.exe, cslog.exe, csradius.exe, cstacacs.exe,\r\nurl_response.exe, vmware-converter-a.exe, vmware-converter.exe, avagent.exe, paxton.net2.clientservice.exe,\r\npaxton.net2.commsserverservice.exe, avscc.exe, prunsrv.exe, googlecrashhandler.exe, googlecrashhandler64.exe,\r\nvmwaretray.exe, nd2svc.exe, tnslsnr.exe, omtsreco.exe, oracle.exe, patrolagent.exe, scfagent_64.exe, patrolperf.exe,\r\nrscdsvc.exe, rscd.exe, pmgreader.exe, firefox.exe, chrome.exe, netsession_win.exe, pcsws.exe, pcscm.exe, cwbunnav.exe,\r\nrdrcef.exe, ndrvx.exe, ndrvs.exe, dr_serviceengine.exe, teamviewer_service.exe, sqlagent.exe, dwrcst.exe, ccm\r\nmessaging.exe, zoolz.exe, agntsvc.exe, dbeng50.exe, dbsnmp.exe, encsvc.exe, excel.exe, firefoxconfig.exe, infopath.exe,\r\nisqlplussvc.exe, msaccess.exe, msftesql.exe, mspub.exe, mydesktopqos.exe, mydesktopservice.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, ocautoupds.exe, ocomm.exe, ocssd.exe, onenote.exe, outlook.exe, powerpnt.exe,\r\nsqbcoreservice.exe, sqlwriter.exe, steam.exe, synctime.exe, tbirdconfig.exe, thebat.exe, thebat64.exe, thunderbird.exe,\r\nvisio.exe, winword.exe, wordpad.exe, xfssvccon.exe, tmlisten.exe, pccntmon.exe, cntaosmgr.exe, ntrtscan.exe,\r\nmbamtray.exe, qhactivedefense.exe, qhwatchdog.exe, qhsafetray.exe, avgsvc.exe, avgui.exe, v3lite.exe, v3main.exe,\r\nv3sp.exe, avastui.exe, avastsvc.exe, avguard.exe, 
avshadow.exe, avgnt.exe, avira.servicehost.exe, avira.systray.exe,\r\nbdagent.exe, bdredline.exe, bdss.exe, bullguardbhvscanner.exe, bullguardscanner.exe, bullguardtray.exe,\r\nbullguardupdate.exe, bullguard.exe, cmdagent.exe, cistray.exe, cis.exe, spideragent.exe, dwengine.exe, dwarkdaemon.exe,\r\ndwnetfilter.exe, a2service.exe, a2guard.exe, a2start.exe, egui.exe, ekrn.exe, fshoster32.exe, fshoster64.exe,\r\nfortisslvpndaemon.exe, fortiesnac.exe, fortiwf.exe, fortitray.exe, fchelper64.exe, fortiproxy.exe, fcappdb.exe, fcdblog.exe,\r\navp.exe, avpui.exe, mbamservice.exe, mcsacore.exe, mcapexe.exe, mcshield.exe, mcsvhost.exe, nortonsecurity.exe,\r\npsuaservice.exe, psuamain.exe, psanhost.exe, sdrservice.exe, swc_service.exe, swi_service.exe, ssp.exe, ccsvchst.exe,\r\nsmcgui.exe, coreserviceshell.exe, coreframeworkhost.exe, uiwatchdog.exe, uiseagnt.exe, paamsrv.exe, psh_svc.exe,\r\naupdrun.exe, acaas.exe, acaegmgr.exe, acaif.exe, acais.exe, ahnsd.exe, ahnsdsv.exe, autoup.exe, v3clnsrv.exe, v3medic.exe,\r\nv3svc.exe, aflogvw.exe, ahnrpt.exe, atwsctsk.exe, v3exec.exe, v3imscn.exe, monsvcnt.exe, monsysnt.exe, aexnsrcvsvc.exe,\r\naexsvc.exe, atrshost.exe, ctdataload.exe, aexagentuihost.exe, aexnsagent.exe, aclntusr.exe, aexswdusr.exe, pxemtftp.exe,\r\naclient.exe, securitycenter.exe, starta.exe, stopa.exe, anvir.exe, csrss_tc.exe, ashavast.exe, ashbug.exe, ashchest.exe,\r\nashcmd.exe, ashdisp.exe, ashenhcd.exe, ashlogv.exe, ashmaisv.exe, ashpopwz.exe, ashquick.exe, ashserv.exe, ashsimp2.exe,\r\nashsimpl.exe, ashskpcc.exe, ashskpck.exe, ashupd.exe, ashwebsv.exe, aswdisp.exe, aswregsvr.exe, aswserv.exe,\r\naswupdsv.exe, aswwebsv.exe, avengine.exe, afwserv.exe, avastemupdate.exe, unsecapp.exe, avgamsvr.exe, avgas.exe,\r\navgcc32.exe, avgcc.exe, avgctrl.exe, avgdiag.exe, avgemc.exe, avgfws8.exe, avgfwsrv.exe, avginet.exe, avgmsvr.exe,\r\navgrssvc.exe, avgscanx.exe, avgserv9.exe, avgserv.exe, avgupd.exe, avgupdln.exe, avgupsvc.exe, avgvv.exe, avgwb.dat,\r\navgw.exe, 
avgwizfw.exe, guard.exe, avgcsrvx.exe, avgidsagent.exe, avgidsmonitor.exe, avgidsui.exe, avgidswatcher.exe,\r\navgam.exe, avgnsx.exe, avgfws9.exe, avgrsx.exe, avgtray.exe, avgwdsvc.exe, sidebar.exe, avgchsvx.exe, avgcmgr.exe,\r\navgemcx.exe, avgfws.exe, avgmfapx.exe, avgcefrend.exe, avgcsrva.exe, avgemca.exe, avgnsa.exe, avgrsa.exe,\r\nloggingserver.exe, toolbarupdater.exe, wtusystemsuport.exe, avgregcl.exe, avgsystx.exe, vprot.exe, avcenter.exe,\r\navconfig.exe, avesvc.exe, avmailc.exe, avmcdlg.exe, avnotify.exe, avscan.exe, guardgui.exe, avadmin.exe, avfwsvc.exe,\r\navwebgrd.exe, fwinst.exe, sysoptenginesvc.exe, bavtray.exe, bhipssvc.exe, bmrt.exe, seccenter.exe, gziface.exe, gzserv.exe,\r\nbdc.exe, bdlite.exe, bdmcon.exe, bdsubmit.exe, deloeminfs.exe, livesrv.exe, setloadorder.exe, vsserv.exe, xcommsvr.exe,\r\nbka.exe, bkavsystemserver.exe, blupro.exe, blackd.exe, blackice.exe, proutil.exe, rapapp.exe, basfipm.exe, isafe.exe,\r\ncavrid.exe, vetmsg.exe, amswmagt, caf.exe, capmuam, agt.exe, ccnfagent.exe, ccsmagtd.exe, cfftplugin.exe, cfnotsrvd.exe,\r\ncfsmsmd.exe, alert.exe, igateway.exe, inotask.exe, caantispyware.exe, caavcmdscan.exe, caav.exe, caavguiscan.exe,\r\ncafw.exe, calogdump.exe, capfaem.exe, capfsem.exe, cappactiveprotection.exe, casecuritycenter.exe, caunst.exe, cavrep.exe,\r\ncctray.exe, ccupdate.exe, isafinst.exe, itmrt_supportdiagnostics.exe, itmrtsvc.exe, itmrt_trace.exe, ppclean.exe,\r\numxagent.exe, umxcfg.exe, umxfwhlp.exe, umxpol.exe, unvet32.exe, capfasem.exe, ccprovsp.exe, ppctlpriv.exe, casc.exe,\r\nccschedulersvc.exe, ccsystemreport.exe, inonmsrv.exe, inoweb.exe, auth8021x.exe, krbcc32s.exe, pep.exe, realmon.exe,\r\nrepmgr64.exe, csacontrol.exe, leventmgr.exe, okclient.exe, clamscan.exe, clamtray.exe, clamwin.exe, ccemflsv.exe,\r\ncssauth.exe, cavscan.exe, clps.exe, clpsla.exe, clpsls.exe, cmdinstall.exe, cfpconfig.exe, cfp.exe, 
cfplogvw.exe, cfpsbmit.exe,\r\ncfpupdat.exe, crashrep.exe, cpf.exe, cfpconfg.exe, csfalconservice.exe, cylanceui.exe, cylancesvc.exe, cramtray.exe,\r\ncrssvc.exe, amsvc.exe, frzstate2k.exe, drwagnui.exe, drweb32.exe, drweb32w.exe, drweb386.exe, drwebcgp.exe,\r\ndrwebdc.exe, drweb.exe, drwebmng.exe, drwebscd.exe, drwebupw.exe, drwebwcl.exe, drwebwin.exe, drwinst.exe,\r\nspiderml.exe, spidernt.exe, spiderui.exe, drwagntd.exe, drwupgrade.exe, drwebcom.exe, eeyeevnt.exe, retinaengine.exe,\r\na2guard.exe, a2start.exe, administrator.exe, control_panel.exe, usergate.exe, esmagent.exe, era.exe, ppmcativedetection.exe,\r\nvettray.exe, cavtray.exe, inorpc.exe, inort.exe, ca.exe, caissdt.exe, etagent.exe, etloganalyzer.exe, etrssfeeds.exe,\r\nevtarmgr.exe, evtmgr.exe, etreporter.exe, etconsole3.exe, etwcontrolpanel.exe, useranalysis.exe, etcorrel.exe,\r\nevtprocessecfile.exe, etscheduler.exe, useractivity.exe, traptrackermgr.exe, ewidoctrl.exe, ewidoguard.exe,\r\nnslocollectorservice.exe, fmon.exe, fortifw.exe, update_task.exe, fpavserver.exe, fprottray.exe, fameh32.exe, fspex.exe,\r\nfsaa.exe, bwgo0000, fch32.exe, fih32.exe, fsaua.exe, fsav32.exe, fscuif.exe, fsdfwd.exe, fsgk32.exe, fsgk32st.exe,\r\nfsguidll.exe, fsguiexe.exe, fshdll32.exe, fsm32.exe, fsma32.exe, fsmb32.exe, fsorsp.exe, fspc.exe, fsqh.exe, fssm32.exe,\r\nsetupguimngr.exe, tnbutil.exe, fsavgui.exe, gdscan.exe, avkproxy.exe, avkservice.exe, avktray.exe, avkwctl.exe,\r\ngdfirewalltray.exe, gdfwsvc.exe, endpointsecurity.exe, esecservice.exe, gfireporterservice.exe, esecagntservice.exe,\r\nrcsvcmon.exe, dolphincharge.e, dolphincharge.exe, loggetor.exe, netalertclient.exe, printdevice.exe, pwdfilthelp.exe,\r\npthosttr.exe, hpqwmiex.exe, ntcaagent.exe, ntcadaemon.exe, ntcaservice.exe, privacyiconclient.exe, rapuisvc.exe,\r\nvpatch.exe, tclproc.exe, isscsf.exe, issdaemon.exe, kvdetech.exe, kvmonxp_2.kxp, kvmonxp.kxp, kvolself.exe,\r\nkvsrvxp_1.exe, kvsrvxp.exe, kvxp.kxp, ppppwallrun.exe, avpcc.exe, avpexec.exe, 
avpm.exe, avpncc.exe, avps.exe,\r\navpupd.exe, kav.exe, kavisarv.exe, kavmm.exe, kavss.exe, kavsvc.exe, kis.exe, klnagent.exe, klswd.exe, klwtblfs.exe,\r\nkwsprod.exe, up2date.exe, klserver.exe, oespamtest.exe, kavadapterexe.exe, kavlotsingleton.exe, kavfsgt.exe, kavfsrcn.exe,\r\nkavfs.exe, kavfswp.exe, kavshell.exe, klnacserver.exe, avpdtagt.exe, netcfg.exe, kavfsscs.exe, kavtray.exe, persfw.exe,\r\navserver.exe, winroute.exe, wrctrl.exe, kabackreport.exe, kaccore.exe, kanmcmain.exe, kastray.exe, kislive.exe,\r\nkmailmon.exe, knupdatemain.exe, kswebshield.exe, kxeserv.exe, uplive.exe, kansgui.exe, kansvr.exe, kavstart.exe,\r\nkpfwsvc.exe, kwatch.exe, kav32.exe, kissvc.exe, kpfw32.exe, system.exe, wssfcmai.exe, aawservice.exe, ad-aware2007.exe,\r\nnlsvc.exe, engineserver.exe, eventparser.exe, log_qtine.exe, mfeann.exe, nailgpip.exe, rpcserv.exe, srvmon.exe,\r\nmcagent.exe, mfemactl.exe, macmnsvc.exe, masvc.exe, masalert.exe, msssrv.exe, massrv.exe, msscli.exe, mcshld9x.exe,\r\nmgavrtcl.exe, mcappins.exe, mfecanary.exe, macompatsvc.exe, mcvsrte.exe, mfefire.exe, dao_log.exe, firesvc.exe,\r\nfiretray.exe, mfeesp.exe, naprdmgr.exe, cpd.exe, mfefw.exe, frameworkservic, cmgrdian.exe, mcshell.exe, mfehcs.exe,\r\nmcinfo.exe, hwapi.exe, mcafeedatabackup.exe, mcmscsvc.exe, mcnasvc.exe, mcods.exe, mcpromgr.exe, mcproxy.exe,\r\nmcuimgr.exe, mpfsrv.exe, mpsevh.exe, mps.exe, msksrver.exe, redirsvc.exe, saservice.exe, siteadv.exe, mfemms.exe,\r\nneotrace.exe, vshwin32.exe, mpfagent.exe, mpfconsole.exe, mpf.exe, mpfservice.exe, mpftray.exe, mscifapp.exe,\r\nmfevtps.exe, qclean.exe, mcregwiz.exe, rssensor.exe, safeservice.exe, ncdaemon.exe, mcdash.exe, mcdetect.exe,\r\nssscheduler.exe, sahookmain.exe, mskdetct.exe, msksrvr.exe, mskagent.exe, stinger.exe, mcsysmon.exe, mctskshd.exe,\r\nmfetp.exe, myagttry.exe, mcupdmgr.exe, rulaunch.exe, mcvsshld.exe, tbmon.exe, alogserv.exe, mcmnhdlr.exe, mghtml.exe,\r\nedisk.exe, scan32.exe, frameworkservice.exe, mcconsol.exe, mcscript_inuse.exe, 
mctray.exe, mcupdate.exe, shstat.exe,\r\nudaterui.exe, updaterui.exe, mcepoc.exe, mcepocfg.exe, mcpalmcfg.exe, mcwcecfg.exe, mcwce.exe, frameworkservic.exe,\r\nvsmain.exe, oasclnt.exe, vsstat.exe, mcvsftsn.exe, avconsol.exe, avsynmgr.exe, vstskmgr.exe, webscanx.exe, mfewc.exe,\r\nmfewch.exe, giantantispywaremain.exe, giantantispywareupdater.exe, gcasservalert.exe, gcascleaner.exe,\r\ngcasinstallhelper.exe, gcasnotice.exe, gcasdtserv.exe, gcasserv.exe, gcasswupdater.exe, fcsms.exe, fcssas.exe, nissrv.exe,\r\ndpmra.exe, msseces.exe, wscntfy.exe, securitymanager.exe, aesecurityservice.exe, deteqt.agent.exe, omniagent.exe,\r\nnerosvc.exe, seanalyzertool.exe, spyemergency.exe, spyemergencysrv.exe, nlclient.exe, crdm.exe, nmagent.exe, ehttpsrv.exe,\r\nnod32.exe, nod32krn.exe, nod32kui.exe, nod32view.exe, cclaw.exe, elogsvc.exe, nip.exe, nipsvc.exe, njeeves.exe,\r\nnpfmsg2.exe, npfmsg.exe, npfsvice.exe, nrmenctb.exe, nvcoas.exe, nvcsched.exe, nymse.exe, zanda.exe, zlh.exe,\r\nixaptsvc.exe, ixavsvc.exe, ixfwsvc.exe, emlproui.exe, emlproxy.exe, mpsvc.exe, onlinent.exe, onlnsvc.exe, scanmsg.exe,\r\nscanwscs.exe, tsansrf.exe, tsatisy.exe, tscutynt.exe, tsmpnt.exe, upschd.exe, xfilter.exe, aps.exe, aus.exe, outpost.exe,\r\nadminserver.exe, avtask.exe, clshield.exe, console.exe, cpntsrv.exe, padfsvr.exe, pasystemtray.exe, pavfnsvr.exe, pavkre.exe,\r\npavprot.exe, pavreport.exe, pnmsrv.exe, psimsvc.exe, pavupg.exe, remupd.exe, iface.exe, pavfires.exe, pavmail.exe,\r\npavprsrv.exe, pavsched.exe, pavsrv50.exe, pavsrv51.exe, pavsrv52.exe, prevsrv.exe, tpsrv.exe, pagent.exe, pagentwd.exe,\r\npsctris.exe, apvxdwin.exe, inicio.exe, pavbckpt.exe, pavjobs.exe, psctrls.exe, pshost.exe, psimreal.exe, pskmssvc.exe,\r\nsrvload.exe, webproxy.exe, avltmain.exe, firewallgui.exe, pviewer.exe, pview.exe, pmon.exe, qoeloader.exe, fws.exe,\r\nccenter.exe, ravxp.exe, rfwproxy.exe, 
rfwstub.exe, knownsvr.exe, ras.exe, rasupd.exe, upfile.exe, rstray.exe, ravalert.exe,\r\nrav.exe, ravmond.exe, ravmon.exe, ravservice.exe, ravstub.exe, ravtask.exe, ravtray.exe, ravupdate.exe, rnreport.exe,\r\nrsnetsvr.exe, scanfrm.exe, rfwmain.exe, rfwsrv.exe, winlog.exe, omslogmanager.exe, snhwsrv.exe, snicheckadm.exe,\r\nsnichecksrv.exe, snicon.exe, snsrv.exe, smsx.exe, svcharge.exe, svdealer.exe, svframe.exe, svtray.exe, sschk.exe, trjscan.exe,\r\ntrupd.exe, ssecuritymanager.exe, dltray.exe, dlservice.exe, almon.exe, lmon.exe, savadminservice.exe, savservice.exe,\r\nsweepsrv.sys, swnetsup.exe, alsvc.exe, alupdate.exe, savmain.exe, sav32cli.exe, certificationmanagerservicent.exe,\r\nemlibupdateagentnt.exe, managementagentnt.exe, mgntsvc.exe, routernt.exe, schdsrvc.exe, scfmanager.exe, scfservice.exe,\r\nscftray.exe, op_viewer.exe, sgbhp.exe, pctsauxs.exe, pctsgui.exe, pctssvc.exe, pctstray.exe, regmech.exe, sdtrayapp.exe,\r\nsvcntaux.exe, swdsvc.exe, swnxt.exe, execstat.exe, seestat.exe, swserver.exe, slee81.exe, kpf4gui.exe, kpf4ss.exe,\r\nwrspysetup.exe, acctmgr.exe, alertsvc.exe, alunotify.exe, aluschedulersvc.exe, appsvc32.exe, ccap.exe, ccapp.exe,\r\nccevtmgr.exe, ccproxy.exe, ccpxysvc.exe, ccsetmgr.exe, checkup.exe, cka.exe, comhost.exe, cpdclnt.exe, csinject.exe,\r\ncsinsm32.exe, csinsmnt.exe, dbserv.exe, defwatch.exe, defwatch, diskmon.exe, djsnetcn.exe, doscan.exe, dwhwizrd.exe,\r\nfwcfg.exe, ghost_2.exe, ghosttray.exe, icepack.exe, idsinst.exe, ispwdsvc.exe, issvc.exe, isuac.exe, luall.exe,\r\nlucallbackproxy.exe, lucoms~1.exe, lucoms.exe, mcui32.exe, navapsvc.exe, navapw32.exe, navectrl.exe, navelog.exe,\r\nnavesp.exe, navshcom.exe, navw32.exe, navwnt.exe, ndetect.exe, ngctw32.exe, ngserver.exe, nisoptui.exe, nisserv.exe,\r\nnisum.exe, nmain.exe, npfmntor.exe, nprotect.exe, npscheck.exe, npssvc.exe, nscsrvce.exe, nsctop.exe, nsmdtr.exe,\r\nolfsnt40.exe, opscan.exe, poproxy.exe, pqibrowser.exe, pqv2isvc.exe, pxeservice.exe, qdcsfs.exe, 
qserver.exe,\r\nreportersvc.exe, rnav.exe, savfmsesp.exe, savroam.exe, savscan.exe, savui.exe, sbserv.exe, scan, explicit.exe, semsvc.exe,\r\nsesclu.exe, sevinst.exe, smsectrl.exe, smselog.exe, smsesjm.exe, smsesp.exe, smsesrv.exe, smsetask.exe, smseui.exe,\r\nsms.exe, sndmon.exe, sndsrvc.exe, spbbcsvc.exe, symlcsvc.exe, symproxysvc.exe, symsport.exe, symtray.exe, symwsc.exe,\r\nsysdoc32.exe, ucservice.exe, updtnv28.exe, urllstck.exe, usrprmpt.exe, v2iconsole.exe, vpc32.exe, vpdn_lu.exe,\r\nvprosvc.exe, wfxctl32.exe, wfxmod32.exe, wfxsnt40.exe, lucomserver.exe, savfmselog.exe, savfmsesjm.exe,\r\nsavfmsectrl.exe, savfmsespamstatsmanager.exe, savfmsesrv.exe, savfmsetask.exe, savfmseui.exe, snac.exe, ssm.exe,\r\nreportsvc.exe, vptray.exe, procexp.exe, tdimon.exe, tfun.exe, tfgui.exe, tfservice.exe, tftray.exe, tiaspn~1.exe, traflnsp.exe,\r\nasupport.exe, isntsmtp.exe, nsmdemf.exe, nsmdmon.exe, nsmdreal.exe, nsmdsch.exe, ofcdog.exe, pccnt.exe, pccntupd.exe,\r\npcctlcom.exe, pcscnsrv.exe, schupd.exe, tmntsrv.exe, tmpfw.exe, tmproxy.exe, tmas.exe, entitymain.exe, aphost.exe,\r\nlwdmserver.exe, mrf.exe, isntsysmonitor, ofcpfwsvc.exe, dwwin.exe, patch.exe, pccclient.exe, pccguide.exe, pcclient.exe,\r\npccpfw.exe, pcscan.exe, pntiomon.exe, pop3pack.exe, pop3trap.exe, scanmailoutlook.exe, smoutlookpack.exe,\r\nwebtrapnt.exe, euqmonitor.exe, smex_activeupda, smex_master.exe, smex_remoteconf, smex_systemwatc, svcgenerichost,\r\nspntsvc.exe, stopp.exe, stwatchdog.exe, usbguard.exe, uploadrecord.exe, sbamsvc.exe, vrvmail.exe, vrvmon.exe, vrvnet.exe,\r\nvrv.exe, wrsa.exe, networkagent.exe, websensecontrolservice.exe, mpcmdrun.exe, msascui.exe, msmpeng.exe,\r\nmspmspsv.exe, kb891711.exe, zavaux.exe, zavcore.exe, zillya.exe, zlclient.exe, vsmon.exe, forcefield.exe, iswmgr.exe,\r\nzapro.exe, zonealarm.exe, mantispm.exe, GDDServer.exe\r\nJune Variant\r\navsynmgr.exe, vstskmgr.exe, webscanx.exe, c.exe, ch.exe, gcascleaner.exe, gcasnotice.exe, gcasdtserv.exe, 
gcasserv.exe,\r\nfcsms.exe, fcssas.exe, nissrv.exe, dpmra.exe, msseces.exe, wscntfy.exe, deteqt.agent.exe, omniagent.exe, nerosvc.exe,\r\nspyemergency.exe, nlclient.exe, crdm.exe, nip.exe, nmagent.exe, ehttpsrv.exe, nod32.exe, nod32krn.exe, nod32kui.exe,\r\nnod32view.exe, cclaw.exe, elogsvc.exe, nipsvc.exe, njeeves.exe, npfmsg2.exe, npfmsg.exe, npfsvice.exe, nrmenctb.exe,\r\nnvcoas.exe, nvcsched.exe, nymse.exe, zlh.exe, zanda.exe, ixaptsvc.exe, ixavsvc.exe, ixfwsvc.exe, emlproui.exe, emlproxy.exe,\r\nmpsvc.exe, aps.exe, onlinent.exe, onlnsvc.exe, scanmsg.exe, scanwscs.exe, tsansrf.exe, tsatisy.exe, tscutynt.exe, tsmpnt.exe,\r\nupschd.exe, xfilter.exe, aus.exe, iface.exe, outpost.exe, adminserver.exe, avtask.exe, clshield.exe, console.exe, cpntsrv.exe,\r\npadfsvr.exe, pasystemtray.exe, pavfnsvr.exe, pavkre.exe, pavprot.exe, pavreport.exe, pnmsrv.exe, psimsvc.exe, pavupg.exe,\r\nremupd.exe, pavfires.exe, pavmail.exe, pavprsrv.exe, pavsched.exe, pavsrv50.exe, pavsrv51.exe, pavsrv52.exe, prevsrv.exe,\r\ntpsrv.exe, pagent.exe, pagentwd.exe, psctris.exe, apvxdwin.exe, inicio.exe, pavbckpt.exe, pavjobs.exe, psctrls.exe,\r\npshost.exe, psimreal.exe, pskmssvc.exe, srvload.exe, webproxy.exe, avltmain.exe, firewallgui.exe, pviewer.exe, pview.exe,\r\npmon.exe, fws.exe, qoeloader.exe, ccenter.exe, ravxp.exe, ras.exe, rfwproxy.exe, rfwstub.exe, knownsvr.exe, rasupd.exe,\r\nupfile.exe, rstray.exe, ravalert.exe, rav.exe, snsrv.exe, ravmond.exe, ravmon.exe, ravservice.exe, ravstub.exe, ravtask.exe,\r\nravtray.exe, ravupdate.exe, rnreport.exe, rsnetsvr.exe, scanfrm.exe, rfwmain.exe, rfwsrv.exe, winlog.exe, snhwsrv.exe,\r\nsnicheckadm.exe, snichecksrv.exe, snicon.exe, smsx.exe, lmon.exe, svcharge.exe, svdealer.exe, svframe.exe, svtray.exe,\r\nsschk.exe, trjscan.exe, trupd.exe, dltray.exe, dlservice.exe, almon.exe, savservice.exe, sweepsrv.sys, swnetsup.exe, alsvc.exe,\r\nalupdate.exe, savmain.exe, sav32cli.exe, 
mgntsvc.exe, routernt.exe, schdsrvc.exe, scfmanager.exe, scfservice.exe,\r\nscftray.exe, op_viewer.exe, sgbhp.exe, pctsauxs.exe, pctsgui.exe, pctssvc.exe, pctstray.exe, regmech.exe, sdtrayapp.exe,\r\nsvcntaux.exe, swdsvc.exe, swnxt.exe, execstat.exe, seestat.exe, swserver.exe, slee81.exe, kpf4gui.exe, kpf4ss.exe,\r\nwrspysetup.exe, acctmgr.exe, alertsvc.exe, alunotify.exe, appsvc32.exe, ccap.exe, cka.exe, ccapp.exe, ccevtmgr.exe,\r\nccproxy.exe, ccpxysvc.exe, ccsetmgr.exe, checkup.exe, comhost.exe, cpdclnt.exe, csinject.exe, csinsm32.exe, csinsmnt.exe,\r\ndbserv.exe, defwatch.exe, defwatch, rnav.exe, diskmon.exe, djsnetcn.exe, doscan.exe, dwhwizrd.exe, fwcfg.exe, ghost_2.exe,\r\nghosttray.exe, icepack.exe, idsinst.exe, ispwdsvc.exe, issvc.exe, isuac.exe, luall.exe, lucoms.exe, mcui32.exe, navapsvc.exe,\r\nnavapw32.exe, navectrl.exe, navelog.exe, navesp.exe, navshcom.exe, navw32.exe, navwnt.exe, ndetect.exe, ngctw32.exe,\r\nngserver.exe, nisoptui.exe, nisserv.exe, nisum.exe, nmain.exe, npfmntor.exe, nprotect.exe, npscheck.exe, npssvc.exe,\r\nnscsrvce.exe, nsctop.exe, nsmdtr.exe, olfsnt40.exe, opscan.exe, poproxy.exe, pqibrowser.exe, pqv2isvc.exe, pxeservice.exe,\r\nqdcsfs.exe, qserver.exe, reportersvc.exe, savfmsesp.exe, savroam.exe, savscan.exe, savui.exe, scan, sbserv.exe, explicit.exe,\r\nsemsvc.exe, sesclu.exe, sevinst.exe, smsectrl.exe, smselog.exe, smsesjm.exe, smsesp.exe, smsesrv.exe, smsetask.exe,\r\nsmseui.exe, sms.exe, vpc32.exe, sndmon.exe, sndsrvc.exe, spbbcsvc.exe, symlcsvc.exe, symproxysvc.exe, symsport.exe,\r\nsymtray.exe, symwsc.exe, sysdoc32.exe, ucservice.exe, updtnv28.exe, urllstck.exe, usrprmpt.exe, v2iconsole.exe,\r\nvpdn_lu.exe, vprosvc.exe, wfxctl32.exe, wfxmod32.exe, wfxsnt40.exe, lucomserver.exe, savfmselog.exe, savfmsesjm.exe,\r\nsavfmsectrl.exe, savfmsesrv.exe, savfmsetask.exe, savfmseui.exe, snac.exe, ssm.exe, reportsvc.exe, vptray.exe, procexp.exe,\r\ntdimon.exe, tfun.exe, tmas.exe, tfgui.exe, tfservice.exe, tftray.exe, traflnsp.exe, asupport.exe, 
isntsmtp.exe, nsmdemf.exe,\r\nnsmdmon.exe, nsmdreal.exe, nsmdsch.exe, ofcdog.exe, pccnt.exe, pccntupd.exe, pcctlcom.exe, pcscnsrv.exe, schupd.exe,\r\ntmntsrv.exe, tmpfw.exe, tmproxy.exe, entitymain.exe, aphost.exe, lwdmserver.exe, mrf.exe, dwwin.exe, isntsysmonitor,\r\nfcpfwsvc.exe, patch.exe, vrv.exe, pccclient.exe, pccguide.exe, pcclient.exe, pccpfw.exe, pcscan.exe, pntiomon.exe,\r\npop3pack.exe, pop3trap.exe, webtrapnt.exe, euqmonitor.exe, smex_activeupda, smex_master.exe, smex_remoteconf,\r\nsmex_systemwatc, svcgenerichost, spntsvc.exe, stopp.exe, stwatchdog.exe, usbguard.exe, uploadrecord.exe, sbamsvc.exe,\r\nvrvmail.exe, vrvmon.exe, vrvnet.exe, wrsa.exe, xagt.exe, networkagent.exe, mpcmdrun.exe, msascui.exe, msmpeng.exe,\r\nmspmspsv.exe, kb891711.exe, zavaux.exe, zavcore.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe,\r\nwordpad.exe, xfssvccon.exe, tmlisten.exe, pccntmon.exe, cntaosmgr.exe, ntrtscan.exe, mbamtray.exe, qhwatchdog.exe,\r\nqhsafetray.exe, avgsvc.exe, avgui.exe, v3lite.exe, v3main.exe, avastui.exe, avastsvc.exe, avguard.exe, avshadow.exe,\r\navgnt.exe, bdagent.exe, bdredline.exe, bdss.exe, cis.exe, bullguard.exe, cmdagent.exe, cistray.exe, spideragent.exe,\r\ndwengine.exe, dwarkdaemon.exe, dwnetfilter.exe, a2service.exe, egui.exe, ekrn.exe, fshoster32.exe, fshoster64.exe,\r\nfortiesnac.exe, fortiwf.exe, fortitray.exe, fchelper64.exe, fortiproxy.exe, fcappdb.exe, fcdblog.exe,\r\navp.exe, avpui.exe, mbamservice.exe, mcsacore.exe, mcapexe.exe, mcshield.exe, mcsvhost.exe, psuaservice.exe,\r\npsuamain.exe, psanhost.exe, sdrservice.exe, swc_service.exe, swi_service.exe, ssp.exe, acaas.exe, ccsvchst.exe, smcgui.exe,\r\nuiwatchdog.exe, uiseagnt.exe, paamsrv.exe, psh_svc.exe, aupdrun.exe, acaegmgr.exe, acaif.exe, acais.exe, ahnsd.exe,\r\nahnsdsv.exe, autoup.exe, v3clnsrv.exe, v3medic.exe, v3svc.exe, aflogvw.exe, ahnrpt.exe, atwsctsk.exe, v3exec.exe,\r\nv3imscn.exe, monsvcnt.exe, monsysnt.exe, aexnsrcvsvc.exe, aexsvc.exe, atrshost.exe, ctdataload.exe, 
aexnsagent.exe,\r\naclntusr.exe, aexswdusr.exe, pxemtftp.exe, aclient.exe, starta.exe, stopa.exe, anvir.exe, csrss_tc.exe, ashavast.exe,\r\nashbug.exe, ashchest.exe, ashcmd.exe, ashdisp.exe, ashenhcd.exe, ashlogv.exe, ashmaisv.exe, ashpopwz.exe, ashquick.exe,\r\nashserv.exe, ashsimp2.exe, ashsimpl.exe, ashskpcc.exe, ashskpck.exe, ashupd.exe, ashwebsv.exe, aswdisp.exe,\r\naswregsvr.exe, aswserv.exe, aswupdsv.exe, aswwebsv.exe, avengine.exe, afwserv.exe, unsecapp.exe, avgamsvr.exe,\r\navgas.exe, avgcc32.exe, avgcc.exe, avgctrl.exe, avgdiag.exe, avgemc.exe, avgfws8.exe, avgfwsrv.exe, avginet.exe,\r\navgmsvr.exe, avgrssvc.exe, avgscanx.exe, avgserv9.exe, avgserv.exe, avgupd.exe, avgupdln.exe, avgupsvc.exe, avgvv.exe,\r\navgwb.dat, avgw.exe, bmrt.exe, avgwizfw.exe, guard.exe, avgcsrvx.exe, avgidsagent.exe, avgidsui.exe, avgam.exe,\r\navgnsx.exe, avgfws9.exe, avgrsx.exe, avgtray.exe, avgwdsvc.exe, sidebar.exe, avgchsvx.exe, avgcmgr.exe, avgemcx.exe,\r\navgfws.exe, avgmfapx.exe, avgcefrend.exe, avgcsrva.exe, avgemca.exe, avgnsa.exe, avgrsa.exe, avgregcl.exe, avgsystx.exe,\r\nvprot.exe, avcenter.exe, avconfig.exe, avesvc.exe, avmailc.exe, avmcdlg.exe, avnotify.exe, avscan.exe, guardgui.exe,\r\navadmin.exe, avfwsvc.exe, avwebgrd.exe, fwinst.exe, bavtray.exe, bhipssvc.exe, seccenter.exe, gziface.exe, gzserv.exe,\r\nbdc.exe, bka.exe, bdlite.exe, bdmcon.exe, bdsubmit.exe, deloeminfs.exe, livesrv.exe, setloadorder.exe, vsserv.exe,\r\nxcommsvr.exe, blupro.exe, blackd.exe, blackice.exe, proutil.exe, rapapp.exe, basfipm.exe, isafe.exe, cavrid.exe, vetmsg.exe,\r\namswmagt, caf.exe, capmuamagt.exe, ccnfagent.exe, ccsmagtd.exe, cfftplugin.exe, cfnotsrvd.exe, cfsmsmd.exe, alert.exe,\r\nigateway.exe, inotask.exe, caavcmdscan.exe, caav.exe, cafw.exe, caavguiscan.exe, calogdump.exe, capfaem.exe, capfsem.exe,\r\ncaunst.exe, cavrep.exe, cctray.exe, ccupdate.exe, isafinst.exe, itmrtsvc.exe, 
itmrt_trace.exe, ppclean.exe, umxagent.exe,\r\numxcfg.exe, umxfwhlp.exe, umxpol.exe, unvet32.exe, capfasem.exe, ccprovsp.exe, ppctlpriv.exe, casc.exe, pep.exe,\r\ninonmsrv.exe, inoweb.exe, auth8021x.exe, krbcc32s.exe, realmon.exe, repmgr64.exe, csacontrol.exe, leventmgr.exe,\r\nokclient.exe, clamscan.exe, clamtray.exe, clamwin.exe, ccemflsv.exe, cssauth.exe, cavscan.exe, clps.exe, cfp.exe, clpsla.exe,\r\nclpsls.exe, cmdinstall.exe, cfpconfig.exe, cfplogvw.exe, cfpsbmit.exe, cfpupdat.exe, crashrep.exe,\r\ncpf.exe, amsvc.exe, cfpconfg.exe, cylanceui.exe, cylancesvc.exe, cramtray.exe, crssvc.exe, frzstate2k.exe, drwagnui.exe,\r\ndrweb32.exe, drweb32w.exe, drweb386.exe, drwebcgp.exe, drwebdc.exe, drweb.exe, era.exe, drwebmng.exe, drwebscd.exe,\r\ndrwebupw.exe, drwebwcl.exe, drwebwin.exe, drwinst.exe, spiderml.exe, spidernt.exe, spiderui.exe, drwagntd.exe,\r\ndrwupgrade.exe, drwebcom.exe, eeyeevnt.exe, retinaengine.exe, a2guard.exe, a2start.exe, usergate.exe, esmagent.exe,\r\nvettray.exe, cavtray.exe, inorpc.exe, inort.exe, ca.exe, caissdt.exe, etagent.exe, etrssfeeds.exe, evtarmgr.exe, evtmgr.exe,\r\netreporter.exe, etconsole3.exe, useranalysis.exe, etcorrel.exe, etscheduler.exe, useractivity.exe, ewidoctrl.exe, ewidoguard.exe,\r\nfmon.exe, fsaa.exe, fortifw.exe, update_task.exe, fpavserver.exe, fprottray.exe, fameh32.exe, fspex.exe,\r\nbwgo0000, fspc.exe, fch32.exe, fih32.exe, fsaua.exe, fsav32.exe, fscuif.exe, fsdfwd.exe, fsgk32.exe, fsgk32st.exe, fsguidll.exe,\r\nfsguiexe.exe, fshdll32.exe, fsm32.exe, fsma32.exe, fsmb32.exe, fsorsp.exe, fsqh.exe, kvxp.kxp, fssm32.exe,\r\nsetupguimngr.exe, tnbutil.exe, fsavgui.exe, gdscan.exe, avkproxy.exe, avkservice.exe, avktray.exe, avkwctl.exe, gdfwsvc.exe,\r\nesecservice.exe, rcsvcmon.exe, dolphincharge.e, loggetor.exe, printdevice.exe, pwdfilthelp.exe, pthosttr.exe, hpqwmiex.exe,\r\nntcaagent.exe, ntcadaemon.exe, ntcaservice.exe, rapuisvc.exe, vpatch.exe, tclproc.exe, isscsf.exe, issdaemon.exe,\r\nkvdetech.exe, kvmonxp_2.kxp, kvmonxp.kxp, kvolself.exe, 
kvsrvxp_1.exe, kvsrvxp.exe, ppppwallrun.exe, avpcc.exe,\r\navpexec.exe, avpm.exe, avps.exe, avpncc.exe, avpupd.exe, kav.exe, kavmm.exe, kavisarv.exe, kavss.exe, kis.exe, kavsvc.exe,\r\nklnagent.exe, klswd.exe, cpd.exe, klwtblfs.exe, kwsprod.exe, up2date.exe, klserver.exe, oespamtest.exe, kavfsgt.exe,\r\nkavfsrcn.exe, kavfs.exe, kavfswp.exe, kavshell.exe, klnacserver.exe, avpdtagt.exe, netcfg.exe, kavfsscs.exe, kavtray.exe,\r\npersfw.exe, avserver.exe, winroute.exe, wrctrl.exe, kabackreport.exe, kaccore.exe, kanmcmain.exe, kastray.exe, kislive.exe,\r\nkmailmon.exe, knupdatemain.exe, kswebshield.exe, kxeserv.exe, uplive.exe, kansgui.exe, kansvr.exe, kavstart.exe,\r\nkpfwsvc.exe, kwatch.exe, kav32.exe, kissvc.exe, kpfw32.exe, system.exe, wssfcmai.exe, aawservice.exe,\r\nengineserver.exe, eventparser.exe, log_qtine.exe, mfeann.exe, nailgpip.exe, rpcserv.exe, srvmon.exe, mcagent.exe,\r\nmfemactl.exe, macmnsvc.exe, masvc.exe, masalert.exe, msssrv.exe, massrv.exe, msscli.exe, mcshld9x.exe, mgavrtcl.exe,\r\nmcappins.exe, mfecanary.exe, macompatsvc.exe, mcvsrte.exe, mfefire.exe, dao_log.exe, firesvc.exe, firetray.exe,\r\nmfeesp.exe, naprdmgr.exe, mfefw.exe, mps.exe, frameworkservic, cmgrdian.exe, mcshell.exe, mfehcs.exe, mcinfo.exe,\r\nhwapi.exe, mcmscsvc.exe, mcnasvc.exe, mcods.exe, mcpromgr.exe, mcproxy.exe, mcuimgr.exe, mpfsrv.exe, mpsevh.exe,\r\nmsksrver.exe, redirsvc.exe, saservice.exe, siteadv.exe, mfemms.exe, neotrace.exe, vshwin32.exe, mpfagent.exe,\r\nmpfconsole.exe, mpf.exe, mfetp.exe, mpfservice.exe, mpftray.exe, mscifapp.exe, mfevtps.exe, qclean.exe, mcregwiz.exe,\r\nrssensor.exe, safeservice.exe, ncdaemon.exe, mcdash.exe, mcdetect.exe, ssscheduler.exe, sahookmain.exe, mskdetct.exe,\r\nmsksrvr.exe, mskagent.exe, stinger.exe, mcsysmon.exe, mctskshd.exe, myagttry.exe, mcupdmgr.exe, rulaunch.exe,\r\nmcvsshld.exe, tbmon.exe, alogserv.exe, mcmnhdlr.exe, mghtml.exe, edisk.exe, scan32.exe, mcconsol.exe, mctray.exe,\r\nmcupdate.exe, shstat.exe, udaterui.exe, updaterui.exe, mcepoc.exe, mcepocfg.exe, 
mcpalmcfg.exe, mcwcecfg.exe,\r\nmcwce.exe, vsmain.exe, oasclnt.exe, vsstat.exe, mcvsftsn.exe, avconsol.exe, kavlotsingleton.exe, mcafeedatabackup.exe,\r\nframeworkservice.exe, mcscript_inuse.exe, frameworkservic.exe, giantantispywaremain.exe, giantantispywareupdater.exe,\r\ngcasservalert.exe, gcasinstallhelper.exe, gcasswupdater.exe, securitymanager.exe, aesecurityservice.exe, seanalyzertool.exe,\r\nspyemergencysrv.exe, omslogmanager.exe, ssecuritymanager.exe, savadminservice.exe, emlibupdateagentnt.exe,\r\nmanagementagentnt.exe, aluschedulersvc.exe, lucallbackproxy.exe, savfmsespamstatsmanager.exe, scanmailoutlook.exe,\r\nsmoutlookpack.exe, websensecontrolservice.exe\r\nAppendix C – Targeted Extensions for Both EKANS Variants\r\n.docx, .accdb, .accde, .accdr, .accdt, .asp, .aspx, .back, .backup, .backupdb, .bak, .mdb, .mdc, .mdf, .war, .xls, .xlsx, .xlsm,\r\n.xlr, .zip, .rar, .sqlitedb, .sql, .py, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .hpp, .java, .jsp, .php, .doc, .docm, .pst, .psd,\r\n.dot, .dotm, .cpp, .cs, .csv, .bkp, .db, .db-journal, .csproj, .sln, .md, .pl, .js, .html, .htm, .dbf, .rdo, .arc, .vhd, .vmdk, .vdi,\r\n.vhdx, .edb, .c, .h\r\nFortiGuard Labs has shared the findings of this research analysis with fellow Cyber Threat Alliance members. CTA\r\nmembers use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber\r\nactors. For more information on the Cyber Threat Alliance, visit cyberthreatalliance.org.\r\nLearn more about FortiGuard Labs threat research and the FortiGuard Security Subscriptions and Services portfolio.\r\nSource: https://www.fortinet.com/blog/threat-research/ekans-ransomware-targeting-ot-ics-systems",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/ekans-ransomware-targeting-ot-ics-systems"
	],
	"report_names": [
		"ekans-ransomware-targeting-ot-ics-systems"
	],
	"threat_actors": [],
	"ts_created_at": 1775434760,
	"ts_updated_at": 1775791320,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d6ec94ca287c9d2338b6d57ea509e2629ac55d7f.pdf",
		"text": "https://archive.orkl.eu/d6ec94ca287c9d2338b6d57ea509e2629ac55d7f.txt",
		"img": "https://archive.orkl.eu/d6ec94ca287c9d2338b6d57ea509e2629ac55d7f.jpg"
	}
}