{
	"id": "4e07f7cd-a1d4-4f7c-b562-ea457067d753",
	"created_at": "2026-04-06T00:22:21.441794Z",
	"updated_at": "2026-04-10T03:20:54.616064Z",
	"deleted_at": null,
	"sha1_hash": "f7f6e04165c166c5ef7fba66f80d4c8b70f9f895",
	"title": "Threat Assessment: EKANS Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 55881,
	"plain_text": "Threat Assessment: EKANS Ransomware\r\nBy Alex Hinchliffe, Doel Santos\r\nPublished: 2020-06-26 · Archived: 2026-04-02 11:26:06 UTC\r\nUnit 42 researchers have observed recent EKANS (Snake spelled backward) ransomware activity affecting multiple industries in the U.S. and Europe. As a result, we have created this threat assessment report for the activities of this ransomware. Identified techniques and campaigns can be visualized using the Unit 42 Playbook Viewer.\r\nEKANS, first observed in January 2020, has relatively basic ransomware behavior: it primarily seeks to encrypt files and display a ransom note when finished. Although basic in terms of file encryption, EKANS has some functionality that sets it apart from other ransomware strains. It is written in Go (Golang) and includes a static “kill list” of numerous antivirus and Industrial Control Systems (ICS) processes and services that it stops before encrypting. After killing those processes, it deletes volume shadow copies to hinder restoration from local backups. Like many ransomware families, EKANS also attempts to encrypt resources reachable from the victim’s machine over the network.\r\nAfter encrypting a file, EKANS does not apply a uniform extension like other active ransomware. Instead, it modifies the extension with five random characters, which may be an attempt by its creators to evade detection based on file extensions alone. A more reliable indicator of an EKANS infection is the marker string EKANS (hexadecimal 45 4B 41 4E 53) that the ransomware appends to the end of each encrypted file.\r\nEKANS’ intrusion vector at the moment appears to be spearphishing used to compromise credentials. Having file-blocking policies in place and securing any exposed Remote Desktop Protocol (RDP) services will help prevent the malware from entering the network. 
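As an added example (not code from the Unit 42 page or from the EKANS authors), the following Python script turns the two on-disk artefacts described above, the EKANS trailer and the five-character extension change, into a triage scan over a directory tree. The trailer check looks for the ASCII string EKANS as the last five bytes of a file; the extension rule is a weak heuristic whose alphanumeric assumption, COMMON_EXTS allowlist and sample files are constructed for this example and are not stated on the page.

```python
import os
import re
import tempfile

# Marker EKANS appends to each file it encrypts: the ASCII string 'EKANS'
# (hex 45 4B 41 4E 53). This is the strong, page-documented signal.
EKANS_MARKER = b'EKANS'

# Weak signal: the page only says the extension is modified with five random
# characters. Assumption (not from the page): the characters are alphanumeric,
# and the rule accepts both a replaced extension (notes.vB7Qp) and one with
# the five characters appended to the original (report.docxKq9Zr).
RANDOM_TAIL = re.compile(r'[A-Za-z0-9]{5}$')

# Assumption: a short allowlist of legitimate extensions of five or more
# characters so the weak rule does not flag them; extend it per environment.
COMMON_EXTS = {'xhtml', 'class', 'jsonl', 'woff2', 'sqlite'}


def has_ekans_trailer(path):
    # Read only the final bytes so large files are not loaded into memory.
    size = os.path.getsize(path)
    if size < len(EKANS_MARKER):
        return False
    with open(path, 'rb') as fh:
        fh.seek(size - len(EKANS_MARKER))
        return fh.read(len(EKANS_MARKER)) == EKANS_MARKER


def has_random_extension(name):
    # Flag names whose final extension ends in five alphanumeric characters
    # and is not a known legitimate extension. Weak evidence on its own.
    if '.' not in name:
        return False
    ext = name.rsplit('.', 1)[1]
    if ext.lower() in COMMON_EXTS:
        return False
    return len(ext) >= 5 and RANDOM_TAIL.search(ext) is not None


def scan_tree(root):
    # Walk the tree once and bucket files by the strength of the evidence:
    # a trailer match is a confirmed EKANS artefact; an odd extension alone
    # is only worth a second look.
    confirmed, extension_only = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if has_ekans_trailer(path):
                confirmed.append(rel)
            elif has_random_extension(name):
                extension_only.append(rel)
    return {'confirmed': sorted(confirmed),
            'extension_only': sorted(extension_only)}


def build_sample_tree(root):
    # Constructed sample files for the example; not artefacts from a real
    # infection. Two carry the trailer, one has only an odd extension, one
    # contains the marker in the middle, and one is shorter than the marker.
    samples = {
        'report.docx': b'clean document body',
        'report.docxKq9Zr': b'ciphertext blob' + EKANS_MARKER,
        'notes.vB7Qp': b'more ciphertext' + EKANS_MARKER,
        'legit.xhtml': b'<html/>',
        'random.a1b2c': b'odd extension, no marker',
        'mid.txt': EKANS_MARKER + b' appears early, not at the end',
        'tiny.bin': b'ab',
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), 'wb') as fh:
            fh.write(data)


def demo():
    # Build the constructed tree in a temporary directory and scan it.
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == '__main__':
    for bucket, paths in demo().items():
        print(bucket, paths)
```

Point scan_tree at a suspect host's data volumes or at the network shares the page notes EKANS also targets; the trailer check is cheap enough to run at scale because it reads five bytes per file, and the extension bucket exists only to surface files worth a manual look when the trailer is absent.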
We encourage ICS asset owners to review their security posture against malware, such as EKANS, that aims to disrupt ICS operations. The EKANS operators have affected industries including energy, architecture firms, healthcare, transportation, and manufacturing.\r\nPalo Alto Networks Threat Prevention with WildFire and Cortex XDR detect activity associated with this ransomware. Customers can also review activity associated with this threat assessment in AutoFocus using the tag EKANS.\r\nSeveral adversarial techniques were observed in this activity, and the following measures are suggested within Palo Alto Networks products and services to mitigate threats related to EKANS ransomware as well as other malware using similar techniques. Each entry lists the tactic and technique (with MITRE ATT\u0026CK ID), then the product or service and its course of action:\r\nInitial Access: Spearphishing Attachment (T1193)\r\n  NGFW: Setup File Blocking\r\n  Threat Prevention†:\r\n  - Ensure that antivirus profiles are set to block on all decoders except 'imap' and 'pop3'\r\n  - Ensure a secure antivirus profile is applied to all relevant security policies\r\n  WildFire:\r\n  - Ensure that WildFire file size upload limits are maximized\r\n  - Ensure forwarding is enabled for all applications and file types in WildFire file blocking profiles\r\n  - Ensure a WildFire Analysis profile is enabled for all security policies\r\n  - Ensure forwarding of decrypted content to WildFire is enabled\r\n  - Ensure all WildFire session information settings are enabled\r\n  - Ensure alerts are enabled for malicious files detected by WildFire\r\n  - Ensure 'WildFire Update Schedule' is set to download and install updates every minute\r\n  Cortex XDR: Configure Malware Security Profile\r\n  Cortex XSOAR:\r\n  - Deploy XSOAR Playbook - Phishing Investigation - Generic V2\r\n  - Deploy XSOAR - Endpoint Malware Investigation\r\nExecution: Scheduled Task (T1053)\r\n  Cortex XDR:\r\n  - Enable Anti-Exploit\r\n  - Enable Anti-Malware Protection\r\nExecution: User Execution (T1204)\r\n  NGFW:\r\n  - Ensure that User-ID is only enabled for internal trusted interfaces\r\n  - Ensure that 'Include/Exclude Networks' is used if User-ID is enabled\r\n  - Ensure that the User-ID Agent has minimal permissions if User-ID is enabled\r\n  - Ensure that the User-ID service account does not have interactive logon rights\r\n  - Ensure remote access capabilities for the User-ID service account are forbidden\r\n  - Ensure that security policies restrict User-ID Agent traffic from crossing into untrusted zones\r\n  Threat Prevention†:\r\n  - Ensure that antivirus profiles are set to block on all decoders except 'imap' and 'pop3'\r\n  - Ensure a secure antivirus profile is applied to all relevant security policies\r\n  - Ensure an anti-spyware profile is configured to block on all spyware severity levels, categories, and threats\r\n  - Ensure DNS sinkholing is configured on all anti-spyware profiles in use\r\n  - Ensure passive DNS monitoring is set to enabled on all anti-spyware profiles in use\r\n  - Ensure a secure anti-spyware profile is applied to all security policies permitting traffic to the Internet\r\n  DNS Security: Enable DNS Security in Anti-Spyware profile\r\n  URL Filtering:\r\n  - Ensure that PAN-DB URL Filtering is used\r\n  - Ensure that URL Filtering uses the action of “block” or “override” on the \u003centerprise approved value\u003e URL categories\r\n  - Ensure that access to every URL is logged\r\n  - Ensure all HTTP Header Logging options are enabled\r\n  - Ensure secure URL filtering is enabled for all security policies allowing traffic to the Internet\r\n  WildFire:\r\n  - Ensure that WildFire file size upload limits are maximized\r\n  - Ensure forwarding is enabled for all applications and file types in WildFire file blocking profiles\r\n  - Ensure a WildFire Analysis profile is enabled for all security policies\r\n  - Ensure forwarding of decrypted content to WildFire is enabled\r\n  - Ensure all WildFire session information settings are enabled\r\n  - Ensure alerts are enabled for malicious files detected by WildFire\r\n  - Ensure 'WildFire Update Schedule' is set to download and install updates every minute\r\n  Cortex XDR:\r\n  - Enable Anti-Exploit\r\n  - Enable Anti-Malware Protection\r\n  Cortex XSOAR:\r\n  - Deploy XSOAR Playbook - Phishing Investigation - Generic V2\r\n  - Deploy XSOAR Playbook - Cortex XDR - Isolate Endpoint\r\n  - Deploy XSOAR - Block Account Generic\r\nPersistence: Bootkit (T1067)\r\n  Cortex XDR:\r\n  - Enable Anti-Exploit\r\n  - Enable Anti-Malware Protection\r\nPersistence: Scheduled Task (T1053)\r\n  Cortex XDR:\r\n  - Enable Anti-Exploit\r\n  - Enable Anti-Malware Protection\r\nPrivilege Escalation\r\n  Cortex XDR:\r\n  - Enable Anti-Exploit\r\n  - Enable Anti-Malware Protection\r\nCredential Access: Credentials in Files (T1081)\r\n  Cortex XDR:\r\n  - Enable Anti-Exploit\r\n  - Enable Anti-Malware Protection\r\n  - Configure Restrictions Security Profile\r\nDiscovery: File and Directory Discovery (T1083)\r\n  Cortex XDR: XDR monitors for behavioral events via BIOCs along a causality chain to identify discovery behaviors\r\nDiscovery: Process Discovery (T1057)\r\n  Cortex XDR: XDR monitors for behavioral events via BIOCs along a causality chain to identify discovery behaviors\r\nCollection: Automated Collection (T1119)\r\n  Cortex XDR:\r\n  - Enable Anti-Exploit\r\n  - Enable Anti-Malware Protection\r\nCollection: Data from Local System (T1005)\r\n  Cortex XDR:\r\n  - Enable Anti-Exploit\r\n  - Enable Anti-Malware Protection\r\nCommand and Control: Custom Command and Control (T1094)\r\n  NGFW:\r\n  - Ensure application security policies exist when allowing traffic from an untrusted zone to a more trusted zone\r\n  - Ensure 'Service setting of ANY' in a security policy allowing traffic does not exist\r\n  - Ensure 'Security Policy' denying any/all traffic to/from IP addresses on Trusted Threat Intelligence Sources exists\r\n  Threat Prevention†:\r\n  - Ensure that antivirus profiles are set to block on all decoders except 'imap' and 'pop3'\r\n  - Ensure a secure antivirus profile is applied to all relevant security policies\r\n  - Ensure an anti-spyware profile is configured to block on all spyware severity levels, categories, and threats\r\n  - Ensure DNS sinkholing is configured on all anti-spyware profiles in use\r\n  - Ensure passive DNS monitoring is set to enabled on all anti-spyware profiles in use\r\n  - Ensure a secure anti-spyware profile is applied to all security policies permitting traffic to the Internet\r\n  DNS Security: Enable DNS Security in Anti-Spyware profile\r\n  URL Filtering:\r\n  - Ensure that PAN-DB URL Filtering is used\r\n  - Ensure that URL Filtering uses the action of “block” or “override” on the \u003centerprise approved value\u003e URL categories\r\n  - Ensure that access to every URL is logged\r\n  - Ensure all HTTP Header Logging options are enabled\r\n  - Ensure secure URL filtering is enabled for all security policies allowing traffic to the Internet\r\n  Cortex XSOAR:\r\n  - Deploy XSOAR Playbook - Block IP\r\n  - Deploy XSOAR Playbook - Block URL\r\n  - Deploy XSOAR Playbook - Hunting C\u0026C Communication Playbook\r\n  - Deploy XSOAR Playbook - PAN-OS Query Logs for Indicators\r\nImpact: Data Encrypted for Impact (T1486)\r\n  Cortex XDR:\r\n  - Enable Anti-Malware Protection\r\n  - Enable the “Anti-Ransomware” security module in your security profile\r\n  Cortex XSOAR: Deploy XSOAR Playbook - Ransomware Manual for incident response\r\nTable 1. Courses of Action for EKANS ransomware\r\n†These capabilities are part of the NGFW security subscriptions service.\r\nSource: https://unit42.paloaltonetworks.com/threat-assessment-ekans-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/threat-assessment-ekans-ransomware/"
	],
	"report_names": [
		"threat-assessment-ekans-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434941,
	"ts_updated_at": 1775791254,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f7f6e04165c166c5ef7fba66f80d4c8b70f9f895.pdf",
		"text": "https://archive.orkl.eu/f7f6e04165c166c5ef7fba66f80d4c8b70f9f895.txt",
		"img": "https://archive.orkl.eu/f7f6e04165c166c5ef7fba66f80d4c8b70f9f895.jpg"
	}
}