New ransomware doesn’t just encrypt data. It also meddles with critical infrastructure

Enlarge (credit: An Energy Company / Flickr)

Over the past five years, ransomware has emerged as a vexing menace that has shut down factories, hospitals, and local municipalities and school districts around the world. In recent months, researchers have caught ransomware doing something that's potentially more sinister: intentionally tampering with industrial control systems that dams, electric grids, and gas refineries rely on to keep equipment running safely.

A ransomware strain discovered last month and dubbed Ekans contains the usual routines for disabling data backups and mass-encrypting files on infected systems. But researchers at security firm Dragos found something else that has the potential to be more disruptive: code that actively seeks out and forcibly stops applications used in industrial control systems. Before starting file-encryption operations, the ransomware kills processes listed by process name in a hard-coded list within the encoded strings of the malware.

In all, Ekans kills 64 processes, including those spawned by human-machine interfaces from Honeywell, the Proficy Historian from General Electric, and licensing servers from GE Fanuc. The same 64 processes, it turns out, are targeted in a version of the MegaCortex ransomware. That version first came to light in August.

Read 8 remaining paragraphs | Comments

from Biz & IT – Ars Technica https://ift.tt/2SfjcLj