<h1>New ransomware doesn't just encrypt data. It also meddles with critical infrastructure</h1>

<p>Published 12 February 2020 on blog.cyberconservices.com (category: ransomware). Summary of reporting by <a href="https://arstechnica.com/author/dan-goodin/">Dan Goodin</a> for Ars Technica.</p>

<p>Over the past five years, ransomware has emerged as a vexing menace that has shut down <a href="https://arstechnica.com/information-technology/2019/03/severe-ransomware-attack-cripples-big-aluminum-producer/">factories</a>, <a href="https://arstechnica.com/information-technology/2019/10/hamstrung-by-ransomware-10-hospitals-are-turning-away-some-patients/">hospitals</a>, and <a href="https://arstechnica.com/information-technology/2019/08/rash-of-ransomware-continues-with-13-new-victims-most-of-them-schools/">local municipalities and school districts</a> around the world. In recent months, researchers have caught ransomware doing something that is potentially more sinister: intentionally tampering with the industrial control systems that dams, electric grids, and gas refineries rely on to keep equipment running safely.</p>

<p>A ransomware strain discovered last month (January 2020) and dubbed Ekans contains the usual routines for disabling data backups and mass-encrypting files on infected systems. But researchers at security firm Dragos found something else with the potential to be more disruptive: code that actively seeks out and forcibly stops applications used in industrial control systems (ICS). Before it starts encrypting files, the ransomware kills processes by name, working from a hard-coded list stored among the malware's encoded strings.</p>

<p>In all, Ekans kills 64 processes, including those spawned by human-machine interfaces from Honeywell, the <a href="https://www.ge.com/digital/applications/proficy-historian">Proficy Historian</a> from General Electric, and licensing servers from GE Fanuc. The same 64 processes, it turns out, are targeted by a version of the <a href="https://www.pcrisk.com/removal-guides/14954-megacortex-ransomware">MegaCortex ransomware</a> that first came to light in August 2019.</p>

<p><a href="https://arstechnica.com/information-technology/2020/02/new-ransomware-intentionally-meddles-with-critical-infrastructure/">Read the full article at Ars Technica</a></p>
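<p>The kill-before-encrypt behaviour described above shows up on the host as a burst of process terminations, which is a detection opportunity that does not depend on recognising the ransomware binary itself. The following is an added example written for this page, not code from the Ars Technica article, from Dragos, or from the malware: it parses constructed Sysmon Event ID 5 (ProcessTerminate) records in a simplified key=value layout and alerts when several watch-listed ICS processes stop within a short window. The process names in the watch-list are placeholders, since the article does not reproduce the 64 names from the kill list.</p>

```python
"""Detect a burst of ICS process terminations on a Windows host.

Added example for this page, not code from the article, Dragos, or the
Ekans sample. Sysmon Event ID 5 is the ProcessTerminate event; the records
below are constructed and use a simplified key=value body.
"""
import re
from collections import deque
from datetime import datetime, timedelta

# Hypothetical watch-list (lower-case image names). The article names the
# vendors (Honeywell HMI, GE Proficy Historian, GE Fanuc licensing) but not
# the 64 image names, so these placeholders stand in for a site's real list.
WATCHLIST = {
    "hmi_runtime.exe",
    "historian_svc.exe",
    "license_server.exe",
    "opc_gateway.exe",
}

# Constructed log records (UTC timestamps). Three watch-listed processes
# stop within two seconds, then an unrelated process, then one lone
# watch-listed stop hours later that should not trigger an alert.
SAMPLE_LOG = """\
EventID=5 UtcTime=2020-02-11 03:14:07.120 ProcessId=1840 Image=C:\\ICS\\hmi_runtime.exe
EventID=1 UtcTime=2020-02-11 03:14:07.300 ProcessId=4112 Image=C:\\Windows\\System32\\notepad.exe
EventID=5 UtcTime=2020-02-11 03:14:07.900 ProcessId=2216 Image=C:\\ICS\\historian_svc.exe
EventID=5 UtcTime=2020-02-11 03:14:08.450 ProcessId=3031 Image=C:\\ICS\\license_server.exe
EventID=5 UtcTime=2020-02-11 03:14:09.000 ProcessId=4112 Image=C:\\Windows\\System32\\notepad.exe
EventID=5 UtcTime=2020-02-11 09:00:00.000 ProcessId=5120 Image=C:\\ICS\\opc_gateway.exe
"""

# key=value pairs; a value runs until the next " key=" or end of line, so
# the space inside UtcTime does not split the timestamp.
_FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line):
    """Parse one record into a dict of fields; None for a blank line."""
    line = line.strip()
    if not line:
        return None
    return dict(_FIELD_RE.findall(line))


def detect_kill_bursts(log_text, watchlist=WATCHLIST,
                       window=timedelta(seconds=10), threshold=3):
    """Return alerts as (first_ts, last_ts, sorted image names).

    An alert fires when at least `threshold` distinct watch-listed images
    terminate inside one sliding `window`. Distinct images, not raw event
    count, so a single crash-looping service does not trip the rule.
    """
    events = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or ev.get("EventID") != "5":
            continue
        image = ev["Image"].rsplit("\\", 1)[-1].lower()
        if image not in watchlist:
            continue
        ts = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        events.append((ts, image))
    events.sort()

    alerts = []
    recent = deque()
    for ts, image in events:
        recent.append((ts, image))
        # Drop terminations that fell out of the window.
        while ts - recent[0][0] > window:
            recent.popleft()
        distinct = {img for _, img in recent}
        if len(distinct) >= threshold:
            alerts.append((recent[0][0], ts, sorted(distinct)))
            recent.clear()  # one burst yields one alert
    return alerts


if __name__ == "__main__":
    for first, last, images in detect_kill_bursts(SAMPLE_LOG):
        span = (last - first).total_seconds()
        print(f"ALERT: {len(images)} ICS processes killed in {span:.1f}s: {images}")
```

<p>Feed it forwarded Sysmon logs from HMI, historian and licensing hosts and tune the window and threshold to the site: a planned shutdown or patch cycle also stops these services, so the alert is worth correlating with change windows, and the threshold should sit above what a single maintenance script touches at once. Because the kill list lives in the binary's strings, this host-side rule complements, rather than replaces, a static signature on the sample itself.</p>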