Car maker Honda has been hit by a cyber attack, according to a report published by the BBC and later confirmed by the company in a tweet. Another similar attack, also disclosed on Twitter, hit Edesur S.A., one of the companies belonging to Enel Argentina, which operates in the business of energy distribution in the City of Buenos Aires.

Based on samples posted online, these incidents may be related to the EKANS/SNAKE ransomware family. In this post, we review what is known about this ransomware strain and what we have been able to analyze so far.

Targeted ransomware with a taste for ICS

First public mentions of EKANS ransomware date back to January 2020, when security researcher Vitali Kremez shared information about a new targeted ransomware written in Go (Golang).

The group appears to have a particular interest in Industrial Control Systems (ICS), as described in this post by security firm Dragos.

Figure 1: EKANS ransom note.

On June 8, a researcher shared samples of ransomware that was allegedly targeted at Honda and ENEL INT. When we started looking at the code, we found several artifacts that corroborate this possibility.

Figure 2: Mutex check.

When the malware executes, it tries to resolve a hardcoded hostname (mds.honda.com). If, and only if, that lookup succeeds does file encryption begin; otherwise no encryption takes place, which keeps the sample from detonating outside the intended victim's network. The same logic, with a different hardcoded hostname, applies to the ransomware allegedly tied to Enel.

Figure 3: Function responsible for performing the DNS query.

Target: Honda

Handled internal domain: mds.honda.com
Ransom email: CarrolBidell@tutanota[.]com

Target: Enel

Handled internal domain: enelint.global
Ransom email: CarrolBidell@tutanota[.]com

RDP as a possible attack vector

Both companies had some machines with Remote Desktop Protocol (RDP) access publicly exposed (reference here). In targeted ransomware operations, attacks against exposed RDP are one of the main entry points.

RDP exposed: AGL632956.jpn.mds.honda.com
RDP exposed: IT000001429258.enelint.global

However, we cannot state conclusively that this is how the threat actors got in. Ultimately, only a proper internal investigation will be able to determine exactly how the attackers were able to compromise the affected networks.
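A check a defender would want for the exposure described above is to confirm not just that TCP/3389 is reachable from the Internet, but that what answers really is RDP. The script below is an added example (not code from the post) that completes the first X.224 exchange from MS-RDPBCGR, sending a Connection Request with an RDP_NEG_REQ and classifying the Connection Confirm. It does not authenticate or go any further. The inventory, the IP addresses and the server replies are constructed sample data; the two host names are the ones the post lists, the third host and all IPs are placeholders.

```python
"""Check for Internet-exposed RDP by completing the first X.224 exchange.

Added example; not code from the post. It confirms that a reachable port
really speaks RDP by sending the X.224 Connection Request with an RDP_NEG_REQ
(MS-RDPBCGR) and parsing the Connection Confirm. It does not authenticate.
The inventory and server replies below are constructed samples; the two
host names are the ones the post lists, the IPs are placeholders.
"""
import ipaddress
import socket
import struct

RDP_PORT = 3389
PROTOCOL_SSL, PROTOCOL_HYBRID = 0x1, 0x2     # TLS, CredSSP (NLA)


def build_x224_connection_request(protocols=PROTOCOL_SSL | PROTOCOL_HYBRID):
    """TPKT header + X.224 CR TPDU + RDP_NEG_REQ (type 1, flags 0, length 8)."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, protocols)   # little-endian fields
    x224 = struct.pack("!BBHHB", 0x0E, 0xE0, 0, 0, 0)           # LI=14, CR, dst/src ref, class 0
    body = x224 + neg_req
    return struct.pack("!BBH", 3, 0, 4 + len(body)) + body


def parse_x224_connection_confirm(data):
    """Classify a reply. Returns {'rdp': bool, ...} with 'selected_protocol'
    (RDP_NEG_RSP) or 'failure_code' (RDP_NEG_FAILURE) when the server sent one."""
    if len(data) < 11 or data[0] != 3 or data[1] != 0:
        return {"rdp": False, "reason": "no TPKT header"}
    if struct.unpack("!H", data[2:4])[0] != len(data):
        return {"rdp": False, "reason": "TPKT length mismatch"}
    if (data[5] & 0xF0) != 0xD0:                                 # X.224 Connection Confirm
        return {"rdp": False, "reason": "not an X.224 Connection Confirm"}
    result = {"rdp": True}
    if len(data) >= 19:
        neg_type, _flags, neg_len, value = struct.unpack("<BBHI", data[11:19])
        if neg_len == 8 and neg_type == 0x02:
            result["selected_protocol"] = value
        elif neg_len == 8 and neg_type == 0x03:
            result["failure_code"] = value
    return result


def probe_rdp(host, port=RDP_PORT, timeout=3.0):
    """Live check (network I/O): connect, send the CR, classify the reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_x224_connection_request())
            return parse_x224_connection_confirm(s.recv(64))
    except OSError as exc:
        return {"rdp": False, "reason": str(exc)}


def exposed_rdp_hosts(inventory, probe=probe_rdp):
    """Entries whose address is globally routable and that answer as RDP.
    `probe` is injectable so the selection logic can run offline."""
    findings = []
    for entry in inventory:
        if not ipaddress.ip_address(entry["ip"]).is_global:
            continue                      # RFC 1918, loopback, link-local, TEST-NET, etc.
        verdict = probe(entry["ip"])
        if verdict.get("rdp"):
            findings.append({**entry, **verdict})
    return findings


# Constructed sample data (not captured from either company).
SAMPLE_INVENTORY = [
    {"host": "AGL632956.jpn.mds.honda.com", "ip": "1.2.3.4"},     # placeholder public IP
    {"host": "IT000001429258.enelint.global", "ip": "5.6.7.8"},   # placeholder public IP
    {"host": "jump01.corp.example", "ip": "10.20.30.40"},         # internal only, skipped
]
# Constructed replies: server selected TLS / server returned failure code 5.
SAMPLE_CONFIRM_TLS = bytes.fromhex("03 00 00 13 0e d0 00 00 12 34 00 02 00 08 00 01 00 00 00")
SAMPLE_CONFIRM_FAILURE = bytes.fromhex("03 00 00 13 0e d0 00 00 12 34 00 03 00 08 00 05 00 00 00")


if __name__ == "__main__":
    # Offline demonstration: pretend every probed host answered with SAMPLE_CONFIRM_TLS.
    fake = lambda ip: parse_x224_connection_confirm(SAMPLE_CONFIRM_TLS)
    for f in exposed_rdp_hosts(SAMPLE_INVENTORY, probe=fake):
        print(f"EXPOSED RDP {f['host']} ({f['ip']}) selected_protocol={f['selected_protocol']}")
```

Run `exposed_rdp_hosts(inventory)` without the `probe` argument to perform live checks from an external vantage point; a `selected_protocol` of 2 (CredSSP) at least means NLA is enforced, while a bare TPKT/X.224 confirm with no negotiation response is the legacy "Standard RDP Security" case that should never face the Internet.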

Detection

We tested the publicly available ransomware samples in our lab by setting up a fake internal DNS server that answered the malware's query for the hardcoded hostname with the IP address the sample expected. We then ran the sample claimed to be linked to Honda against Malwarebytes Nebula, our cloud-based endpoint protection for businesses.
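The two pieces of the lab setup just described, the hostname gate inside the sample and the fake DNS server that satisfies it, are shown together in the added example below. This is illustrative code written for this post, not Malwarebytes' tooling and not the sample's own code. `target_gate` reconstructs the logic from the analysis section (resolve a hardcoded hostname, proceed only if it resolves to the expected address); `build_response`/`serve` are a minimal UDP DNS responder that answers that one name and returns NXDOMAIN for everything else. `EXPECTED_IP` is a placeholder assumption, since the post does not say which address the samples expected.

```python
"""Lab tooling for a hostname-gated ransomware sample.

Added example; not Malwarebytes' code and not the sample's code.
target_gate() reconstructs the gating logic described in the post and takes
an injectable resolver so it can be exercised offline. build_response() and
serve() form a minimal DNS responder for an isolated lab: the analyst's
chosen address for the hardcoded hostname, NXDOMAIN for everything else.
EXPECTED_IP is a placeholder assumption.
"""
import socket
import struct

TARGET_HOSTNAME = "mds.honda.com"   # hostname named in the post
EXPECTED_IP = "10.0.0.10"           # placeholder assumption


def target_gate(hostname, expected_ip, resolve=socket.gethostbyname):
    """True only when hostname resolves to expected_ip. A failed lookup
    (NXDOMAIN, no resolver reachable) counts as 'wrong target'."""
    try:
        return resolve(hostname) == expected_ip
    except OSError:
        return False


def build_query(txid, hostname, qtype=1, qclass=1):
    """Encode a single-question DNS query (used as constructed test input)."""
    labels = hostname.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set
    return header + qname + struct.pack("!HH", qtype, qclass)


def parse_query(packet):
    """Decode header and question; return (txid, qname, qtype, qclass, question_bytes)."""
    txid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    pos += 4
    return txid, ".".join(labels), qtype, qclass, packet[12:pos]


def build_response(query, answers, ttl=60):
    """Answer an A/IN query from `answers` (lowercase name -> IPv4); else NXDOMAIN."""
    txid, qname, qtype, qclass, question = parse_query(query)
    ip = answers.get(qname.lower()) if (qtype, qclass) == (1, 1) else None
    if ip is None:
        return struct.pack("!HHHHHH", txid, 0x8183, 1, 0, 0, 0) + question  # RCODE=3
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)               # NOERROR
    # Answer RR: name pointer to offset 12, TYPE A, CLASS IN, TTL, RDLENGTH 4, address
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + rr


def answered_ip(response):
    """Extract the address from a response built above, or None for NXDOMAIN."""
    _txid, flags, _qd, ancount = struct.unpack("!HHHH", response[:8])
    if (flags & 0x000F) == 3 or ancount == 0:
        return None
    return socket.inet_ntoa(response[-4:])


def lab_resolver(answers):
    """Drop-in for socket.gethostbyname that goes through the fake responder
    in-process instead of the network, for running target_gate offline."""
    def resolve(hostname):
        ip = answered_ip(build_response(build_query(0x1234, hostname), answers))
        if ip is None:
            raise socket.gaierror("NXDOMAIN")
        return ip
    return resolve


def serve(answers, bind=("0.0.0.0", 53)):
    """Run the responder; point the isolated analysis VM's DNS at this host."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    while True:
        packet, peer = sock.recvfrom(512)
        try:
            sock.sendto(build_response(packet, answers), peer)
        except (ValueError, IndexError, UnicodeDecodeError, struct.error):
            continue  # malformed or multi-question query; ignore it


if __name__ == "__main__":
    serve({TARGET_HOSTNAME: EXPECTED_IP})
```

The point of answering NXDOMAIN for everything else is that a gated sample behaves exactly as it would on a non-target network, so a detonation box that forgets to seed the expected name will show no encryption at all; that is the same reason a generic sandbox can miss this family entirely.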

Figure 4: Malwarebytes Nebula dashboard showing detections.

We detect this payload as 'Ransom.Ekans' when it attempts to execute. In order to test another of our protection layers, we also disabled (not recommended) the malware protection to let the behavior engine do its work. Our anti-ransomware technology was able to quarantine the malicious file without the use of any signature.


Ransomware gangs have shown no mercy, even while the world is dealing with a pandemic. They continue to target large companies in order to extort large sums of money.


RDP has been called out as some of the lowest-hanging fruit favored by attackers. We also recently learned about a new SMB vulnerability allowing remote code execution. It is important for defenders to properly map out all assets, patch them, and never allow them to be publicly exposed.

We will update this blog post if we come across new relevant information.

Indicators of Compromise (IOCs)

Honda related sample:

SHA256: d4da69e424241c291c173c8b3756639c654432706e7def5025a649730868c4a1
Hardcoded hostname: mds.honda.com

Enel related sample:

SHA256: edef8b955468236c6323e9019abb10c324c27b4f5667bc3f85f3a097b2e5159a
Hardcoded hostname: enelint.global


The post Honda and Enel affected by cyber attack thought to be ransomware appeared first on Malwarebytes Labs.
