S0605: EKANS
EKANS is a ransomware variant written in Golang that first appeared in mid-December 2019 and has been used against multiple sectors, including energy, healthcare, and automotive manufacturing, which in some cases resulted in significant operational disruptions. EKANS has used a hard-coded kill-list of processes, including some associated with common ICS software platforms (e.g., GE Proficy, Honeywell HMIWeb, etc.), similar to those defined in MegaCortex.[1][2]
Analyst context for executives and security teams
EKANS matters because it is ransomware with documented attention to operational environments: MITRE notes a hard-coded process kill-list that included common ICS software and use against sectors such as energy, healthcare, and automotive manufacturing. For leaders, the practical issue is not just file encryption; it is whether ransomware can stop services and processes that keep production, clinical, or industrial operations running.
Executive priority
Treat EKANS as a resilience and operational-continuity planning case. Priority questions are: which Windows systems support critical operations, which ICS/HMI or engineering processes would cause downtime if stopped, whether recovery paths can survive ransomware actions, and whether SOC/IR teams can prove visibility into service stopping, WMI execution, process discovery, and encryption behavior. This is also relevant to audit evidence for backup recoverability, segmentation between IT and OT, and incident decision-making during operational disruption.
Technical view
MITRE provides no official detection text, so defenders should validate coverage from the relationships: WMI execution, process and network configuration discovery, masquerading or legitimate-looking file names, obfuscated files, service stop, recovery inhibition, security tool impairment, and data encryption for impact. Because EKANS is listed for Windows and has ICS-related process-kill context, detection engineering should test visibility on Windows endpoints that support operations, including HMI/engineering workstations where applicable, without assuming enterprise EDR alone covers OT-adjacent blind spots.
Likely telemetry
- Windows process creation and command-line logging
- WMI execution and remote/local management activity
- Service start/stop and process termination events
- File creation, rename, modification, and high-volume encryption-like activity
- Events showing deletion or disabling of recovery mechanisms such as backup or system recovery features
Detection direction
- Tune for combinations of discovery followed by service/process termination and rapid file modification rather than relying on a single ransomware indicator.
- Review legitimate administration noise around WMI, service control, and process management to reduce false positives while preserving alerts for unusual timing, scope, or target systems.
- Pay special attention to Windows hosts connected to operational workflows, because stopping ICS-related software may create business impact before encryption is fully observed.
- Validate whether security-tool impairment and recovery-inhibition events still reach the SOC if local agents or services are stopped.
- Account for masquerading and obfuscation by correlating file name/location trust with signer, parent process, execution path, and behavioral context.
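The correlation the bullets above describe, as an added example that is not Glexia's or MITRE's code: constructed Windows telemetry is grouped per host, and a host alerts only when discovery is followed inside a short window by service/process stops plus either recovery inhibition or a burst of file renames. Event kinds, host names and the small ICS inventory (taken from the kill-list names the page mentions) are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Kill-list names the page mentions (GE Proficy, Honeywell HMIWeb); a real
# inventory is the site's own list of operationally significant services.
ICS_CRITICAL = ("proficy", "hmiweb")
RENAME_BURST = 20                 # renames in one window that count as "rapid"
WINDOW = timedelta(minutes=10)

# Constructed telemetry (timestamp, host, kind, detail); hosts are hypothetical.
SAMPLE = [
    ("2024-01-01T10:00:00", "hmi-01", "discovery", "tasklist.exe"),
    ("2024-01-01T10:00:03", "hmi-01", "wmi_exec", "Win32_Process.Create"),
    ("2024-01-01T10:00:10", "hmi-01", "service_stop", "MSSQLSERVER"),
    ("2024-01-01T10:00:11", "hmi-01", "service_stop", "Proficy Historian"),
    ("2024-01-01T10:00:15", "hmi-01", "recovery_inhibit", "shadow copies deleted"),
    ("2024-01-01T11:00:00", "eng-02", "discovery", "tasklist.exe"),   # admin noise
    ("2024-01-01T11:30:00", "eng-02", "service_stop", "Spooler"),     # outside window
] + [("2024-01-01T10:00:%02d" % (20 + i // 4), "hmi-01", "file_rename", "doc%d" % i)
     for i in range(24)]

def correlate(events, window=WINDOW):
    """Return {host: verdict}. A host alerts only when a discovery event is
    followed inside `window` by service/process stops plus either recovery
    inhibition or a rename burst; a single indicator never fires on its own."""
    by_host = defaultdict(list)
    for ts, host, kind, detail in sorted(events):
        by_host[host].append((datetime.fromisoformat(ts), kind, detail))
    verdicts = {}
    for host, evs in by_host.items():
        verdict = {"alert": False, "stages": set(), "ops_impact": [], "renames": 0}
        for start in (t for t, k, _ in evs if k == "discovery"):
            span = [e for e in evs if timedelta(0) <= e[0] - start <= window]
            stages = {k for _, k, _ in span}
            renames = sum(k == "file_rename" for _, k, _ in span)
            # stops of inventoried ICS processes are surfaced even before encryption shows
            ops = [d for _, k, d in span if k == "service_stop"
                   and any(p in d.lower() for p in ICS_CRITICAL)]
            alert = "service_stop" in stages and (
                "recovery_inhibit" in stages or renames >= RENAME_BURST)
            verdict = {"alert": alert, "stages": stages, "ops_impact": ops, "renames": renames}
            if alert:
                break
        verdicts[host] = verdict
    return verdicts

if __name__ == "__main__":
    for host, v in correlate(SAMPLE).items():
        print(host, "ALERT" if v["alert"] else "ok", sorted(v["stages"]), v["ops_impact"])
```

The `eng-02` host shows the false-positive guard: routine discovery with an unrelated service stop half an hour later never crosses the window, so it stays quiet.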
Mitigation priorities
- Prioritize tested, offline or otherwise ransomware-resilient backups and recovery procedures for critical Windows and operational support systems.
- Harden and monitor service-control and WMI administration paths, limiting use to authorized operators and management systems where feasible.
- Segment and tightly govern connectivity between business IT and OT/ICS-supporting Windows systems to reduce the chance that IT ransomware disrupts control operations.
- Maintain an inventory of critical services and ICS/HMI/engineering processes so incident responders know which service stops are operationally significant.
- Ensure security tooling and logging pipelines have tamper monitoring and alternate evidence sources for high-impact hosts.
Analyst notes and limits
The most decision-relevant detail in the supplied object is EKANS’ combination of ransomware impact with a hard-coded process kill-list that included common ICS software platforms. The relationship set supports a defensive focus on impact behaviors, discovery, masquerading, WMI execution, service stopping, recovery inhibition, and tool impairment.
MITRE does not provide official detection guidance for this object, and the supplied fields do not establish current activity, attribution, customer exposure, or guaranteed detection logic. Local validation is required to determine which Windows systems, ICS applications, recovery controls, and telemetry sources are actually in scope.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1057 | Process Discovery | EKANS looks for processes from a hard-coded list. (Citations: Dragos EKANS; FireEye Ransomware Feb 2020; IBM Ransomware Trends September 2020) |
| Enterprise | T1486 | Data Encrypted for Impact | EKANS uses standard encryption library functions to encrypt files. (Citations: Dragos EKANS; Palo Alto Unit 42 EKANS) |
| Enterprise | T1490 | Inhibit System Recovery | EKANS removes backups of Volume Shadow Copies to disable any restoration capabilities. (Citations: Dragos EKANS; Palo Alto Unit 42 EKANS) |
| Enterprise | T1047 | Windows Management Instrumentation | EKANS can use Windows Management Instrumentation (WMI) calls to execute operations. (Citation: Dragos EKANS) |
| Enterprise | T1016 | System Network Configuration Discovery | EKANS can determine the domain of a compromised host. (Citation: IBM Ransomware Trends September 2020) |
| Enterprise | T1489 | Service Stop | EKANS stops database, data backup solution, antivirus, and ICS-related processes. (Citations: Dragos EKANS; FireEye Ransomware Feb 2020; Palo Alto Unit 42 EKANS) |
| Enterprise | T1027 | Obfuscated Files or Information | EKANS uses encoded strings in its process kill list. (Citation: FireEye Ransomware Feb 2020) |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location (sub-technique) | EKANS has been disguised as |
| Enterprise | T1685 | Disable or Modify Tools | EKANS stops processes related to security and management software. (Citations: Dragos EKANS; FireEye Ransomware Feb 2020) |
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.0 | | Current bundle | d318fe2820f0… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Dragos EKANS: Dragos. (2020, February 3). EKANS Ransomware and ICS Operations. Retrieved February 9, 2021.
- [2] Palo Alto Unit 42 EKANS: Hinchliffe, A., Santos, D. (2020, June 26). Threat Assessment: EKANS Ransomware. Retrieved February 9, 2021.
- [3] EKANS (alias). Cited from: Dragos EKANS; Palo Alto Unit 42 EKANS; FireEye Ransomware Feb 2020.
- [4] FireEye Ransomware Feb 2020: Zafra, D., et al. (2020, February 24). Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT. Retrieved March 2, 2021.
- [5] SNAKEHOSE (alias). Cited from: FireEye Ransomware Feb 2020.
- [6] mitre-attack S0605 (MITRE ATT&CK source object).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.