The CyberWire Daily Podcast 2.3.20
Ep 1016 | 2.3.20

More on EKANS, the ransomware with an ICS kicker. Shipping company customer-facing IT disrupted in cyber incident. Coronavirus as phishbait. Election security, new DoD rules, and insider threats.


Dave Bittner: [00:00:00] Hi, everybody. It's Dave. We're happy to announce that our new subscription program CyberWire Pro will be available soon. For everyone who wants to stay on top of developments in cybersecurity, CyberWire Pro is an independent news service that keeps you informed without wasting your time. This new offer includes such valuable content as exclusive podcasts and newsletters, exclusive webcasts, thousands of expert interviews and much, much more. As always, you can rely on us to separate the signal from the noise. Sign up to be one of the first in the know about CyberWire Pro at That's Check it out. 

Dave Bittner: [00:00:44]  Dragos publicly releases its full report on EKANS ransomware, the first known ransomware with a real, if primitive, capability against industrial control systems. An Australian logistics company struggles with an unspecified malware infestation. Coronavirus fake news is used as phishbait. Election security may get an early test in Iowa. The Department of Defense issues new cybersecurity rules for contractors, and two cases of insider threats or alleged insider threats. 

Dave Bittner: [00:01:21]  And now a word from our sponsor ObserveIT, a Proofpoint company. The greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. Sixty percent of online attacks are carried out by insiders. To stop these insider threats, you need to see what users are doing before an incident occurs. ObserveIT enables security teams to detect risky user activity, investigate incidents in minutes and effectively respond. With ObserveIT, you know the whole story. Get your free trial at That's, and we thank ObserveIT for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee - security fueled by insight. Intelligence lets you respond to your environment. Insights empower you to change it. Identify with machine learning. Defend and correct with deep learning. Anticipate with artificial intelligence. McAfee - the device-to-cloud cybersecurity company. Go to 

Dave Bittner: [00:02:34]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, February 3, 2020. Industrial cybersecurity company Dragos this morning publicly released its full report on the EKANS ransomware that has recently afflicted industrial control systems. EKANS is referred to as Snake in some sources, EKANS being snake spelled backwards. EKANS was interesting because it was, as Dragos explains, a relatively straightforward ransomware strain. It encrypted files on infected machines and displayed a ransom message. 

Dave Bittner: [00:03:11]  The difference, however, was interesting. Beyond doing these things, EKANS also, quote, "featured additional functionality to forcibly stop a number of processes, including multiple items related to ICS operations," end quote. That is, it included a mechanism that hit processes in a static kill list. It is, as Dragos explains, a relatively primitive attack mechanism, but this is something new with ransomware. EKANS at least intentionally targets industrial systems. The malware has been active, it is believed, since about the middle of December. 

Dave Bittner: [00:03:47]  Dragos, which, as a matter of policy, studiously avoids attribution, in this case does offer some grounds for skepticism of early reports in January from other observers and researchers that linked EKANS with Iran. Dragos finds that linkage tenuous at best and sees few, if any, of the markers that some had believed indicated the hidden hand of Tehran at work. 

Dave Bittner: [00:04:11]  Australia's Toll Group, a logistics company that operates a fleet of seven cargo ships, has shut down some systems while it investigates and recovers from a suspected cyberattack, according to industry publication Splash 247. What kind of attack Toll Group may have sustained is unknown, and the company has said little beyond saying that it's reverted to manual operations in place of some systems it shut down out of caution. The company says it's working with experts to bring its systems back online. 

Dave Bittner: [00:04:41]  It appears, according to Business Insider, that the affected systems are customer-facing business systems, and in particular, those systems customers could use to track shipments. This judgment is based mostly on public customer complaints, and the customers seem to be growing increasingly salty as manual backups appear to have been unequal to the task of providing a minimally acceptable alternative to the automated systems that have been temporarily closed pending remediation. 

Dave Bittner: [00:05:09]  Toll's systems display a message when customers inquire about their stuff. Something went wrong with the connection. We're sorry. The site is taking too long to respond. This should be a short-term issue. Once more is known, perhaps the incident might serve as an object lesson in preparing manual backup and readying a strong corporate communications plan as part of planning for resilience. 

Dave Bittner: [00:05:34]  As usually happens with any news story that achieves widespread circulation and considerable penetration into popular consciousness, the coronavirus epidemic continues to be used as phishbait to spread malware. TechRepublic, citing research by both Kaspersky and IBM's X-Force, reports that emails circulating in Japan and purporting to be from a disability welfare service provider are serving as an infection vector. The inducement to open a malicious Word document attached to the email is the false report that the virus has broken out in three Japanese prefectures. It hasn't, of course, but if you're frightened into opening the attached file, you'll be likely to come down with a case of the Emotet Trojan. 

Dave Bittner: [00:06:17]  The Iowa caucuses represent the first round in the U.S. presidential primaries, and they meet today. As is usually the case, the party that doesn't hold the White House is the interesting one to watch, and, of course, this year, that would be the Democrats. Although, as Politico notes, caucus voting is lower-tech than it will be in other contests, Iowa affords the first look at how 2020's vote will proceed in the face of expected cyber disruption. Watch for reports of influence operations designed to disrupt the caucuses. Watch also for the less likely but still possible attempt by foreign state actors - and we're looking at you, Russia, as usual - to directly manipulate the vote-counting. 

Dave Bittner: [00:06:58]  The state of West Virginia intends to make casting a ballot by smartphone an option for disabled voters this year, NBC News reports. One hopes the gain in accessibility will outweigh the risk of cyberattack and that proper safeguards will be put in place. 

Dave Bittner: [00:07:14]  Mondaq says that the city of Chicago's lawsuit against Marriott over the hotel chain's 2018 data breach has survived a motion to dismiss. The lawsuit is a consumer protection action alleging negligence in securing customer data. 

Dave Bittner: [00:07:30]  The long-anticipated cybersecurity rules the U.S. Defense Department wants the defense industrial base to live by reach their final form at the end of January. CMMC Model version 1.0 will be phased in over the summer of 2020. The Defense Department is open to receiving comments on the rules, as Nextgov reports, but in outline, the new guidelines establish a five-level system that grows more stringent with the sensitivity of the work a company performs. Previously, contractors had been required to attest that they adhere to practices recommended by NIST. The new rules will require certification by paid, accredited third-party assessors. It's expected to take six months to a year to be ready, so if you're the sort to be interested in U.S. federal contractor inside baseball, now would be the time to start getting familiar with CMMC Model version 1.0. 

Dave Bittner: [00:08:25]  Finally, two cases show the varied forms that insider threats can assume. These two cases are interesting in that they involve trusted insiders, and they allege that these insiders knew what they were about. They weren't, in the government's view, instances of well-intentioned error but rather, allegedly, cases in which people had some things to hide and now have some explaining to do. 

Dave Bittner: [00:08:49]  Quartz reports that a Raytheon Missile Systems engineer, Wei Sun, has been arrested for taking a company-issued laptop containing classified information with him on a trip to China. He's being charged with violating federal export control laws. Apparently, Raytheon's security staff found the problem and reported Mr. Sun to the authorities. 

Dave Bittner: [00:09:11]  Charles Lieber, professor and chair of Harvard's chemistry and chemical biology department, has been charged with a single felony count for making false statements to U.S. government agencies. The charge is related to his failure to disclose that he was working for China's Thousand Talents program, receiving $1.5 million from Wuhan University of Technology while he simultaneously received U.S. federal research grants. He faces up to five years in prison, three years of supervised release and a $250,000 fine. The Wall Street Journal observes that it's not illegal to receive foreign grants, but that any such relationships must be disclosed when applying for support from U.S. agencies. A specialist in nanotechnology, professor Lieber had received millions in grants from the U.S. Department of Defense and the National Institutes of Health. 

Dave Bittner: [00:10:08]  And now a word from our sponsor KnowBe4. There's a reason more than half of today's ransomware victims end up paying the ransom. Cybercriminals have become thoughtful, taking time to maximize your organization's potential damage and their payoff. After achieving root access, the bad guys explore your network, reading email, finding data troves. And once they know you, they craft a plan to cause the most panic, pain and operational disruption. Ransomware has gone nuclear, but don't panic. KnowBe4 is hosting an exclusive webinar where you can find out why data backups - even offline backups - won't save you, why ransomware isn't your real problem and how your end users can become your best last line of defense. Go to and learn more about this exclusive webinar. That's, and we thank KnowBe4 for sponsoring our show. 

Dave Bittner: [00:11:20]  And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host over on the "Hacking Humans" podcast. Joe, great to have you back. 

Joe Carrigan: [00:11:29]  Hi, Dave. 

Dave Bittner: [00:11:30]  I spoke with Ben Yelin over on our "Caveat" podcast about this new bill that is going through the Maryland legislature about ransomware. 

Joe Carrigan: [00:11:41]  Maryland Senate Bill 30. 

Dave Bittner: [00:11:42]  And I wanted to get your take on it because - I don't know - I think I was a little counter to Ben on his reaction to it. And I suspect you and I probably align. But... 

Joe Carrigan: [00:11:53]  Yeah. 

Dave Bittner: [00:11:53]  ...Before we dig in, can you just give us a quick overview? What's Maryland up to here? 

Joe Carrigan: [00:11:58]  What they're doing is they are defining what ransomware is in this law. Then they're making it illegal to, quote, "knowingly possess ransomware with the intent to use the ransomware for the purpose of introduction into the computer." 

Dave Bittner: [00:12:12]  OK. 

Joe Carrigan: [00:12:13]  OK. And then directly above that, the paragraph says, this paragraph does not apply to the use of ransomware for research purposes. 

Dave Bittner: [00:12:19]  And they're making this a misdemeanor with up to 10 years of imprisonment and a fine of up to $10,000. 

Joe Carrigan: [00:12:25]  That's correct. That's the third change that they've made. They've made three changes to this law. One is they define what ransomware is. Two, they make possession of it with the intent to use it a crime. And three, they specify what the penalties are. Maryland law is actually very easy to read... 

Dave Bittner: [00:12:41]  (Laughter) Comparatively. 

Joe Carrigan: [00:12:41]  ...Surprisingly so. 

Dave Bittner: [00:12:42]  Yeah, yeah. OK. (Laughter). 

Joe Carrigan: [00:12:44]  So there's a lot of hype about this law that I've seen in the press recently - in the security press. People should be aware of a few things. Everything that is not related to ransomware in this law is already on the books in Maryland. This bill repeals and replaces that existing law with the new law that includes the ransomware language. 

Dave Bittner: [00:13:06]  So we're just being a little more specific about ransomware. 

Joe Carrigan: [00:13:09]  We're broadening the scope of the law. 

Dave Bittner: [00:13:10]  And I suppose it's fair to say that, as a bit of background, of course Baltimore got pummeled by ransomware recently - or in the past year or so. 

Joe Carrigan: [00:13:19]  Yeah... 

Dave Bittner: [00:13:19]  It cost them over $18 million. 

Joe Carrigan: [00:13:21]  Yes, it was a bad situation. And that was not the first time that had happened. 

Dave Bittner: [00:13:25]  Yeah. 

Joe Carrigan: [00:13:26]  They had also had their 911 system attacked by ransomware. 

Dave Bittner: [00:13:28]  Yeah. 

Joe Carrigan: [00:13:29]  And there was a ransomware incident in Salisbury, I believe. Well... 

Dave Bittner: [00:13:32]  So... 

Joe Carrigan: [00:13:33]  ...I'm going from memory on that. 

Dave Bittner: [00:13:33]  ...When Ben Yelin and I were talking about this, Ben made the point that he thought this was good for deterrence. I was a little more skeptical about that. 

Joe Carrigan: [00:13:41]  Yeah, I am... 

Dave Bittner: [00:13:41]  Where do you come down on this? 

Joe Carrigan: [00:13:42]  ...Very skeptical about that. I don't think this will deter anybody from possessing ransomware. No. 1, Maryland is - you know, how are you going to prosecute, under Maryland law, somebody in a different country? 

Dave Bittner: [00:13:55]  Right. 

Joe Carrigan: [00:13:55]  Are you going to ask them to be extradited to Maryland where you can prosecute them? Also, with the fact that this research exclusion is written very broadly - it says, this paragraph does not apply to the use of ransomware for research purposes. So if I have ransomware - even if I have intent to distribute it - and I get busted because I live in Maryland... 

Dave Bittner: [00:14:18]  Mmm hmm. 

Joe Carrigan: [00:14:19]  ...And I say, hey, I'm just researching it... 

Dave Bittner: [00:14:21]  Yeah (laughter). 

Joe Carrigan: [00:14:22]  And how does that - how does that not... 

Dave Bittner: [00:14:24]  Is that your Get Out of Jail Free card? 

Joe Carrigan: [00:14:25]  Yeah. How does that not a Get Out of Jail Free card? 

Dave Bittner: [00:14:27]  Yeah. I mean, I guess you'd have to convince the judge. 

Joe Carrigan: [00:14:29]  Right. 

Dave Bittner: [00:14:29]  Certainly, the arguments would be made. But you're correct. It is kind of broad. 

Joe Carrigan: [00:14:32]  Yes. 

Dave Bittner: [00:14:33]  Yeah. I mean - and my take on this is that this is a response by our legislators that Baltimore got hit hard. 

Joe Carrigan: [00:14:40]  Right. 

Dave Bittner: [00:14:41]  And it's good for them to make a public display that we take this seriously, we're doing something about this. Look - we're taking action. 

Joe Carrigan: [00:14:49]  Yeah. Yeah. And this really doesn't - in my opinion, this doesn't take very much action at all. It doesn't offer any greater security. It doesn't - it does provide a penalty for something. And maybe Ben's right that that is some kind of disincentive. I don't know how much of a disincentive it is. I don't know how many ransomware attacks originate from Maryland. 

Dave Bittner: [00:15:10]  Right. 

Joe Carrigan: [00:15:10]  I suspect it's very low. There is another bill that's in - that expands the scope of the secretary of IT to include advising and consulting on cybersecurity matters. I think that is a better bill. It does move the state in a more secure direction. 

Dave Bittner: [00:15:29]  Yeah. Well, I suppose it's good that there's recognition at the state level that this - these sorts of things require action. Of course... 

Joe Carrigan: [00:15:36]  I will say that. I will say I'm glad to see that the Maryland legislature is starting to look at cybersecurity as a - as an issue that needs to be addressed. 

Dave Bittner: [00:15:44]  Yeah. I guess an $18 million bill from Baltimore will get your attention (laughter)... 

Joe Carrigan: [00:15:48]  Yeah. 

Dave Bittner: [00:15:49]  ...When it comes to these kinds of things, right? Right (laughter). 

Joe Carrigan: [00:15:51]  I wonder what it cost Salisbury, too. I haven't found any reporting on that yet. 

Dave Bittner: [00:15:54]  Yeah, yeah. All right. Well, interesting development. Joe Carrigan, thanks for joining us. 

Joe Carrigan: [00:15:59]  It's my pleasure. 

Dave Bittner: [00:16:05]  And that's the CyberWire. For links to all of today's stories, check out our daily news brief at 

Dave Bittner: [00:16:11]  Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at 

Dave Bittner: [00:16:23]  Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security, Ha. I joined Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence. Every week, we talk to interesting people about timely cybersecurity topics. That's at 

Dave Bittner: [00:16:52]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. See you back here tomorrow.