Days before WannaCry came into the spotlight, there were already some other ransomware and malware taking advantage of the SMB exploit (published under the codename ETERNALBLUE/DOUBLEPULSAR) following shadow brokers dump (NSA exploit targeting windows file sharing protocol). So far, WannaCry ransomware has infected more than 150 countries causing widespread panic. Although WannaCry distribution may have been stopped, the widespread of ransomware and similar malware distribution has not stopped yet.
UIWIX is an entirely new variant and has also been spotted in the wild. Like WannaCry, this ransomware program is also built under ETERNABLUE. It has ability to infect machines without writing files to permanent storage and hence, making it extremely harder to detect through conventional forensics. This ransomware renames files with ‘.uiwix’ extension and drops a text file called ’_DECODE_FILES.txt’ which contains requirements for decryption and payment address and mode of payment. Uiwix however poses an even bigger threat than WannaCry ransomware since it does not include any kill switch domains.
Another program using the same SMB vulnerability to exploit the system using EternalBlue and DoublePulsar is Adylkuzz. Adylkuzz exploits the SMB vulnerability to mine an obscure cryptocurrency called Monero.
Basically, Monero is a cryptocurrency similar to the Bitcoin but with enhanced anonymity capabilities. A major of underground website known to sell drugs, stolen credit cards and counterfeit items make use of monero. However, unlike WannaCry, Adylkuzz does not have the ability to self-propagate.
It has been found that Adylkuzz started exploiting the same vulnerability somewhere between 24th April and 2nd May i.e. weeks before WannaCry came into the scene. It infects the system taking an advantage of SMB vulnerability and shuts down SMB networking for further infection of the system with other malwares including WannaCry ransomware worm, detects the public IP address of the system, downloads the mining instructions, cryptominer and other cleaner tools. Therefore, we can easily predict that there are huge number of systems being infected with this very malware than that of WannaCry ransomware worm. Adylkuzz did not caused the same chaos as that of WannaCry since it was not shutting down computers or was not sending some ransom notes, all it did was perform Monero mining operation in the background. Although it is not catastrophic enough to raise an alarm and remained undected and hidden until the WannaCry came into the limelight gaining much more public attention.
Who is behind the current attack?
It has been found that WannaCry’s code shares some portion of the code to the Lazarus APT group who was responsible heavily for the Sony Wiper attack (Sony Pictures Entertainment being hacked using wiper malware), the Bangladesh bank heist ($81 million heist from SWIFT network using Dridex malware) and the DarkSeoul operations (Backdoor Trojan, dubbed as Duuzer, Brambul and Joanap malware targeting south Korean organizations, institutions and industries). Lazarus APT group was found to have conducted multiple attacks worldwide and was found to have a direct link between Bluenoroff and North Korea. So, there could be a possible clue that North Korea could probably be behind the current WannaCry attack. However, it is still too early to determine who exactly is behind this attack since, the repetition of the code could also be a false flag.
It is therefore, highly recommended that you update your systems for MS17-010 and if you do not use SMB then it is also recommended that you disable the SMB version one.
To disable SMB follow the following steps:
- Open Control Panel.
- Click Programs.
- Click Turn Windows features on or off (under the Programs).
- Make sure that your ‘SMB 1.0/CIFS File Sharing Support’ is not ticked.
If you are a PowerShell user make sure that you disable SMB version one by typing the following command with administrator privilege:
Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” SMB1 -Value 0 -Force