New Entries Into The Ransomware Worm Family Detected That Could Prove More Dangerous Than WannaCry
By Joseph Salazar
Immediately following the WannaCry attack, CISOs started to examine ways they could improve their ransomware defenses (we described the deception solution in our recent blog Deception Derails Ransomware: WannaCry Analyzed by Attivo Labs.)
UIWIX is a ransomware which spreads using flaws in Windows SMBv1 and SMBv2 actively exploited by EternalBlue, the stolen NSA exploit that was made public by the group ShadowBrokers. An SMB worm, EternalBlue exploits SMB vulnerabilities to spread, and uses a 24-hour activation delay to try to frustrate efforts to study it. UIWIX is believed to be even more dangerous than WannaCry. The malware uses AES-256 encryption cipher to corrupt files on the affected computer and appends .UIWIX or ._[victim’s id].uivix file extensions to each of them. Following data encryption, ransomware drops a ransom note called _DECODE_FILES.txt. Here cyber criminals provide a unique victim’s ID and give a link to the payment website. What makes UIWIX so dangerous is that it only executes in memory, not writing anything to disk for analysis, and will not run if it detects any type of Virtual Machine hypervisor, preventing easy analysis.
According to researchers in some ways, it’s a good thing that WannaCry came first, in that it wasn’t as well written. People are now aware of the vulnerabilities being exploited by EternalBlue and are patching it.
Now experts have warned that a new cyber threat called Adylkuzz is currently being deployed that could also be more devastating than the WannaCry attack. Ironically, it was a pre-cursor to Wannacry and actually limited the spread of WannaCry over SMB. The EternalBlue exploit toolkit used in the WannaCry cyberattack was also used to build the money-making botnet. It uses both EternalBlue and DoublePulsar to install its ‘cryptocurrency miner’ that infects computers and servers. It is also difficult to detect and is more profitable for the attacker because it generates cyber-money. It devotes a computer’s processing power towards the upkeep of the mining network in return for a reward. For context: cryptocurrencies — the most famous of which is bitcoin — are decentralized digital currencies that operate without any central bank. Typically, new “coins” are created by “mining”.
This financial incentive means that some people become professional “miners,” building dedicated rigs with specialized hardware that do nothing but mine cryptocurrencies. It also means that hackers sometimes try and hijack people’s computers to mine cryptocurrencies without them realizing — making the attacker a tidy profit at the expense of the victim’s computer’s performance.
And while an individual computer may only generate a few dollars a week, the collective network can generate millions of dollars for the hackers. Unlike ransomware, no demands for money are made of victims and users will only notice their Windows machine is running slowly and that they don’t have access to shared Windows resources.
The attack is currently ongoing and, while less flashy than WannaCry, is nonetheless quite large, affecting hundreds of thousands of PCs and servers worldwide and is potentially quite disruptive.
Until now, it has largely flown under the radar. Symptoms of this attack include loss of access to shared Windows resources and degradation of PC and server performance. Several large organizations reported network issues that were originally attributed to the WannaCry campaign. However, because of the lack of ransom notices, it is now believed that these problems might be associated with Adylkuzz activity.
Yet another strain of ransomware malware, EternalRocks, has been identified this month. It too has been labelled more dangerous than WannaCry and very difficult to detect. According to researchers, “EternalRocks” exploits the same vulnerability in Windows that helped WannaCry spread to computers and it also uses EternalBlue. In fact, it also uses six other NSA tools including EternalBlue, DoublePulsar, EternalChampion, EternalRomance, EternalSynergy, ArchiTouch, and SMBTouch
In its current form, “EternalRocks” does not have any malicious elements — it does not lock or corrupt files, or use compromised machines to build a botnet — but leaves infected computers vulnerable to remote commands that could ‘weaponize’ the infection at any time. “EternalRocks” is stronger that WannaCry because it does not have any weaknesses, including the kill switch that a researcher used to help contain the ransomware.
Microsoft patched the vulnerabilities in March, but many PCs remain at risk due to users not updating their OS. EternalRocks can also remain a “sleeping Trojan horse” in that it has not alerted victims to a ransomware infection. It can remain hidden, continue downloading from Tor, and sending signals to the worm’s servers, and from there, once the server responds, start downloading and self-replicating. A concern for all is that EternalRocks can be weaponized at any time and what its ultimate attack intent is, is not truly known at this stage.
These new entries are clear indications that the past success of ransomware is going to generate a host of new malware. It is safe to assume that a new outbreak is bound to come in the near future. As a result, CISOs should be even more vigilant in keeping patches current, as difficult as that can prove, and provide continual social engineering awareness throughout their organizations. It is also time to re-evaluate existing security posture when it comes to ransomware and begin to look at new technologies that will provide an additional layer of protection and integrate easily with their legacy systems. The Attivo Deception and Response technology is well suited to fill the gap. It delays Ransomware attacks as was noted in earlier blogs, and can detect the use of the EternalBlue, stalling Ransomware attacks providing Incident Responders time to isolate the system and remediate the infection. Look here for more information.