Your browser is obsolete!

The page may not load correctly.

Encrypt everything

Закодировать всё

Other issues in this category (24)
  • add to favourites
    Add to Bookmarks

WannaCry: Talents and their fans

Read: 34927 Comments: 2 Rating: 9

Tuesday, May 30, 2017

Recall, if you will, that WannaCry relies on the use of tools and exploits that were made publicly available by The Shadow Brokers who stole them from Equation Group which is suspected of having ties to the US National Security Agency.

The WannaCry “epidemic” (yes, in quotation marks) looks rather strange:

  1. Unlike ordinary encryption ransomware programs, which spread with spam mailings and whose impact is proportional to the quantity of unsolicited mailings involved, WannaCry gets into machines a different way. In contrast to other programs, WannaCry resembles a pyramid scheme: every newly infected machine attempts to infect other hosts on both the local network and the Internet. It very much resembles the outbreaks that occurred in the early 2000s. But the outcome! Melissa infected 20% of computers worldwide. I Love You! compromised millions of PCs in just hours. Perhaps, the Internet has become a more secure place since then?

    Over 18% of PCs run pirated versions of Windows, while 23% of machines have Windows Update disabled.

    But what about WannaCry? According to various estimates 200,000 to 400,000 computers have been infected.

    According to MalwareHunter, on May 19 XData infected four times as many machines in the Ukraine as the notorious WannaCry did in an entire week.

    Have you read about XData (a.k.a. Trojan.Encoder.11526 under the Dr.Web classification system) in the media? It’s an odd case.

  2. The attack affected almost exclusively large companies and private individuals; the number of small and medium businesses impacted was insignificant.

    Here’s how Doctor Web's partners replied to the question about whether the small and medium-size businesses among their customers had been affected (company names have been removed):

    M..:not yet А..:no А..:no В..:no В..:no one was affected, but everyone is scared :)

    Isn’t that strange given the fact that the malware uses a sophisticated technique to infect targeted computers? Meanwhile, the publicity was enormous.

    What do you think—why was this particular encryption ransomware species so widely discussed in the media? Conspiracy theories?

    A question to Doctor Web's partners during a webinar

  3. Decryption is not guaranteed because the encryption keys that are used to show users that recovery is feasible differ from the keys that are used to compromise their other files.
  4. The ransom amount (from 300 USD in bitcoins) is quite affordable for most of the companies that have been affected. Many of them have refused to pay it in order to preserve their reputation.

All in all, the WannaCry outbreak spawned a huge number of media reports, a small number of infections, and meagre earnings for the criminals. Who profits the most? It’s unclear.

However, the minimum takeaway on this is that people wanting to make money observed the following:

  1. There’s a way to attack at least a quarter of the world’s computers.
  2. There is a guaranteed way to penetrate targeted machines—no need to rely on users clicking on links because once a Trojan gets inside, it automatically acquires administrator privileges.

WannaCry is far from being a complex malicious program, and its shortcomings have been discussed by media organisations around the world:

  1. It doesn't use re-encryption.
  2. It doesn't conceal its presence from anti-viruses.
  3. It uses a vulnerable procedure to communicate with its command and control (C&C) server.

One doesn't need to be a fortune teller to predict what’s going to happen next:


Security researcher Miroslav Stampar discovered the malware EternalRocks, which uses seven NSA leaked hacking tools simultaneously—EternalBlue, Eternalchampion, Eternalromance, Eternalsynergy, Doublepulsar, Architouch and SMBtouch.

To deceive security researchers, EternalRocks disguises itself as the WannaCry worm; however, unlike the latter it doesn't download ransomware onto targeted machines. The malware is used to prepare a targeted system for further attacks.

EternalRocks communicates with its C&C server over Tor. After receiving its first query from the worm, the server replies an entire 24 hours later, sending it the file Once it extracts the file’s contents, the worm starts scanning hosts on the Internet to detect systems that have an open port 445. Unlike WannaCry, it doesn't have a kill switch in the form of a domain name. In a compromised system, EternalRocks gains administrative privileges, and even if a vulnerability patch is later applied on the machine, the worm remains operational.

It is apparent that the malware (detected by Dr.Web as Trojan.EternalRocks.1) enjoys more sophisticated code–as many as 7 hacking tools!


The EternalBlue exploit attack vector leveraged by WannaCry was also used to spread the cryptocurrency miner Adylkuzz.

Three (the most advanced option):

UIWIX is a new malware family. Similarly to WannaCry, this malware exploits the SMB vulnerability that was patched under the MS17-010 security bulletin. The exploit for the vulnerability (EternalBlue) had supposedly been at the NSA's disposal until The Shadow Brokers’ hackers made it available to the general public.

Apart from exploiting the same vulnerability, UIWIX and WannaCry have nothing in common. Unlike WannaCry, UIWIX doesn't exist as files. After the exploit is applied, the rest of the malicious code is executed only in the memory. In the course of an attack, no component files are written onto the hard drive which complicates the malicious program's detection. UIWIX is much stealthier than WannaCry. If the malware finds itself running on a virtual machine or in a sandbox of any kind, it destroys itself. The self-destruct mechanism is also triggered if the ransomware ends up on a computer in Russia, Kazakhstan or Belarus.

Unlike WannaCry, UIWIX doesn't persist in a system after it’s been restarted, and its code doesn't contain a domain name kill switch. UIWIX’s authors are demanding a smaller ransom—$200 rather than $300 to $600—for file decryption.

An analysis of UIWIX’s code revealed that it can collect browser, email, instant messenger, and FTP server authorisation data.

Dr.Web detects this ransomware program as Trojan.Encoder.11536. It evades detection by anti-viruses and detects virtual machines and sandboxes.

Will exploiting vulnerabilities become a popular means of infection? Time will tell.

#encryption_ransomware #ransomware #Trojan.Encoder #cybercrime #cyber-crime #virus-maker #security_update #vulnerability #extortion

The Anti-virus Times recommends

  • What security experts have been warning us about has finally happened: updates MUST be installed for ALL the applications in a system. If you’re feeling ambitious you can count up how many times we’ve written about this in the Anti-virus Times. Because, if you don't update the software on your machine, the outcome can be something like this:


    The impact of an encryption ransomware attack; the photo was taken from

    We’ve repeatedly indicated that publishing information about vulnerabilities is a bad idea because even though patches are released for them, users neglect to install them. They just never do it. Criminals are aware of this too!

    My personal laptop runs Windows 7 Home Premium and installs all the patches automatically whenever I turn it on…

    And my Windows 10 tablet also installs patches automatically as soon as it is powered on… Don't corporate desktops and laptops automatically have their operating systems updated whenever they are turned on or shut down?

    A journalist’s question to Doctor Web’s PR service

    Often, as soon as information about a vulnerability is published (and a security patch is released), massive attacks are mounted by hackers and script kiddies—the latter are people who can't discover vulnerabilities and design exploits but rather use the results of someone else's work.

    If patches were installed on all computers, none of the above-mentioned Trojans would ever knock on their doors.

    My father-in-law got one… He was playing World of Tanks and went AFK to get a cup of tea. When he came back to his rig, he discovered a ransomware message window saying that all of his files were encrypted.

    Reported by a participant in one of Doctor Web's partner webinars

  • Disable all the services you don’t use. To make a WannaCry attack impossible, you don't even need to install the security patch. Just run one system command! And by the way, the recommendation to disable SMBv1 was published back in 2016, Carl!


Tell us what you think

To leave a comment, you need to log in under your Doctor Web site account. If you don't have an account yet, you can create one.