WannaCry again? Meet Adylkuzz, its sneaky cryptocurrency mining sibling

More than 400,000 computers worldwide have been infected with WannaCry ransomware since the beginning of the devastating attack on May 12th, 2017. WannaCry has compromised standalone and networked Windows computers, at home and in the enterprise. The initial attack was made possible because of EternalBlue, the vulnerability exposed by the Shadow Brokers, an anonymous group who claim they will expose more zero-day vulnerabilities soon. Around the same time experts were trying to handle the WannaCry attack, they detected another computer virus in the same family as WannaCry: Adylkuzz.

What is Adylkuzz? 

Silently installing itself in the background of your computer, Adylkuzz is a virus that runs software which mines Monero, a cryptocurrency similar to Bitcoin. This virus exploits the DoublePulsar and EternalBlue vulnerabilities to attack systems, and then neutralizes Server Message Block (SMB) networking on the infected machine to prevent other malware from reinfecting it through the same vulnerability. Surprisingly, WannaCry could have had a larger impact if Adylkuzz hadn't blocked other malware from exploiting the SMB vulnerability on the machines it had already taken.

Discovery of Adylkuzz

While exploring the impact of WannaCry, a few security researchers exposed their lab machines to the EternalBlue vulnerability to identify exactly how WannaCry infects systems; instead, they discovered new malware called Adylkuzz, which was more prominent than WannaCry. Those researchers repeated the operation a few times, exposing a few other machines with the same vulnerability to the web. Each time, their machines ended up being enrolled in an Adylkuzz mining botnet, which activates this virus.

How does Adylkuzz infiltrate your network?

Adylkuzz is launched from various virtual private servers that scan for a point of entry on TCP port 445. After successful exploitation using EternalBlue, machines are then infected with DoublePulsar. DoublePulsar opens a backdoor for the download and installation of Adylkuzz from another host. After installation, Adylkuzz blocks SMB communication to avoid further infection. Adylkuzz then identifies the victim's public IP address and downloads the mining instructions to their computer. At any given instant, there are multiple Adylkuzz command and control servers hosting the cryptominer binaries and mining instructions.
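The infection chain above starts with a scan for TCP port 445, which is something a defender can look for in perimeter or host firewall logs. The following is an added example, not code from the original article: it parses a few constructed flow records, flags any source that reached many distinct hosts on port 445 within a short window, and lists the internal hosts that accepted an SMB connection from such a source so they can be prioritized for patch and compromise checks. The log format, field names, threshold and window are assumptions for the example.

```python
"""Flag port-445 scanning sources and the internal hosts they reached.

Added example (not from the original article). The flow-log format,
threshold and window are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow log: timestamp, source, destination, dst_port, action.
# 203.0.113.10 sweeps six internal hosts on 445 in a few seconds (scan-like);
# 10.0.0.20 touches only two hosts on 445 over a minute (normal file sharing).
SAMPLE_FLOWS = """\
2017-05-15T09:00:01Z 203.0.113.10 10.0.0.5 445 ALLOW
2017-05-15T09:00:02Z 203.0.113.10 10.0.0.6 445 DENY
2017-05-15T09:00:02Z 203.0.113.10 10.0.0.7 445 DENY
2017-05-15T09:00:03Z 203.0.113.10 10.0.0.8 445 DENY
2017-05-15T09:00:03Z 203.0.113.10 10.0.0.9 445 DENY
2017-05-15T09:00:04Z 203.0.113.10 10.0.0.10 445 DENY
2017-05-15T09:00:10Z 10.0.0.20 10.0.0.5 445 ALLOW
2017-05-15T09:01:00Z 10.0.0.20 10.0.0.6 445 ALLOW
2017-05-15T09:05:00Z 198.51.100.7 10.0.0.5 443 ALLOW
"""

SCAN_THRESHOLD = 5            # distinct destinations on 445 within the window (assumed)
WINDOW = timedelta(minutes=1)  # sliding window length (assumed)


def parse_flows(text):
    """Turn the space-separated sample log into a list of dict records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, action = line.split()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src,
            "dst": dst,
            "port": int(port),
            "action": action,
        })
    return records


def find_port445_scanners(records, threshold=SCAN_THRESHOLD, window=WINDOW):
    """Return the set of sources that touched >= threshold distinct hosts
    on TCP 445 within any window-sized span (denied attempts count too)."""
    by_src = defaultdict(list)
    for r in records:
        if r["port"] == 445:
            by_src[r["src"]].append(r)

    scanners = set()
    for src, flows in by_src.items():
        flows.sort(key=lambda r: r["ts"])
        for i, start in enumerate(flows):
            in_window = [r for r in flows[i:] if r["ts"] - start["ts"] <= window]
            if len({r["dst"] for r in in_window}) >= threshold:
                scanners.add(src)
                break
    return scanners


def hosts_reached_by(records, scanners):
    """Internal hosts that accepted an SMB connection from a flagged scanner;
    these are the first candidates for patch status and compromise checks."""
    return sorted({
        r["dst"] for r in records
        if r["src"] in scanners and r["port"] == 445 and r["action"] == "ALLOW"
    })


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    found = find_port445_scanners(flows)
    print("port-445 scanners:", sorted(found))
    print("hosts that accepted SMB from a scanner:", hosts_reached_by(flows, found))
```

Counting denied attempts as well as allowed ones matters here: a scanning host that is blocked on most targets still stands out by the number of distinct destinations it tried, and the one host that did answer on 445 is the one to look at first.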

Where do cryptocurrencies fit into the mix?

Over the last few years, cryptocurrencies have been gaining traction, and the cryptocurrency market has recently passed $77 billion. Most cryptocurrencies have the ability to transfer funds directly to an address (a wallet), and many people employ this feature for mundane purposes, such as making international transactions. But cryptocurrency also has some nefarious uses, such as among individuals working with viruses and in black market affairs.

Mining is the only way to generate cryptocurrencies like Monero, but it's a slow process that requires a considerable amount of processing power. Cryptocurrency mining malware like Adylkuzz runs hidden mining processes on infected machines to generate cryptocurrency without draining any of the hacker's own resources. Adylkuzz significantly slows down infected computers while downloading and executing mining instructions or performing mining operations. Monero, the cryptocurrency mined by Adylkuzz, gained popularity after AlphaBay, a major darknet market, began accepting it for payment. Even the hackers who developed WannaCry utilized cryptocurrency, requiring infected users to pay the ransom in Bitcoin.

Stay secure by patching your systems

Adylkuzz's attack began in parallel with WannaCry. Unfortunately, unlike WannaCry, Adylkuzz infections are difficult for end users to identify, and the hackers recently changed the address where mined Monero is delivered. With attacks like WannaCry and Adylkuzz exploiting networks around the world, practicing the right security measures is essential for staying ahead. One of the most effective ways to prevent the exploitation of known software vulnerabilities is patching.

Security professionals are working hard on a daily basis to stop breaches, and IT companies are rushing to patch computers. Now is the time for leaders to start brainstorming ways to keep their organizations secure in the future. Experts suggest organizations should employ an endpoint management solution to keep their systems up to date, allowing them to close any vulnerabilities that may crop up.

For those who haven't implemented the SMB patch that Windows released last month, their PCs and servers will remain vulnerable to Adylkuzz and other viruses that implement this type of attack. Ransomware and viral cryptocurrency miners are disruptive and costly, and now that two major threats have employed them in their attack tools and used the same vulnerability, we expect other threats will follow soon.

Protect yourself from copycat attacks and all of WannaCry's "siblings" with an effective patch management solution. There's no excuse for leaving vulnerabilities unchecked.