Adylkuzz: How WannaCry Ransomware Attack Alerted The World To Even Worse Threats

Image: Canadian Institute of Mining, CC-BY

Your garden variety ransomware, like Cerber, is the canary in the coal mine that rudely, but thankfully announces bigger security issues: insider threats and cyberattacks that take advantage of too much employee access to files. As disruptive as WannaCry has been to vulnerable organizations, this is their canary in the coal mine moment that should alert them to more deadly attacks that don’t announce their presence, like the cryptocurrency miner Adylkuzz.

Researchers at Proofpoint have identified an attack that is larger and sneakier than WannaCry, and one that may have slowed WannaCry’s spread. Adylkuzz is a malware that uses the same exploits designed by the NSA and utilized in the WannaCry attack, but instead of announcing itself, it quietly installs a hidden program to mine for cryptocurrency that the attackers can then use. Even more interesting, Adylkuzz then blocks the SMB port to avoid further infection, such as a WannaCry infection.

Upon successful exploitation via EternalBlue, machines are infected with DoublePulsar. The DoublePulsar backdoor then downloads and runs Adylkuzz from another host. Once running, Adylkuzz will first stop any potential instances of itself already running and block SMB communication to avoid further infection. It then determines the public IP address of the victim and download the mining instructions, cryptominer, and cleanup tools.

Adylkuzz has over 20 hosts designed to scan and launch attacks, and more than a dozen command and control (C&C) servers at any given time. Within 20 minutes of connecting a test computer with the known vulnerability to the Internet, it was infected with Adylkuzz.

In this instance, instead of your files being held hostage, your processing power is drained and you’re out a few thousand Moneros.  But none of this compares to the hacker who decides to play the long game with DoublePulsar and EternalBlue and stealthily survey and exfiltrate all the health records, student records, intellectual property and incriminating emails they can get their hands on.

WannaCry changed the world and proved that the bad guys will find their way past any perimeter security.  Defense-in-depth should be on your mind. The value of information and the systems that store it is clear – very few organizations can function when their data is inaccessible – no one can function when their data is stolen and their organizational reputation destroyed. If you don’t address the vulnerabilities surrounding your data and your systems you will lose. Obviously you need to patch, but you can’t stop there – you need to continually question your layers of defense: What if a user’s account or system gets compromised? What data can that account access? How would I see abuse? What would it mean if this data was lost or stolen?

No one can prepare for every possible scenario, but organizations need to raise their game. If an organization is patched, restricts employee access to data and systems, and monitors and alerts on unusual activity, they should be in reasonably good shape to withstand this and other attacks.

Varonis stops ransomware by, 1) reducing what normal employee accounts can access (pruning privileges they don’t need), 2) watching how users use data to spot attacks like ransomware in progress, and 3) automatically locking out offending accounts.

Learn how we’re helping out customers spot and stop ransomware and other insider threats: https://www.varonis.com/ransomware-solutions.

Image: Canadian Institute of Mining, CC-BY

Get the latest security news in your inbox.