Adylkuzz, the cryptocurrency mining botnet that travels in the shadow of WannaCry
With its May 12 onslaught, the WannaCry (also known as WannaCrypt, WannaCrypt0r, or WCry) ransomware has generated numerous headlines. It does have all the elements of a good story: stockpiled vulnerabilities from a US spy agency, their release by a mysterious hacker group, widespread impact on individuals and hospitals around the globe, and even rumors that the entire attack was the clever work of a rogue nation.
But there is more to the story. Researchers have found a quieter piece of malware that exploits the same vulnerabilities to mine cryptocurrency on infected computers. And while ransomware gets attention by encrypting files, freezing out users, and presenting them with a threatening ransom note, this malware, named Adylkuzz, stays undercover: it quietly steals the computing capacity of infected machines and networks to mine cryptocurrency and then sends the results of its work back to a mysterious server.
“Why isn’t this malware getting attention? Because there is no offensive ransom note on the monitor or file encryption. It is only stealing your processor time to calculate bitcoins in the background,” explained Alexander Vukcevic, head of the Avira Virus Lab. Typical symptoms of an infection are the loss of access to shared Windows services and a degradation of PC and server performance.
Same song, first verse
The rollout of Adylkuzz relies on the same leaked NSA exploits used by WannaCry. It targets unpatched vulnerabilities and uses a worm-like feature to spread through computer networks, all without requiring any user involvement or social engineering. According to the researchers, Adylkuzz also preceded WannaCry by several weeks. But thanks to its strategy of quietly mining Monero cryptocurrency in the background, it remained off the radar of the public and the security community.
Money for nothing, Monero for free
Adylkuzz may be a far more effective moneymaker than the WannaCry ransomware, which, despite infecting several hundred thousand devices, has collected only an estimated $70,000 in ransom payments.
The Monero cryptocurrency, with an exchange rate of 25 Euro (~28 US Dollar), is designed for private, untraceable transactions. While it may be less well known than Bitcoin, it is reportedly easier to mine across a botnet of infected computers. Researchers have spotted over 20 hosts scanning for new victims to attack and a dozen C&C servers for managing the operation and receiving the newly minted funds, and they are confident there are more. Rather perversely, by blocking further attacks against the vulnerable Microsoft Server Message Block (SMB) service on machines it has already infected, Adylkuzz may have helped to slow the rapid spread of WannaCry.
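Both Adylkuzz and WannaCry announce themselves on the network before they announce themselves on a screen: an infected host fans out to many neighbours on TCP/445 looking for unpatched SMB services. The following is an added example, not code from the Avira post or from the researchers it cites, showing how a simple sliding-window detector over firewall or flow logs surfaces that fan-out. The log format, the sample records and the threshold of ten distinct SMB peers within sixty seconds are all constructed assumptions for illustration; tune them to your own environment.

```python
"""
Added example (not part of the original Avira post): flag internal hosts that
contact many distinct peers on TCP/445 within a short window, the scanning
pattern of an SMB worm such as Adylkuzz or WannaCry.

All log lines below are constructed sample data; the log format
("timestamp src dst dport proto") is an assumption, not a real product format.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SMB_PORT = 445

# Constructed sample flow records. 10.0.1.15 sweeps ten neighbours on 445 in
# a few seconds (worm-like), 10.0.1.40 talks to one file server repeatedly
# (normal), 10.0.1.42 touches two hosts ten minutes apart (normal).
SAMPLE_LOG = """\
2017-05-12T10:00:01 10.0.1.15 10.0.1.20 445 tcp
2017-05-12T10:00:01 10.0.1.15 10.0.1.21 445 tcp
2017-05-12T10:00:02 10.0.1.15 10.0.1.22 445 tcp
2017-05-12T10:00:02 10.0.1.15 10.0.1.23 445 tcp
2017-05-12T10:00:03 10.0.1.15 10.0.1.24 445 tcp
2017-05-12T10:00:03 10.0.1.15 10.0.1.25 445 tcp
2017-05-12T10:00:04 10.0.1.15 10.0.1.26 445 tcp
2017-05-12T10:00:04 10.0.1.15 10.0.1.27 445 tcp
2017-05-12T10:00:05 10.0.1.15 10.0.1.28 445 tcp
2017-05-12T10:00:05 10.0.1.15 10.0.1.29 445 tcp
2017-05-12T10:00:07 10.0.1.40 10.0.1.5 445 tcp
2017-05-12T10:00:08 10.0.1.40 10.0.1.5 445 tcp
2017-05-12T10:00:09 10.0.1.41 10.0.1.5 80 tcp
2017-05-12T10:05:00 10.0.1.42 10.0.1.60 445 tcp
2017-05-12T10:15:00 10.0.1.42 10.0.1.61 445 tcp
"""


def parse_flows(text):
    """Parse the assumed log format into (timestamp, src, dst, dport, proto) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport), proto.lower()))
    return flows


def find_smb_scanners(flows, threshold=10, window_seconds=60):
    """Return {src: peak_distinct_peers} for sources that reached at least
    `threshold` distinct hosts on 445/tcp inside any `window_seconds` window.

    Repeated connections to the same peer (a file server) do not raise the
    count, so ordinary SMB use stays below the threshold."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, proto in flows:
        if dport == SMB_PORT and proto == "tcp":
            by_src[src].append((ts, dst))

    window = timedelta(seconds=window_seconds)
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        recent = deque()  # events within the current sliding window
        peak = 0
        for ts, dst in events:
            recent.append((ts, dst))
            while recent and ts - recent[0][0] > window:
                recent.popleft()
            peak = max(peak, len({d for _, d in recent}))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    for src, peers in sorted(find_smb_scanners(parse_flows(SAMPLE_LOG)).items()):
        print(f"possible SMB scanner {src}: {peers} distinct peers on 445/tcp")
```

On the constructed sample the detector flags only 10.0.1.15. In a real deployment the window and threshold depend on how chatty legitimate SMB clients are on your segment; the second symptom in the text, shared Windows services becoming unreachable, shows up in the same logs as a host that was previously a popular 445 destination and suddenly stops accepting connections.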
Security is a state of mind
In most cases, the spread of both Adylkuzz and WannaCry has been a matter of basic IT hygiene. Just as the dentist recommends regular flossing to prevent the buildup of plaque, it is essential that computer users keep their devices updated with the latest patches. The spread of WannaCry, and the believed spread of Adylkuzz, maps onto where people run outdated or pirated software and do not keep their devices fully patched.
“Armed with a hot vulnerability, it is really the cybercriminal’s decision how they want to exploit it – whether through data mining the Adylkuzz cryptocurrency, a more traditional ransomware, or the next greatest threat,” said Alexander Vukcevic. “While we do block it with our Avira Protection Cloud detection, it is essential that users keep their machines patched and the easiest way to do this is with a software updater.”
Our Software Updater Pro helps you stay updated and fully patched in the easiest way: the fully automatic and one-click modes do the job for you so that you can enjoy a carefree digital experience.