Ransomware: Cryptocurrency Extortion

On May 12, 2017, an unknown entity unleashed a massive cyberattack on vulnerable Microsoft Windows systems worldwide. Known to the world as WannaCry, the ransomware worm crippled the computer systems of a number of large organizations, including Telefónica, Britain's National Health Service, FedEx, Deutsche Bahn, and LATAM Airlines. The worm encrypts the files on each machine it infects and then demands a bitcoin ransom, equivalent to between $300 and $1,200, in exchange for decrypting them.

In the wake of the attack, security researchers discovered that WannaCry used two of the NSA tools leaked by the Shadow Brokers in April 2017: EternalBlue, an exploit for a flaw in Microsoft's SMBv1 (Server Message Block) implementation, and DoublePulsar, an NSA kernel-mode backdoor that the exploit installs. However, according to the cybersecurity firm Proofpoint, WannaCry was not the first malicious use of this pair of tools. The same two tools had already been used by cybercriminals to build botnets that mine Monero, by installing a cryptocurrency-mining malware known as Adylkuzz on compromised systems. As Proofpoint put it, "It should be noted that the Adylkuzz campaign significantly predates the WannaCry attack, beginning at least on May 2 and possibly as early as April 24."

Proofpoint further elaborated:

“Upon successful exploitation via EternalBlue, machines are infected with DoublePulsar. The DoublePulsar backdoor then downloads and runs Adylkuzz from another host. Once running, Adylkuzz will first stop any potential instances of itself already running and block SMB communication to avoid further infection. It then determines the public IP address of the victim and downloads the mining instructions, cryptominer, and cleanup tools.”

A botnet is a collection of "zombie" computers infected with malware that an attacker can control remotely. That is attractive to cryptocurrency-mining operations, because mining is computationally intensive and a botnet supplies the CPU time of thousands of machines at no cost to the operator. Researchers believe Monero was chosen because its transactions hide the sender, recipient, and amount by default, making the payouts hard to trace, and because its proof-of-work algorithm at the time could be mined profitably on ordinary CPUs rather than requiring dedicated hardware. Note that Adylkuzz's blocking of SMB after infection is a detail worth remembering for incident responders: a machine that suddenly stops answering on TCP port 445 may already be compromised rather than merely patched.

According to Proofpoint, the Adylkuzz malware spreads its proceeds across multiple Monero addresses "to avoid having too many Moneros paid to a single address." One address had received over $22,000 worth of Monero before operations ceased; another held over $7,000, and a third a total of over $14,000.

Because the same exploit chain has now been used in two major campaigns, Proofpoint recommends that organizations apply the SMB patch Microsoft released in March 2017 (security bulletin MS17-010), which closes the SMBv1 flaw that EternalBlue exploits. The cybersecurity company states:

“Two major campaigns have now employed the attack tools and vulnerability; we expect others will follow and recommend that organizations and individuals patch their machines as soon as possible.”
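Both campaigns reached their victims over SMBv1 on TCP port 445, so the first thing a defender wants to know is which hosts still speak SMBv1 at all. The following Python script is an added example written for this page, not a Proofpoint or Microsoft tool: it sends a minimal SMB_COM_NEGOTIATE request that offers only the SMBv1 dialect "NT LM 0.12" and classifies the reply. A host with SMBv1 enabled answers with an SMBv1 header and accepts the dialect; a host that has SMBv1 disabled resets the connection, stays silent, or answers in SMB2. The function names, the flags values in the request, and the constructed sample reply are all assumptions made for the example; only the wire format of the negotiate exchange is taken from the SMB protocol itself.

```python
"""Probe a host for SMBv1 support with a bare SMB_COM_NEGOTIATE request.

Added example for this page; not Proofpoint's or Microsoft's code.
Function names and the sample reply below are the example's own assumptions.
"""
import socket
import struct
import sys

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
NT_LM_012 = b"NT LM 0.12"        # the only dialect we offer: SMBv1
SMB1_HEADER_FMT = "<4sB4sBHH8sHHHHH"  # 32-byte SMBv1 header, little-endian


def _nbss(smb: bytes) -> bytes:
    """Wrap an SMB message in a NetBIOS Session Service header (type 0, 3-byte length)."""
    return b"\x00" + struct.pack(">I", len(smb))[1:] + smb


def build_negotiate_request(pid: int = 0x1234, mid: int = 1) -> bytes:
    """Return an NBSS-framed SMBv1 negotiate request offering only NT LM 0.12.

    Offering no SMB2 dialect is deliberate: a server that still has SMBv1
    enabled must answer in SMBv1, while one that has it disabled cannot.
    """
    header = struct.pack(
        SMB1_HEADER_FMT,
        SMB1_MAGIC,        # protocol identifier
        SMB_COM_NEGOTIATE,  # command
        b"\x00" * 4,       # NT status
        0x18,              # flags: canonical paths, case-insensitive (assumed value)
        0x0001,            # flags2: long names allowed (assumed value)
        0,                 # PID high
        b"\x00" * 8,       # security features / signature
        0,                 # reserved
        0,                 # TID
        pid & 0xFFFF,      # PID low
        0,                 # UID
        mid,               # MID
    )
    dialects = b"\x02" + NT_LM_012 + b"\x00"          # one dialect entry
    body = struct.pack("<BH", 0, len(dialects)) + dialects  # WordCount=0, ByteCount
    return _nbss(header + body)


def parse_negotiate_response(data: bytes):
    """Classify the raw reply to the probe.

    Returns "smb1" if the server answered in SMBv1 and accepted the dialect,
    "smb1-rejected" if it answered in SMBv1 but refused it, "smb2" if it
    answered with an SMB2 header, and None for anything else (reset, garbage).
    """
    if len(data) < 4 + 32:
        return None
    nbss_type, length = data[0], int.from_bytes(data[1:4], "big")
    if nbss_type != 0x00 or 4 + length > len(data):
        return None
    smb = data[4:4 + length]
    if smb.startswith(SMB2_MAGIC):
        return "smb2"
    if not smb.startswith(SMB1_MAGIC) or smb[4] != SMB_COM_NEGOTIATE or len(smb) < 35:
        return None
    word_count = smb[32]                              # parameter words in the reply
    dialect_index = struct.unpack_from("<H", smb, 33)[0]  # index into our dialect list
    if word_count == 0 or dialect_index == 0xFFFF:
        return "smb1-rejected"
    return "smb1"


def probe_smb1(host: str, port: int = 445, timeout: float = 3.0):
    """Connect, send the probe, and classify the reply; None on reset or timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_negotiate_request())
            data = s.recv(4096)
    except OSError:
        return None
    return parse_negotiate_response(data)


def constructed_smb1_reply() -> bytes:
    """Constructed (not captured) reply from a server that accepts dialect 0."""
    header = struct.pack(SMB1_HEADER_FMT, SMB1_MAGIC, SMB_COM_NEGOTIATE, b"\x00" * 4,
                         0x98, 0xC001, 0, b"\x00" * 8, 0, 0, 0x1234, 0, 1)
    body = bytes([17]) + struct.pack("<H", 0) + b"\x00" * 34  # WordCount=17, DialectIndex=0
    return _nbss(header + body)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(sys.argv[1], probe_smb1(sys.argv[1]))        # live probe of one host
    else:
        print("offline sample:", parse_negotiate_response(constructed_smb1_reply()))
```

Run it as `python probe.py 10.0.0.5`; a result of `smb1` means the host still negotiates SMBv1 and must be patched with MS17-010 (or have SMBv1 disabled) before it is reachable from anything untrusted. A `None` result is ambiguous on its own: port 445 may be filtered, the host may have SMBv1 off, or, as the Adylkuzz behaviour above shows, the malware may already be blocking SMB on that machine.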