When the Shadow Brokers first published the code for EternalBlue, an NSA exploit for a flaw in SMBv1, Windows' file-sharing protocol, researchers knew it was a bad bug. But most had no idea of the scale of the damage that would be caused by the vulnerability.
Much of that damage has only become visible in recent days, as a ransomware program dubbed "WannaCry" locked up computers from the UK's National Health Service to the Russian Ministry of the Interior. Some of the damage caused by EternalBlue was harder to spot, caused by more discreet malware designed to infect and monetize computers without drawing attention. As researchers look for clues as to WannaCry's origins, more of those programs are coming to light, giving us a better sense of the sheer scale of the damage caused by EternalBlue.
A $43,000 cryptocurrency scheme
One of those programs, called Adylkuzz, exploits the vulnerability to mine Monero, a privacy-focused cryptocurrency that is harder to trace than Bitcoin. According to research released this week by Proofpoint, Adylkuzz became active sometime between April 24th and May 2nd, weeks before WannaCry burst onto the scene. Researchers estimate it reached hundreds of thousands of devices, spreading through the same Windows vulnerability exploited by WannaCry.
Adylkuzz didn't cause the same stir because it wasn't shutting down computers or sending ransom notes; all the program did was run Monero's mining computation in the background. That steals CPU time and electricity, but it isn't catastrophic enough to raise alarms, which allowed the program to remain undetected until the WannaCry fiasco drew more attention. In fact, because Adylkuzz shut down SMB networking on each machine it infected (it does not fix the flaw, it simply blocks the port other worms arrive through), researchers suspect the program actually limited the spread of the more damaging ransomware.
Despite the low profile, Adylkuzz was nearly as profitable as WannaCry. Proofpoint identified at least $43,000 paid out as part of the scheme, and it’s likely other wallets would raise the figure even further. So far, roughly $80,000 has been paid out to known WannaCry wallets, a surprisingly low figure given the chaos caused by the attacks. At least one other EternalBlue-powered cryptocurrency miner has been spotted in the wild, and there may be others that are yet undiscovered.
“WannaCry burned the match for EternalBlue.”
There has also been an explosion of WannaCry variants, possibly the work of copycats. Over the weekend a researcher found and registered a kill-switch domain, which halted the initial attack, but in the days since, a handful of alternate versions of the ransomware have popped up either pointing to new domains or with no kill-switch check at all. Researchers are split on the origin of the variants, with some pointing to corrupted code in certain samples as evidence that third parties are patching the original binary rather than its authors rebuilding it.
Earlier today, researchers at Trend Micro announced the discovery of an entirely new variant called UIWIX. Like WannaCry, it's a ransomware program built on EternalBlue, but UIWIX is able to infect machines without writing files to permanent storage, making it far harder to detect through conventional disk-based forensics. It also adds new methods to throw off researchers observing it in a virtual environment, leading Trend Micro to suspect a separate group is responsible for the new attack.
That combination of new and old variants makes it harder to definitively say who was responsible for the initial WannaCry infections, as it grows increasingly likely that multiple actors are in play. The question has become particularly urgent after Symantec and Kaspersky announced evidence tying the initial attack to a previously researched North Korean cybercrime group.
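Because the newer variants point at different domains or drop the kill-switch check entirely, a defender cannot rely on a single domain lookup to spot an infection. The script below is an added example (not code from the article or from any of the vendors it cites) showing two complementary detections run over constructed DNS and firewall log lines: a lookup of the original WannaCry kill-switch domain, which means the dropper executed on that client, and a host fanning out to many distinct peers on TCP 445, which is the worm's spreading behaviour whichever variant it is. The log formats and the fan-out threshold are assumptions for the example.

```python
"""Triage constructed DNS and firewall logs for WannaCry-style activity.

Added example, not part of the original article. Log line formats are assumed:
  "<timestamp> dns <client_ip> query <name>"
  "<timestamp> fw <src_ip> -> <dst_ip>:<dst_port> <verdict>"
"""
import re
from collections import defaultdict

# The kill-switch domain carried by the first widely analysed WannaCry sample.
# Later variants use other domains or none, so this set is only one signal.
KNOWN_KILL_SWITCH_DOMAINS = {
    "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
}

DNS_RE = re.compile(r"^(?P<ts>\S+) dns (?P<client>\S+) query (?P<name>\S+)$")
FW_RE = re.compile(
    r"^(?P<ts>\S+) fw (?P<src>\S+) -> (?P<dst>[^:\s]+):(?P<port>\d+) (?P<verdict>\w+)$"
)


def build_sample_logs():
    """Constructed sample data: one infected host and one ordinary file-server client."""
    lines = [
        "2017-05-12T10:01:02Z dns 10.0.4.21 query update.example.com",
        "2017-05-12T10:01:03Z dns 10.0.4.21 query "
        "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    ]
    # The infected host sprays SMB at 40 distinct neighbours within a minute.
    for i in range(1, 41):
        lines.append(f"2017-05-12T10:01:{i % 60:02d}Z fw 10.0.4.21 -> 10.0.9.{i}:445 allow")
    # A normal client talking to its usual file server should not alert.
    lines.append("2017-05-12T10:02:00Z fw 10.0.4.30 -> 10.0.4.5:445 allow")
    lines.append("2017-05-12T10:02:01Z fw 10.0.4.30 -> 10.0.4.5:445 allow")
    return lines


def analyze(lines, fanout_threshold=20):
    """Return a list of (alert_type, host, detail) tuples.

    kill_switch_lookup: the client resolved a known kill-switch domain, so the
                        dropper ran there even if the payload then exited.
    smb_fanout:         the source opened TCP 445 to >= fanout_threshold distinct
                        destinations; allowed and denied attempts both count,
                        because the attempt itself is the spreading behaviour.
    """
    alerts = []
    dsts_by_src = defaultdict(set)
    for line in lines:
        m = DNS_RE.match(line)
        if m:
            name = m.group("name").lower().rstrip(".")
            if name in KNOWN_KILL_SWITCH_DOMAINS:
                alerts.append(("kill_switch_lookup", m.group("client"), name))
            continue
        m = FW_RE.match(line)
        if m and m.group("port") == "445":
            dsts_by_src[m.group("src")].add(m.group("dst"))
    for src, dsts in sorted(dsts_by_src.items()):
        if len(dsts) >= fanout_threshold:
            alerts.append(("smb_fanout", src, len(dsts)))
    return alerts


if __name__ == "__main__":
    for alert in analyze(build_sample_logs()):
        print(alert)
```

Two operational caveats: a host that resolves the kill-switch domain and reaches the sinkhole is one where the malware ran and then stopped, so it still needs to be examined, and a host that cannot resolve the domain at all (for example one whose only path out is an authenticating proxy the malware ignores) would skip the exit path and spread, which is exactly the case the 445 fan-out rule is there to catch. Tune the threshold to what a legitimate client in the environment actually does; backup agents and administrative scanners will need an allow-list.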
The good news: every one of these programs relies on the same SMBv1 flaw, so applying Microsoft's MS17-010 update protects against all of the different variants, particularly now that Microsoft has released its emergency patch for Windows XP. As a result, some researchers see WannaCry's sudden fame as a powerful weapon against the lesser-known bugs. "I think that WannaCry caused a few cybercriminals to accelerate their timelines," said Trend Micro cloud research VP Mark Nunnikhoven. "WannaCry burned the match for EternalBlue. For defenders this is a really good thing as WannaCry — which did cause some real-world damage and has frustrated organizations worldwide — wasn't nearly as malicious as other malware and ransomware that we've seen previously."