No Ransom Demand? Your Network May Still be a Victim of the EternalBlue Vulnerability

Security researchers around the world have seen cases where organizations that show no obvious impact from the WannaCry ransomware (or from ransomware variants derived from WannaCry) have still experienced network problems.

Of course, not all network issues are connected to external attacks, but it turns out that even if you have avoided infection by WannaCry, your network could still be seriously compromised by two other pieces of malware that use the same underlying Microsoft Windows vulnerabilities, “EternalBlue” and “DoublePulsar.”

Another piece of malware that exploits the same vulnerabilities, “Adylkuzz,” began circulating before WannaCry, perhaps as early as late April. Adylkuzz has an entirely different objective from WannaCry and is not ransomware.

What is Adylkuzz?

Adylkuzz is designed to steal computer processing power to carry out cryptocurrency mining for the “Monero” virtual currency. Monero is similar to the better-known bitcoin, but its developers claim that it is significantly more anonymous than bitcoin. Some sites on the dark web catering to cyber criminals have used it to reduce the chance of transactions being tied to the people who engaged in them. As with the methodology that drives bitcoin transactions, a complex mathematical problem is used to validate the shared ledger, and the person who successfully solves the problem is rewarded with virtual currency. It is alleged that the botnet created by Adylkuzz has reaped thousands of dollars of these rewards for whoever launched the Adylkuzz malware.

Certainly, Adylkuzz is not going to encrypt your files or ask you for ransom. But it is by no means innocuous, as shown by researchers who connected a vulnerable computer to the global internet: infection with the Adylkuzz malware occurred within minutes. When infected machines in your network are operating as part of a huge botnet designed to earn its operators the rewards for successfully mining Monero, you may see degraded performance on servers and user machines, and may also discover that the affected machines can’t access shared Windows resources. Because it doesn’t interact with your users, this malware is somewhat stealthy, but you don’t want it in your network consuming system resources and degrading performance.

How to Tell If You Have Been Attacked by Malware

To determine if an enterprise has been attacked by WannaCry, Adylkuzz, or any malware exploiting the EternalBlue and DoublePulsar vulnerabilities, IT security departments can obtain the specific IP addresses that represent the IOCs (Indicators of Compromise) from a number of trusted sources. We recommend that you pass this message along to your IT security team to ensure they are aware of the potential problem and can take steps to determine if you have been compromised by these malware variants.
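The check described above, as an added example that is not part of the original article: once the IT security team has obtained an IOC list of IP addresses (and CIDR ranges) from a trusted source, the list can be matched against firewall or proxy logs to find internal hosts that talked to a known-bad address. The IOC entries and log lines below are constructed placeholders from documentation ranges (RFC 5737), not real indicators; the simple key=value log format is an assumption about how your firewall export can be normalised.

```python
import ipaddress
import re

# Constructed IOC list: placeholder addresses from documentation ranges
# (RFC 5737), NOT real indicators. Replace with the IP list obtained from a
# trusted IOC source. Entries may be single hosts or CIDR ranges.
IOC_ENTRIES = [
    "192.0.2.10",
    "198.51.100.0/24",
]

# Constructed firewall log lines (assumption: the export has been normalised
# to a timestamp followed by key=value fields with src=, dst= and dpt=).
SAMPLE_LOGS = """\
2017-05-15T10:01:02Z action=allow src=10.0.0.5 dst=192.0.2.10 dpt=445 proto=tcp
2017-05-15T10:01:07Z action=allow src=10.0.0.7 dst=203.0.113.5 dpt=443 proto=tcp
2017-05-15T10:02:11Z action=deny src=198.51.100.77 dst=10.0.0.5 dpt=445 proto=tcp
2017-05-15T10:02:30Z action=allow src=10.0.0.9 dst=10.0.0.12 dpt=445 proto=tcp
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def load_iocs(entries):
    """Parse IOC strings into ip_network objects so hosts and ranges match alike."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_ioc(addr, nets):
    """True if the address falls inside any IOC host or range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def parse_line(line):
    """Split one normalised log line into a dict of fields plus its timestamp."""
    ts, _, rest = line.partition(" ")
    fields = dict(FIELD_RE.findall(rest))
    fields["ts"] = ts
    return fields


def find_ioc_hits(log_text, ioc_entries):
    """Return one record per log line whose src or dst matches an IOC.

    Each record keeps the timestamp, both addresses, the destination port
    (useful for spotting SMB/445 sessions, which is what EternalBlue targets)
    and which field(s) matched, so an analyst can pivot to the internal host.
    """
    nets = load_iocs(ioc_entries)
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        matched = [f for f in ("src", "dst") if f in rec and is_ioc(rec[f], nets)]
        if matched:
            hits.append({
                "ts": rec["ts"],
                "src": rec.get("src"),
                "dst": rec.get("dst"),
                "dpt": rec.get("dpt"),
                "matched_on": matched,
            })
    return hits


if __name__ == "__main__":
    for hit in find_ioc_hits(SAMPLE_LOGS, IOC_ENTRIES):
        print(hit)
```

Deny entries are reported as well as allows: a blocked inbound connection from an IOC address on port 445 is still worth knowing about, since it shows the address is actively probing your perimeter, while an allowed outbound connection from an internal host to an IOC address is the stronger sign that the host itself needs to be examined.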
