In April 2017 the Shadow Brokers hacker group leaked EternalBlue, an exploit against the Windows operating system. Just a month after its public release the exploit was built into a devastating piece of ransomware, dubbed WannaCry. WannaCry is a blackmailing tool that encrypts the victim's hard drive and demands a ransom in Bitcoin within a week; if the ransom is not paid, it deletes all data on the infected computer.
These days EternalBlue has a new purpose: mining. The worm that carries it is called WannaMine, and while it may not seem as devastating as WannaCry at first glance, CrowdStrike claims companies and institutions are being taken offline for weeks at a time because the mining locks up their computers with off-the-charts CPU usage.
The number of infected machines keeps growing because the infection is exceptionally difficult to detect. The worm does not rely on downloading additional software, and a computer is easily infected by opening an email or a web page. WannaMine then uses PowerShell and Windows Management Instrumentation (WMI), both built into Windows, to do its dirty work.
WannaMine does not use EternalBlue immediately. It first runs Mimikatz, a tool that pulls usernames and passwords out of computer memory, and only if that fails does EternalBlue activate. If the computer sits on a larger network and the credential harvesting succeeds, the infection spreads across the whole network.
The cryptocurrency being mined is Monero, because it does not need expensive hardware and can be mined invisibly on an ordinary personal computer. Often the only visible sign is the computer slowing down.
Adylkuzz was the first worm to use EternalBlue, but WannaMine is far more sophisticated in that it does not download additional tools. By relying on tools already present on every Windows machine, WannaMine easily remains undetected for long periods of time.
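The two signals the article names, fileless persistence through WMI and PowerShell and unexplained CPU load, can be checked on a host with built-in cmdlets. The following triage script is an added example and is not taken from the article or from any WannaMine sample; the keyword list, the 80% threshold and the two-second sampling interval are assumptions to tune per environment, and it must run in an elevated session to read the root\subscription namespace.

```powershell
# Added triage example (not from the article). Run as Administrator.

function Get-WmiPersistenceEntries {
    # Permanent WMI subscriptions survive reboots and need no file on disk,
    # which is why "no download" malware is hard to spot. Each subscription is
    # a filter (a WQL trigger) bound to a consumer (the action that runs).
    $ns = 'root\subscription'
    $entries = @()
    Get-CimInstance -Namespace $ns -ClassName __EventFilter | ForEach-Object {
        $entries += [pscustomobject]@{ Type = 'Filter'; Name = $_.Name
                                       Detail = $_.Query; Suspicious = $false }
    }
    Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer | ForEach-Object {
        $cmd = ("$($_.ExecutablePath) $($_.CommandLineTemplate)").Trim()
        $entries += [pscustomobject]@{ Type = 'Consumer'; Name = $_.Name; Detail = $cmd
            # Assumed keyword list: consumers that launch a script host or an
            # encoded PowerShell command line are the pattern to review first.
            Suspicious = [bool]($cmd -match 'powershell|wscript|cscript|mshta|-enc') }
    }
    Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding | ForEach-Object {
        $entries += [pscustomobject]@{ Type = 'Binding'; Name = ''
                                       Detail = "$($_.Filter) -> $($_.Consumer)"; Suspicious = $false }
    }
    return $entries
}

function Get-HighCpuProcesses {
    param([double]$ThresholdPercent = 80)   # assumption: tune per host
    # One two-second sample of per-process CPU. The raw counter sums all cores,
    # so it is normalised by the core count to give a 0-100% figure.
    $cores = [int]$env:NUMBER_OF_PROCESSORS
    (Get-Counter '\Process(*)\% Processor Time' -SampleInterval 2 -MaxSamples 1).CounterSamples |
        Where-Object { $_.InstanceName -notin @('_total', 'idle') } |
        ForEach-Object {
            [pscustomobject]@{ Process    = $_.InstanceName
                               CpuPercent = [math]::Round($_.CookedValue / $cores, 1) }
        } |
        Where-Object { $_.CpuPercent -ge $ThresholdPercent } |
        Sort-Object CpuPercent -Descending
}

# Report: suspicious consumers first, then whatever is pinning the CPU right now.
Get-WmiPersistenceEntries | Sort-Object Suspicious -Descending | Format-Table -AutoSize
Get-HighCpuProcesses | Format-Table -AutoSize
```

A flagged consumer is a lead, not a verdict: check the bound filter's query and the command line against known administrative tooling before removing anything.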
More infections are expected before an effective countermeasure is available.