Adylkuzz: How WannaCry Ransomware Attack Alerted The World To Even Worse Threats

Your garden variety ransomware, like Cerber, is the canary in the coal mine that rudely, but thankfully announces bigger security issues: insider threats and cyberattacks that take advantage of too...
Rachel Hunt
2 min read
Last updated January 17, 2023

Your garden variety ransomware, like Cerber, is the canary in the coal mine that rudely, but thankfully announces bigger security issues: insider threats and cyberattacks that take advantage of too much employee access to files. As disruptive as WannaCry has been to vulnerable organizations, this is their canary in the coal mine moment that should alert them to more deadly attacks that don’t announce their presence, like the cryptocurrency miner Adylkuzz.

Researchers at Proofpoint have identified an attack that is larger and sneakier than WannaCry, and one that may have slowed WannaCry’s spread. Adylkuzz is a malware that uses the same exploits designed by the NSA and utilized in the WannaCry attack, but instead of announcing itself, it quietly installs a hidden program to mine for cryptocurrency that the attackers can then use. Even more interesting, Adylkuzz then blocks the SMB port to avoid further infection, such as a WannaCry infection.

Get the Free Pen Testing Active Directory Environments EBook

“This really opened my eyes to AD security in a way defensive work never did.”

Upon successful exploitation via EternalBlue, machines are infected with DoublePulsar. The DoublePulsar backdoor then downloads and runs Adylkuzz from another host. Once running, Adylkuzz will first stop any potential instances of itself already running and block SMB communication to avoid further infection. It then determines the public IP address of the victim and download the mining instructions, cryptominer, and cleanup tools.

Adylkuzz has over 20 hosts designed to scan and launch attacks, and more than a dozen command and control (C&C) servers at any given time. Within 20 minutes of connecting a test computer with the known vulnerability to the Internet, it was infected with Adylkuzz.

In this instance, instead of your files being held hostage, your processing power is drained and you’re out a few thousand Moneros.  But none of this compares to the hacker who decides to play the long game with DoublePulsar and EternalBlue and stealthily survey and exfiltrate all the health records, student records, intellectual property and incriminating emails they can get their hands on.

WannaCry changed the world and proved that the bad guys will find their way past any perimeter security.  Defense-in-depth should be on your mind. The value of information and the systems that store it is clear – very few organizations can function when their data is inaccessible – no one can function when their data is stolen and their organizational reputation destroyed. If you don’t address the vulnerabilities surrounding your data and your systems you will lose. Obviously you need to patch, but you can’t stop there – you need to continually question your layers of defense: What if a user’s account or system gets compromised? What data can that account access? How would I see abuse? What would it mean if this data was lost or stolen?

No one can prepare for every possible scenario, but organizations need to raise their game. If an organization is patched, restricts employee access to data and systems, and monitors and alerts on unusual activity, they should be in reasonably good shape to withstand this and other attacks.

Varonis stops ransomware by, 1) reducing what normal employee accounts can access (pruning privileges they don’t need), 2) watching how users use data to spot attacks like ransomware in progress, and 3) automatically locking out offending accounts.

Learn how we’re helping out customers spot and stop ransomware and other insider threats: https://www.varonis.com/ransomware-solutions.

Image: Canadian Institute of Mining, CC-BY

What should I do now?

Below are three ways you can continue your journey to reduce data risk at your company:

1

Schedule a demo with us to see Varonis in action. We'll personalize the session to your org's data security needs and answer any questions.

2

See a sample of our Data Risk Assessment and learn the risks that could be lingering in your environment. Varonis' DRA is completely free and offers a clear path to automated remediation.

3

Follow us on LinkedIn, YouTube, and X (Twitter) for bite-sized insights on all things data security, including DSPM, threat detection, AI security, and more.

Try Varonis free.

Get a detailed data risk report based on your company’s data.
Deploys in minutes.

Keep reading

Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

the-world-in-data-breaches
The World in Data Breaches
The number of lost or stolen data records varies around the world. Using data from the Breach Level Index, we visualized where these records are concentrated based on the locations of the organizations that reported them. Take a look!
when-a-cyber-attack-is-a-political-weapon
When a Cyber Attack Is a Political Weapon
We’re not surprised when hackers attack companies to scoop up credit card numbers or to cause IT disruption. If they’re state sponsored, they may target organizations to pull out intellectual...
the-eu-ai-act:-what-it-is-and-why-it’s-important
The EU AI Act: What it is and Why it’s Important
An overview of the world’s first comprehensive AI regulation, its compliance requirements, and how to prevent penalties of up to €35 million ($38 million).
capital-one's-cloud-breach-&-why-data-centric-security-matters
Capital One's Cloud Breach & Why Data-Centric Security Matters
Capital One’s breach of more than 100 million customer records is making headlines around the world. The sheer number of stolen records, including social security numbers, credit card applications, and...