Giuseppe Sandro Mela.
«WannaCry, chiamato anche WanaCrypt0r 2.0, è un virus informatico responsabile di un’epidemia su larga scala avvenuta nel maggio 2017. Il virus, di tipologia ransomware, cripta i file presenti sul computer e chiede un riscatto di alcune centinaia di dollari per decriptarli.
Il 12 maggio 2017 il malware ha infettato i sistemi informatici di numerose aziende e organizzazioni in tutto il mondo, tra cui Portugal Telecom, Deutsche Bahn, FedEx, Telefónica, Tuenti, Renault, il National Health Service, il Ministero dell’interno russo, l’Università degli Studi di Milano-Bicocca.
Al 16 maggio sono stati colpiti più di duecentomila computer in almeno 99 paesi, rendendolo uno dei maggiori contagi informatici mai avvenuti.
WannaCry sfrutta una vulnerabilità di SMB, tramite un exploit chiamato EternalBlue e sviluppato dalla National Security Agency statunitense per attaccare sistemi informatici basati sul sistema operativo Microsoft Windows. EternalBlue era stato rubato da un gruppo di hacker che si fanno chiamare The Shadow Brokers e pubblicato in rete il 14 aprile 2017.
Il malware viene diffuso attraverso finte email e, dopo che viene installato su un computer, comincia a infettare altri sistemi presenti sulla stessa rete e quelli vulnerabili esposti a internet, che vengono infettati senza alcun intervento dell’utente. Quando infetta un computer, WannaCry cripta i file bloccandone l’accesso e aggiunge l’estensione .WCRY; impedisce inoltre il riavvio del sistema» [Fonte]
→ MIT Technology Review. 2017-05-17. WannaCry Has a More Lucrative Cousin That Mines Cryptocurrency for Its Masters
The same exploits that enabled WannaCry to spread globally have been in use in another malware attack since April, making far more money in the process.
The same exploits that allowed the WannaCry ransomware attack to spread so quickly have been used to set up an illicit cryptocurrency mining scheme. And it sure was worth it to the hackers.
Late last week, the world was hit by ransomware that locked up computers in hospitals, universities, and private firms, demanding Bitcoin in exchange for files being decrypted. It was able to spread so fast thanks to a Windows flaw weaponized by the U.S. National Security Agency known as EternalBlue, and a back door called DoublePulsar. Sadly, the tools were inadvertently lost and leaked because the NSA considered it wise to stockpile them for future use.
WannaCry was halted by swift work on behalf of dedicated security researchers. But during investigations into the attack, security firm Proofpoint has found that another piece of malware, called Adylkuzz, makes use of the same exploits to spread itself around the word’s insecure Windows devices.
This particular hack has gone unnoticed since April. That’s because unlike WannaCry, which demands attention to get money directly from a user, Adylkuzz simply installs a piece of software and then borrows a PC’s resources. It then sets about mining the little-known cryptocurrency called Monero using your computer. It does so in the background, with users potentially unaware of its presence—though perhaps a little frustrated because their computers are slower than usual.
It makes sense that EternalBlue and DoublePulsar are being used in this way, said Nolen Scaife, a security researcher at the University of Florida. The combination of exploits allows attackers to load just about any type of malware they want onto compromised machines. “It’s important to stress that it could be anything—it could be keyloggers, for example,” he told MIT Technology Review. “But what we’re seeing is that attackers are using this wherever this makes the most money.”
Interestingly, though, it’s the attack that has until now gone unnoticed that has secured the most loot. WannaCry’s attempt to extort cash in return for unlocking encrypted files has only drummed up $80,000 at the time of writing—probably because Bitcoin, the currency WannaCry’s perpetrators are demanding, is hard to use. Meanwhile one estimate suggests that the Adylkuzz attack could have already raised as much as $1 million.
In some sense, Adylkuzz is less problematic than WannaCry. It’s certainly less overtly destructive. But it does raise a more pressing cause for concern: if it’s been running since April, how many other leaked NSA tools have been used to carry out attacks that have so far gone unnoticed? Stay tuned—there may be more to come.
(Read more: Proofpoint, Reuters, “The WannaCry Ransomware Attack Could’ve Been a Lot Worse,” “Security Experts Agree: The NSA Was Hacked,” “Should the Government Keep Stockpiling Software Bugs?”)