Systems Vulnerable to WannaCry also at Risk of UIWIX Ransomware and Adylkuzz Botnet Infections
Following the WannaCry ransomware outbreak, Microsoft Windows systems and servers that remain vulnerable to the EternalBlue SMBv1 exploit are also exposed to additional malware, including, but not limited to, the Adylkuzz cryptocurrency-mining botnet and the UIWIX ransomware variant. Any host that WannaCry could reach over SMB can be reached by these threats as well.

While analyzing the WannaCry campaign, Proofpoint researchers discovered Adylkuzz, a cryptocurrency-mining botnet that infected one of their lab systems. It spreads by exploiting the same SMB vulnerability for which Microsoft issued a Security Update (MS17-010) on March 14, 2017, followed by out-of-band patches for unsupported operating systems on May 13. Because Adylkuzz mines rather than encrypts, an infected host may show no obvious symptoms beyond degraded performance; Proofpoint also reported that it blocks SMB traffic after infection, which can mask a compromise by making the host appear to be mitigated.

On Tuesday, Trend Micro reported observing UIWIX, a new fileless ransomware threat that appears to exploit the same vulnerability as WannaCry. Unlike WannaCry, this variant does not contain a "kill switch" feature that would allow the developer or a researcher to disarm it at will, so the domain-registration response that slowed WannaCry does not apply to it.

The publicity surrounding the WannaCry incident has brought worldwide attention to the EternalBlue exploit and the underlying SMB vulnerability, and will likely increase interest among cybercriminals and nation-state actors in developing even more disruptive ransomware and other payloads that use the same entry point.

The NJCCIC recommends that users and administrators continue to patch systems vulnerable to the EternalBlue exploit, block inbound traffic to TCP port 445 at the network perimeter and between internal segments where SMB is not required, and use the Indicators of Compromise (IoCs) published in the following reports to scan their systems and networks for infections. Proofpoint's analysis of Adylkuzz, including IoCs, is available here. Trend Micro's report on the UIWIX ransomware campaign, along with IoCs, is available here. For more information on fileless threats, please read the NJCCIC's Threat Analysis report titled Fileless: Evasive Intrusion Tactics Pose Challenge for Network Defense.
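The following PowerShell script is an added example, not part of the NJCCIC alert or of the Proofpoint or Trend Micro reports, showing how an administrator can check a single Windows host for the exposure shared by WannaCry, UIWIX and Adylkuzz and apply the two mitigations recommended above. It assumes an elevated session on Windows 8/Server 2012 or later (the SMB and NetFirewall cmdlets are not available on older releases), and the KB numbers are the ones listed in Microsoft's MS17-010 bulletin; the rule name and the list of trusted subnets are placeholders to adjust for your environment.

```powershell
# Added example (not from the NJCCIC alert): audit and mitigate MS17-010 /
# EternalBlue exposure on one Windows host. Run as Administrator.
# Assumes Windows 8 / Server 2012 or later for the *-SmbServerConfiguration
# and *-NetFirewallRule cmdlets.

# --- 1. Is an MS17-010 fix installed? -------------------------------------
# KB numbers from Microsoft's MS17-010 bulletin; which one applies depends on
# the OS version. On Windows 10 a later cumulative update supersedes the KB
# listed here, so "not found" on Windows 10 is a prompt to check the bulletin,
# not proof that the host is unpatched.
$ms17010Kbs = @(
    'KB4012598',              # XP / Server 2003 / 8 / Vista / Server 2008 (May 2017 out-of-band)
    'KB4012212', 'KB4012215', # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012213', 'KB4012216', # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217', # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607 and Server 2016
)
$installed = Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    Write-Host "MS17-010 hotfix present: $($installed.HotFixID -join ', ')"
} else {
    Write-Warning "No MS17-010 hotfix ID found. Verify against the bulletin (cumulative updates supersede these KBs) before treating this host as patched."
}

# --- 2. Is the SMBv1 server still enabled? --------------------------------
# EternalBlue targets the SMBv1 implementation, so disabling SMBv1 removes the
# attack surface even on a host that cannot be patched immediately. Only do
# this where nothing legacy (old NAS devices, printers, XP-era clients) still
# depends on SMBv1.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Write-Warning "SMBv1 server protocol is ENABLED; disabling it."
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
} else {
    Write-Host "SMBv1 server protocol is already disabled."
}

# --- 3. Block inbound TCP 445 except from trusted management subnets -------
# A blanket inbound block on a file server breaks file sharing, so the rule
# below allows listed internal ranges (placeholder values) and blocks the rest.
# The perimeter firewall should still block 445 from the Internet outright.
$trustedSubnets = @('10.0.0.0/8', '192.168.0.0/16')   # assumption: your internal ranges
$allowRule = 'Allow SMB 445 from trusted subnets (EternalBlue mitigation)'
$blockRule = 'Block inbound SMB 445 (EternalBlue mitigation)'
if (-not (Get-NetFirewallRule -DisplayName $allowRule -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $allowRule -Direction Inbound -Protocol TCP `
        -LocalPort 445 -RemoteAddress $trustedSubnets -Action Allow -Profile Any | Out-Null
}
if (-not (Get-NetFirewallRule -DisplayName $blockRule -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $blockRule -Direction Inbound -Protocol TCP `
        -LocalPort 445 -Action Block -Profile Any | Out-Null
}
# Windows Firewall evaluates explicit Allow before Block for the same traffic,
# so the trusted-subnet rule takes precedence over the blanket block.

# --- 4. Who is currently talking SMB to this host? ------------------------
# Established inbound 445 sessions from addresses outside the trusted ranges
# are worth a look: worm-style spreaders such as WannaCry and Adylkuzz reach
# a host exactly this way. (IP-to-subnet matching is left to the reviewer here;
# the list is just printed for inspection.)
Get-NetTCPConnection -LocalPort 445 -State Established -ErrorAction SilentlyContinue |
    Select-Object RemoteAddress, RemotePort, OwningProcess |
    Format-Table -AutoSize
```

Run the script once per host (or push it through your configuration-management tool), then reconcile the output with the IoCs from the Proofpoint and Trend Micro reports: the KB and SMBv1 checks tell you whether the host is still exploitable, while the connection listing gives you a starting point for spotting a neighbour that is already scanning for port 445.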