What you need to know about “Adylkuzz”, the stealthy ransomware attack that could be bigger than “WannaCry”
Thursday, May 18, 2017
A new strain of cyber attack that could potentially reach further than last week’s devastating “WannaCry” ransomware has been uncovered, with hundreds of thousands of computers affected worldwide without users even realising.
The attack, which was uncovered by cybersecurity firm Proofpoint, has been dubbed “Adylkuzz”, and is continuing to infect computers around the world. Adylkuzz takes advantage of the same SMB exploit used in the WannaCry ransomware attack, but unlike WannaCry it does not lock down users’ files or announce its presence in any way.
Instead, Proofpoint reports the attack works in the background of infected computers and uses their computing power to “mine” a digital currency called Monero.
Digital currencies like Bitcoin or Monero can be “mined” by making computers solve increasingly difficult mathematical puzzles whose solution is what’s known as a “hash”. These hashes form part of the “blocks” in the blockchain, and miners are rewarded with the currency each time their computer finds one of these hashes.
The Adylkuzz attack uses infected computers as a large-scale mining network, draining their computing power to run a small mining program, which attempts to work out these equations to be rewarded with the currency. Proofpoint claims the hackers have reaped well upwards of $US44,000 in Monero over the course of the attack, which is still ongoing.
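The “puzzle” described above is a proof-of-work search: the miner repeatedly hashes a block header with a changing counter (the nonce) until the hash falls below a target, and every extra bit of difficulty roughly doubles the number of attempts. The following toy is an added illustration of that mechanism, not code from the article or from any real miner; the block header, the SHA-256 hash function and the difficulty levels are constructed for the demonstration (Monero uses a different, memory-hard hash, so only the shape of the search carries over). It shows why mining is a pure CPU-and-electricity cost, which is exactly what an infected machine ends up paying.

```python
import hashlib
import time


def hash_block(block_header: str, nonce: int) -> str:
    """SHA-256 over header + nonce, as hex. Constructed stand-in for a real mining hash."""
    return hashlib.sha256(f"{block_header}{nonce}".encode()).hexdigest()


def meets_target(digest_hex: str, difficulty_bits: int) -> bool:
    """A hash 'solves' the puzzle when, read as a 256-bit integer, it is below the
    target 2**(256 - difficulty_bits), i.e. it starts with difficulty_bits zero bits."""
    target = 1 << (256 - difficulty_bits)
    return int(digest_hex, 16) < target


def mine(block_header: str, difficulty_bits: int, max_nonce: int = 1 << 32):
    """Brute-force nonces until the hash meets the target.
    Returns (nonce, digest, attempts) or None if max_nonce is exhausted."""
    for nonce in range(max_nonce):
        digest = hash_block(block_header, nonce)
        if meets_target(digest, difficulty_bits):
            return nonce, digest, nonce + 1
    return None


def verify(block_header: str, nonce: int, difficulty_bits: int) -> bool:
    """Checking a claimed solution costs one hash, however long the search took."""
    return meets_target(hash_block(block_header, nonce), difficulty_bits)


if __name__ == "__main__":
    # Constructed header; a real one carries the previous block hash and transaction root.
    header = "constructed-demo-block:prev=0000abcd:txroot=1234"
    for bits in (8, 12, 16):
        t0 = time.perf_counter()
        nonce, digest, attempts = mine(header, bits)
        elapsed = time.perf_counter() - t0
        print(f"difficulty={bits:2d} bits  nonce={nonce:8d}  attempts={attempts:8d}  "
              f"{elapsed:.3f}s  hash={digest[:16]}...  valid={verify(header, nonce, bits)}")
```

Running it shows attempts climbing by roughly a factor of 16 for every 4 extra bits while verification stays constant; that asymmetry is what makes a large network of hijacked machines valuable to whoever controls it.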
It is likely Adylkuzz predates the WannaCry attack, with Proofpoint suspecting computers were infected by the malware as early as May 2. The attack has existed undetected so far due to the stealthy nature of the malware, with the only symptoms being slow or sluggish performance and the disabling of some sharing functionalities on Windows.
“Unlike ransomware, no demands for money are made of victims. The malware is deliberately stealthy; users will only notice their Windows machine is running slowly and that they don’t have access to shared Windows resources,” Ryan Kalember, senior vice president at Proofpoint, said in a statement.
“Currently tens of thousands of computers worldwide are affected as part of this worldwide attack, and it’s rapidly growing.”
“There might not be anything malicious about it”
Just like the WannaCry attack, computers that are vulnerable to Adylkuzz are those running older versions of Windows, or those whose users have not updated their systems since March. If businesses are worried about their systems being infected, Michael McKinnon, cybersecurity expert at Sense of Security, advises sweeping the system with malware-detecting antivirus software.
However, McKinnon says as the attack isn’t doing anything outright malicious or illegal, it may be hard for some software to detect it.
“This is a grey area for antivirus software, as the Adylkuzz software might be an application you’d run when you’re legitimately trying to mine a currency. There might not be anything malicious about it,” he says.
“It’s not damaging or locking down your files, it’s very mild in comparison to the WannaCry attack we saw earlier this week.”
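Because a miner looks like legitimate software to a signature-based scanner, the two symptoms the article does name are the practical detection handle: a process that stays pinned at high CPU for a long stretch, and Windows shares that stop being reachable. The script below is an added example of turning those two observations into a simple heuristic; it is not from the article, Proofpoint or Sense of Security. The CPU samples, host names, process names (including “updsvc.exe”) and share-reachability results are all constructed inline, and the allowlist of processes expected to run hot is an assumption an administrator would tailor to their own fleet.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class CpuSample:
    ts: int            # seconds since collection start (constructed telemetry)
    host: str
    pid: int
    process: str
    cpu_pct: float     # share of total CPU used by this process over the interval


# Constructed allowlist: processes that are expected to run hot on these hosts.
EXPECTED_HEAVY = {"sqlservr.exe", "w3wp.exe"}


def sustained_cpu_hogs(samples: Iterable[CpuSample], threshold: float = 80.0,
                       min_seconds: int = 600) -> List[Tuple[str, int, str, int]]:
    """Return (host, pid, process, seconds) for processes outside the allowlist that
    stay at or above `threshold` for at least `min_seconds` without dipping below it.
    A short spike (a compile, a backup) resets the run and is not reported."""
    grouped = defaultdict(list)
    for s in samples:
        grouped[(s.host, s.pid, s.process)].append(s)

    findings = []
    for (host, pid, proc), rows in grouped.items():
        if proc.lower() in EXPECTED_HEAVY:
            continue
        rows.sort(key=lambda r: r.ts)
        run_start = None
        longest = 0
        for r in rows:
            if r.cpu_pct >= threshold:
                run_start = r.ts if run_start is None else run_start
                longest = max(longest, r.ts - run_start)
            else:
                run_start = None          # the run is broken; start counting again
        if longest >= min_seconds:
            findings.append((host, pid, proc, longest))
    return findings


def correlate_with_shares(findings, share_status: Dict[str, bool]) -> List[dict]:
    """Raise severity when the flagged host has also lost access to its Windows shares,
    the second symptom described for this malware. `share_status` maps host -> True if
    the host's shares were still reachable in the latest probe."""
    out = []
    for host, pid, proc, secs in findings:
        shares_ok = share_status.get(host)        # None if the host was never probed
        severity = "high" if shares_ok is False else "medium"
        out.append({"host": host, "pid": pid, "process": proc, "sustained_s": secs,
                    "shares_reachable": shares_ok, "severity": severity})
    return out


def build_constructed_samples() -> List[CpuSample]:
    """Sixteen one-minute samples per host, constructed for the demonstration."""
    samples = []
    for i in range(16):
        # ws-17: unfamiliar process pegged near 100% for the whole quarter hour
        samples.append(CpuSample(60 * i, "ws-17", 4120, "updsvc.exe", 97.0))
        # db-02: SQL Server legitimately busy and allowlisted
        samples.append(CpuSample(60 * i, "db-02", 1808, "sqlservr.exe", 92.0))
        # ws-03: a compile job that spikes for a few minutes, then idles
        samples.append(CpuSample(60 * i, "ws-03", 2231, "cl.exe", 95.0 if i < 4 else 3.0))
    return samples


# Constructed result of probing each host's admin shares.
CONSTRUCTED_SHARE_STATUS = {"ws-17": False, "db-02": True, "ws-03": True}


if __name__ == "__main__":
    hogs = sustained_cpu_hogs(build_constructed_samples())
    for finding in correlate_with_shares(hogs, CONSTRUCTED_SHARE_STATUS):
        print(finding)
```

On the constructed data only ws-17 is reported, and it lands at high severity because its shares are also unreachable; the SQL host is excluded by the allowlist and the compile spike is too short to count. Real telemetry would come from an endpoint agent or performance counters, and the threshold and duration are tuning knobs, not fixed values.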
Despite the invasive software not outright damaging users’ systems, McKinnon warns of potential “secondary dangers” with the Adylkuzz software, noting it could have its own vulnerabilities and could leave systems open for future compromises.
“At a base level it’s exploiting and cashing in on your electricity bill and server processing time,” he says.
Businesses with up-to-date systems would not have been exposed to this attack, says McKinnon, and he advises businesses to keep systems auto-updated as well as installing robust firewalls for their computers. As this attack uses the same exploit as the WannaCry ransomware, advice for protecting against that attack still applies.
Along with running antivirus scanning tools, McKinnon recommends SMEs regularly carry out comprehensive backups of important files.
“Ensuring you’ve got full backups of your system is the ultimate defence for any business,” he says.
“Even if you’ve got concern over a machine you’re using, you can tear it down, restore from backups and start again running with clean systems.”