Last week’s WannaCry ransomware attack hit thousands of computers worldwide. Its largest impact was on the NHS, where more than 40 healthcare institutions were affected by the file-encrypting malware.
WannaCry has been linked to North Korean hackers but its spread is said to have emerged from a vulnerability published by a hacking group called The Shadow Brokers. Since the start of the year, the mysterious group has been publishing hacking tools that are alleged to have been stolen from the US National Security Agency.
Security firms are now claiming hackers are using this same ‘ETERNALBLUE’ vulnerability to infect machines with a different piece of malware. Researchers at both Proofpoint and Bitdefender have warned malware called Adylkuzz is infecting machines.
The spread of Adylkuzz is on a “very large-scale,” Proofpoint says. “Initial statistics suggest this attack may be larger in scale than WannaCry, affecting hundreds of thousands of PCs and servers worldwide,” the firm continued.
Adylkuzz is described as a piece of malware that infects computers through the same means as WannaCry but, instead of locking files, hides in the background and generates digital currency. It does not interfere with a user’s files but remains behind the scenes. Proofpoint says “symptoms” of the attack include loss of access to shared Windows resources, as well as computers and servers running slowly.
In a similar way to Bitcoin mining, Adylkuzz generates the digital currency Monero using the computing power of the infected machine. “While the amount of money generated from each individual machine infected is small, done on a large enough scale, it would still generate a significant amount of untraceable money for the perpetrators,” Bitdefender says in a statement.
“While the WannaCry spread revealed how many machines were still vulnerable to the malware, it appears the Adylkuzz infection may have been spreading, unnoticed, for several weeks,” Proofpoint adds.
“It should be noted the Adylkuzz campaign significantly predates the WannaCry attack, beginning at least on May 2 and possibly as early as April 24. This attack is ongoing and, while less flashy than WannaCry, is nonetheless quite large and potentially quite disruptive”.