Sudden burst of ransomware WannaRen trace analysis toss a circle as if no one paid the ransom

A new ransomware called WannaRen has exploded , and its main feature is a copy of the WannaCry ransomware that broke out in 2017 . However, after analysis by security researchers, it was determined that the ransomware had nothing to do with WannaCry, and that the ransomware was largely the work of domestic attackers. And the originator behind it is also long-term active in the domestic gray-black industry, after its development team mainly spread Trojan virus and then loaded mining modules for mining.

Just this slightly unexpected this development team suddenly began to do ransomware, do not know whether the currency ring market is not very good virus developers want to change ideas to make money.

Sudden burst of ransomware WannaRen trace analysis toss a circle as if no one paid the ransom

The hacking team named Shadow:

Qihoo 360 security team analysis found that the ransomware developers are in fact the shadow hacker team, this hacker team in the domestic front is also more. 360 Secure Brain Homologous Data Analysis found that the ransomware attack was in much the same way as the code involved, as the previous team of shadow hackers focused on mining. The hacker team’s usual tactic is to use BT downloaders and activation tools to spread the virus, which has previously been spread with the Eternal Blue vulnerability. The PowerShell download module is executed after the user’s computer is infected, and then the mining module is released, but this time the back door module and ransomware are released. Tencent’s Royal Threat Intelligence Center has previously monitored several times when the team released mining modules using the processors of users’ computers to mine XMR Menro and PASC coins.

Look at the shabby but very aggressive:

When I first saw the ransomware interface, Blue Dot skilled at one point, because the interface is similar to WannaCry and the interface has a fat picture. But from the current security expertanalysis analysis, this ransomware is not a hoax, because its purpose is obvious and very aggressive and use a variety of attack methods. The main execution path is to spread the virus through a network channel, then load the virus through the PowerShell downloader, and eventually the virus releases the ransomware.

But that’s not all about this ransomware, and analysis has found that the ransomware also has a built-in Eternal Blue module that will infect the network if the system is not patched. In addition, the ransomware also has a well-known file indexing tool, Everything, which provides HTTP to turn your computer into a file server. The goal of the attacker is to install the indexing tool to turn the user’s computer into a file server, making it easier for the attacker to use the user’s computer to spread trojan viruses on a new computer.

From this path, it’s natural for an attacker to develop this ransomware, otherwise it wouldn’t be so painstaking to take advantage of multiple steps in the hope of enhancing propagation. Here also need to emphasize that the current user to see the interface is the first diagram of this article, in fact, is not a virus but the attacker left a tool dedicated to decryption. An analysis by The Fire Velvet Security Lab found that the tool was not harmful and was used to unlock encrypted files only after the user had entered the key after the user paid a ransom to obtain the key.

Sudden burst of ransomware WannaRen trace analysis toss a circle as if no one paid the ransom

The main means of communication seem to be domestic download sites:

A new traceability analysis report released by Firevelvet Security Lab shows that a well-known open source editor was found in the sisi software park, a domestic download site. And in this drug-carrying open source editor download ranked first, I believe that many users through some search engines for search download accidentally entered the drug download site. Of course, this also proves that the source of these download sites software is not the official website of the software, no one knows where they crawled the package, regardless of whether or not there is a virus. For users, we still recommend that we download the software as far as possible to the software official website download, if from some search engines, most of the garbage download site.

The basic sit-in is the work of domestic attackers:

The main point of which is that the shadow hacker team is a long-time domestic hacker team that is based on a variety of data. The code homologous analysis shows that WannaRen is very similar to the code and attack techniques used by the shadow hacker team, and it can be determined that Shadow is its developer. Second, according to the fire velvet security laboratory engineers analysis of the attackers use is actually easy language, using easy language for development can basically exclude foreign attackers. Finally, the ransomware is only spread in the country, Blue Dot has contacted a number of foreign security sites, the answer is that no user feedback infected with this virus. From this information, it is basically possible to judge that WannaRen was the work of domestic hackers, and of course it is only a judgment that can not ensure 100 percent accuracy.

Sudden burst of ransomware WannaRen trace analysis toss a circle as if no one paid the ransom

Tossing a circle as if no one would pay the ransom:

Finally, for ransomware Blue Dot network also routinely go to the block browser to query the attacker’s income, by the time this article was published, WannaRen did not seem to have received a ransom. Because the attacker’s bitcoin account currently receives only 0.00009490 bitcoins, at the current market price of only 4.87 yuan is about zero. Among them, bc1qnfhg3r 5ywnzumkncavncav4nsk 7lqe 9pnph2tcjg0 address to the attacker’s account to remit 0.00004116 bitcoins about 2.1 yuan. The total amount of bc1q8v?9etw and bc1qe?wd2 accounts remitted 0.00005374 Bitcoins to the attacker, which is well below the 0.05BTC of the ransomware. Given the low amount of money sent, it is estimated that the big man would have been too bored to play the attacker with a small transfer trick if it had not been for the attacker’s own transfer test. Of course, finally, remind everyone to pay attention to the daily security precautions, but if it is really unfortunate to be infected do not pay a ransom, lest encourage the extortion of software developers.