WannaMine, unlike the traditional ransomware, is a portmanteau word that refers to a malware family that combines the network spreading capabilities of WannaCry to deliver cryptomining malware rather than ransomware. Crypto-mining is a technique used by crooks to covertly use the processing power of several computer systems to do the necessary calculations for generating cryptocurrencies such as, Monero, Bitcoin or Ethereum.

Crooks with a criminal intention to cryptomine, illegally install cryptominers within the target network thereby stealing computer resources to produce enough processing power to generate their money.

The Wannamine malware can only affect Windows OS computers. Although there have been instances where phones were used to carry out a test to perform crypto-mining. The phone batteries end up bulging out due to overheating supplementing the claim that Wannamine malware cannot run on phones – it attacks only Windows computers in the network.

Nevertheless, if the Wannamine malware can penetrate a network, concerns should be raised as other malwares such as ransomwares can also penetrate the network. An attacker may create a backdoor after a successful entry into the system to ease subsequent future entries. The path of one attacker may open doors to other network infections.

Adyllkuzz was the first discovered malicious cryptocurrency miner that exploits the ETERNALBLUE vulnerability. However, Wannamine uses more sophisticated techniques and is characteristically hard to detect using an antivirus because it is ‘fileless’ while Adyllkuzz downloads an application to the victim computer. Wannamine merely takes advantage of Windows computer tools found to work.

Recommendations

  1. Patch Windows Systems in the network: Patching the computer systems in your infrastructure for the ETERNALBLUE vulnerability will prevent the Wannamine infection from penetrating your environment. Microsoft released the MS17-010 patch for this vulnerability.
  2. Use strong passwords: If the systems have been patched for the ETERNALBLUE vulnerability, the Wannamine malware will attempt to spread through Bruteforce attempts using password cracking tools. Weak password can be cracked and spread to.
  3. Deploy Intrusion Detection Systems: Deploy Intrusion Detection Systems (IDS) to detect Wannamine penetrations on the network before it spreads to other network computer systems. The Blacksentry USM delivers built-in intrusion detection systems as part of an all-in-one unified security management console. It includes built-in host intrusion detection (HIDS) as well as network intrusion detection (NIDS), enabling you to detect threats as they emerge in your infrastructure. To ensure that you are always equipped to detect the latest emerging threats, it delivers continuous threat intelligence with updates on threat signatures directly to the USM platform. The HIDS and NIDS both work to detect intrusion on the host and network respectively.

-Lois Eko (Blacksentry)