Tuesday, January 26, 02:29
Home security WannaRen ransomware: The developers provided the decryption key

WannaRen ransomware: The developers provided the decryption key

WannaRen ransomware

In April, Chinese users had been attacked by a ransomware known as WannaRen. This ransomware has attacked tens of thousands household users and companies in China and Taiwan within a week.

The success of WannaRen may be due to the fact that its code has something to do with it WannaCry, the ransomware that caused chaos in May 2017 worldwide.

The creators of WannaRen ransomware (as well as WannaCry) have integrated EternalBlue exploit into their infection chain, allowing WannaRen to spread unrestricted across corporate networks before the ransom message is encrypted and displayed.

Like WannaCry, WannaRen spread like wildfire, far beyond what ransomware creators had sought, creating more disaster than they expected. Thus, the creators of the malicious program gave the master decryption key so that all victims be able to retrieve their files.

Hidden Shadow group

Now, we can say with certainty that WannaCry ransomware was created by North Korean government hackers, who wanted to infect some victims, to get ransom and use the funds for the Pyongyang regime. The authors of WannaCry did not want to cause this mess, as this resulted in all the attention being focused on them.

Something similar can also be said about the authors of WannaRen ransomware, a group that the Chinese company protection from viruses Qihoo 360 has named Hidden Shadow.

The team has been active for years distributing a variety of malware (keyloggers, trojans, cryptocurrency-mining malware) usually through pirated software download sites.

WannaRen ransomware went live on April 4 this year.

According to many sources, the original distribution point of WannaRen was one modified installer for Notepad ++ word processor.

Thousands of Chinese usersVictims have been seeking help decrypting their files on Chinese forums, social networks and online chats since the first day of WannaRen ransomware infections.

WannaRen ransomware is spreading to networks

The victims were both home users and IT users staff which manages corporate networks (in which WannaRen was particularly aggressive).

Method of infection

On computers where users installed this infected version of Notepad ++, the installer installed a backdoor trojan, developed by EternalBlue exploit to spread on the network (via SMBv1). He also used one PowerShell script to download and install WannaRen ransomware or a Monero-mining malware.

After the systems were encrypted, a message appeared depicting him Kim Jong-un of North Korea and asked them users to pay 0,05 bitcoin (~ $ 550) to decrypt their files.

The ".wannaren" extension was added to the encrypted files.

The creators of WannaRen ransomware give the decryption key

From the distribution method and the small ransom, it was clear that the Hidden Shadow team did not intend to spread the ransomware so quickly and target so many victims.

A few days after the launch of the WannaRen ransomware distribution, the Hidden Shadow team contacted a local Chinese cybersecurity company called Huorong Security (绒 绒 or Tinder Security) and gave the ransomware private encryption key, asking the company to create and share a free decryption program for victims.

On the same day, April 9, Huorong released the WannaRen ransomware decryption program. Later, a tool was released by QiAnXin Technology RedDrip.

However, while the vast majority of WannaRen victims were in China, ransomware had spread through internal networks from Chinese subsidiaries to some foreign countries. Companies.

Many of these companies may not be aware that there is a free decryption tool, or they may not trust the tools created by the two Chinese security vendors. For this reason, the Romanian company Bitdefender has also released its own decryption utility.

WannaRen infections seem to be gone, but victims may be encrypted archives from April they can now decrypt them for free.


Please enter your comment!
Please enter your name here

Digital Fortress
Digital Fortresshttps://www.secnews.gr
Pursue Your Dreams & Live!



COVID-19 vaccines: Ways to protect supply chains

The development of vaccines for COVID-19 in such a short period of time has created many challenges and these are not only related to ...

How do insurance companies "enhance" ransomware attacks?

Ransomware attacks have increased significantly, with experts warning that their victims should not pay ransom to hackers ....

Russia: "US may be planning retaliation for SolarWinds hack"!

The Russian government warns the country's organizations about possible cyber attacks that the US may carry out, as "retaliation" for the hack ...

iPhone: How to see which apps have access to your contacts

Some iPhone privacy issues go deeper than accessing your contacts list, which exposes your contacts to ...

COVID-19: Google makes vaccination clinics available

Google CEO Sundar Pichai said Monday that the company will make its facilities available to become clinics ...

Netflix offers "studio quality" audio upgrade on Android

Do not be surprised if Netflix sounds better the next time you run a marathon with rows on your Android phone ...

Will Bitcoin return to $ 40.000? There is concern!

Bitcoin lovers who take his return above the level of $ 40.000 for granted have been worried because the demand ...

Avaddon ransomware: Its operators threaten with DDoS attacks to get ransom!

Lately, more and more ransomware gangs tend to threaten their targets with DDoS attacks in order to secure profits ....

Volunteer firefighters will be trained through VR simulation

Volunteer firefighters in the Australian state of Victoria will soon have access to the virtual reality (VR) training that will be available in ...

Tesla: Accuses its former employee of stealing her confidential data!

On January 23, Tesla sued former employee Alex Khatilov for stealing 26.000 confidential documents, including trade secrets. The software ...