In April, Chinese users had been attacked by a ransomware known as WannaRen. This ransomware has attacked tens of thousands household users and companies in China and Taiwan within a week.
The success of WannaRen may be due to the fact that its code has something to do with it WannaCry, the ransomware that caused chaos in May 2017 worldwide.
The creators of WannaRen ransomware (as well as WannaCry) have integrated EternalBlue exploit into their infection chain, allowing WannaRen to spread unrestricted across corporate networks before the ransom message is encrypted and displayed.
Like WannaCry, WannaRen spread like wildfire, far beyond what ransomware creators had sought, creating more disaster than they expected. Thus, the creators of the malicious program gave the master decryption key so that all victims be able to retrieve their files.
Hidden Shadow group
Now, we can say with certainty that WannaCry ransomware was created by North Korean government hackers, who wanted to infect some victims, to get ransom and use the funds for the Pyongyang regime. The authors of WannaCry did not want to cause this mess, as this resulted in all the attention being focused on them.
The team has been active for years distributing a variety of malware (keyloggers, trojans, cryptocurrency-mining malware) usually through pirated software download sites.
WannaRen ransomware went live on April 4 this year.
According to many sources, the original distribution point of WannaRen was one modified installer for Notepad ++ word processor.
Thousands of Chinese usersVictims have been seeking help decrypting their files on Chinese forums, social networks and online chats since the first day of WannaRen ransomware infections.
WannaRen ransomware is spreading to networks
The victims were both home users and IT users staff which manages corporate networks (in which WannaRen was particularly aggressive).
Method of infection
On computers where users installed this infected version of Notepad ++, the installer installed a backdoor trojan, developed by EternalBlue exploit to spread on the network (via SMBv1). He also used one PowerShell script to download and install WannaRen ransomware or a Monero-mining malware.
After the systems were encrypted, a message appeared depicting him Kim Jong-un of North Korea and asked them users to pay 0,05 bitcoin (~ $ 550) to decrypt their files.
The ".wannaren" extension was added to the encrypted files.
The creators of WannaRen ransomware give the decryption key
From the distribution method and the small ransom, it was clear that the Hidden Shadow team did not intend to spread the ransomware so quickly and target so many victims.
A few days after the launch of the WannaRen ransomware distribution, the Hidden Shadow team contacted a local Chinese cybersecurity company called Huorong Security (绒 绒 or Tinder Security) and gave the ransomware private encryption key, asking the company to create and share a free decryption program for victims.
On the same day, April 9, Huorong released the WannaRen ransomware decryption program. Later, a tool was released by QiAnXin Technology RedDrip.
However, while the vast majority of WannaRen victims were in China, ransomware had spread through internal networks from Chinese subsidiaries to some foreign countries. Companies.
Many of these companies may not be aware that there is a free decryption tool, or they may not trust the tools created by the two Chinese security vendors. For this reason, the Romanian company Bitdefender has also released its own decryption utility.
WannaRen infections seem to be gone, but victims may be encrypted archives from April they can now decrypt them for free.