Hidden Shadow cybercriminal gang backs off and releases keys for WannaRen ransomware
Bitdefender security researchers announced on August 19th that they are releasing a working decryption tool for WannaRen ransomware, which has been actively spreading across China and Taiwan, infecting corporations, businesses, and regular consumers. The reason for their success: the malware developers released the keys for free after the cryptovirus spread further than they had planned.
First spotted in April 2020 by 360 Total Security researchers, WannaRen ransomware was confirmed to be the work of the Hidden Shadow cybercriminal organization, which was previously known to operate a crypto-mining botnet for profit. With ransomware, the threat actors attempted to infect a moderate number of victims for monetization purposes (they asked for 0.5 Bitcoin for data decryption).
However, the plan did not go as expected, as the WannaRen ransomware spread went out of control, infecting thousands of users and corporate networks in China and Taiwan. With massive attention from security firms and law enforcement, the cybercriminals decided to give up the keys and let everybody infected recover their data for free.
WannaCry, WannaRen, and unexpected havoc caused
The name of the ransomware, WannaRen, is not the only similarity that unites it with WannaCry, which was created by North Korean government-backed cybercriminals. The latter is well known for a worldwide outbreak back in 2017, when more than 200,000 computers and workstations of regular consumers, businesses, and high-profile government institutions were locked. The crisis was stopped by Marcus Hutchins, who activated a "kill switch" for the malware, although the outbreak resulted in billions of dollars of damages overall.
The criminals behind WannaRen also utilized the EternalBlue vulnerability for lateral propagation. From there, the cybercriminals would launch the file encryption process, which would show a pop-up message demanding a ransom to be paid in Bitcoin for the data recovery tool.
Both malware strains were created strictly for monetization purposes and were not intended to cause havoc. However, since the ransomware leveraged the EternalBlue vulnerability combined with clever use of installers that are forbidden in China, it spread much further than the cybercriminals anticipated.
Clever use of the illegal-in-China Notepad++ installer allowed malware to spread like wildfire
Security researchers from 360 Total Security described Hidden Shadow as a small actor that had been active for years prior to the release of WannaRen. The criminals were previously distributing a number of different threats, including keyloggers, data stealers, and, predominantly, crypto-miners. Ransomware was one of the criminals' later choices, aimed at increasing profits in the illegal malware business.
The Chinese government strictly controls the internet and does not allow apps that actively disagree with the regime – this was the main key to WannaRen's success, as the attackers used pirated software installers of the source code editor Notepad++, the official website of which was inaccessible in China. Most victims got infected after downloading a modified installer via the XiXi Software Center website, which is considered to be one of the largest Chinese download sites.
Once inside the system, the hackers would execute PowerShell commands to download a backdoor module onto the infected system, which would allow them to exploit EternalBlue and infect corporate networks, encrypting everything on the way. The malware's success was also helped by the fact that Chinese users are very keen on using older computer systems that cannot be updated and patched, such as Windows 7 or Windows XP.
A free decryptor is available from Bitdefender
Bitdefender researchers are known for the large arsenal of decryption tools they have created for prominent ransomware strains in the past, such as GandCrab. Since the firm managed to obtain the keys released by the WannaRen actors, they compiled a working decryption tool that works for all versions of the ransomware. Users who were infected and did not pay the ransom can now recover their files for free.
Recovery tools are rare to come by, as they require either a bug within the encryption code or access to the cybercriminals' C&C servers. In some rare cases, threat actors also release the keys themselves, for one reason or another.
Users and companies should ensure that their systems are adequately protected by security solutions and that their operating systems are patched with the latest updates, as decryption tools are exceptionally rare.