WannaRen Returns as Life Ransomware, Targets India

Although not as well-known as ransomware families such as RyukREvil, or Maze, WannaRen ransomware made a name for itself back in 2020 after it launched attacks against Chinese internet users, infecting tens of thousands of victims. However, it has become relatively quiet since that attack, with the ransomware’s authors even sharing its private encryption key to a security company in August 2020.

In October 2022, we discovered what we initially thought to be a new ransomware, only to analyze it and discover that this may be a resurgence of the dormant WannaRen. This blog entry looks at the characteristics of this new variant, which we named Life ransomware after its encryption extension. Unlike the 2020 WannaRen ransomware attacks that previously targeted China and Taiwan, the attacks from the new variant targeted organizations in India.

The 2020 variant of the WannaRen ransomware was distributed as a malicious PowerShell code bundled with activation tools. The script then obtained a PowerShell downloader which connected to a link to retrieve the malicious ransomware modules. Unlike its previous version, this new variant uses a batch file to download and execute WINWORD.exe to perform DLL side-loading and load the ransomware in memory.


We first discovered the infection under the process of a non-malicious executable WINWORD.exe (the executable file of Microsoft Word). However, further investigation revealed that this infection was a multi-component malware that abuses WINWORD.exe for malicious DLL sideloading. Furthermore, the actual ransomware is also dropped into the system as an encrypted file, with the attackers using command-line arguments supplied to WINWORD to fetch the ransomware. 

Related Post

Note, however, that incorporating this set of routines in a ransomware attack is not new; we have seen similar approaches in execution by more prominent groups such as LockBit.

Innovation Newsletter
Don't miss the most important news about Innovation. Sign up to receive them by email.

WannaRen is also known to have mimicked certain aspects of WannaCry, particularly in its delivery method. It has been observed in the past using trojanized installers and abusing exploits such as EternalBlue for delivery.  (as homage to , which is also where its name was coined after). And after a long hiatus it is back with some new tricks added in its arsenal. Towards the end of October, we even found variants abusing NTSD.exe instead.

Read more Read More 

Innovation Newsletter
Don't miss the most important news about Innovation. Sign up to receive them by email.

Recent Posts

Good heart health in middle age may preserve brain function among Black women as they age

​​Research Highlights: Middle-aged Black women with better heart health were less likely to show a decline in mental function compared…

8 hours ago

Revolutionizing Hydration: Alkaline Ionized Water Takes India by Storm

Alkaline ionized water is being widely used in India, signifying a new phase of hydration for consumers with health concerns.…

21 hours ago

MoogleLabs Newest Feat – AI-powered Offensive Language Detection Tool: SwearSwap

MoogleLabs is an organization that is consistently making waves in the world of AI and technology with its innovative solutions…

21 hours ago

iCoreConnect Inc. Announces New State Endorsement of Seven Solutions From the Tennessee Dental Association

​​New Endorsements Allows iCoreConnect New Entry Into the Tennessee MarketOCOEE, FL - (NewMediaWire) - April 23, 2024 - iCoreConnect Inc. (NASDAQ:…

21 hours ago

Ubiquitech Software Corporation Reports Total Convertible Debt Reduction in Excess of $1,700,000 During Past 12 Months

​​DENVER, CO - (NewMediaWire) - April 23, 2024 - Ubiquitech Software Corp. (OTC: UBQU), a trailblazer in innovative software development, is pleased…

1 day ago

Sunknowledge Celebrates 10 Years of Successful Partnership in Providing Medical DME Billing Solutions to Top DME Company in New York

NEW YORK, N.Y., April 23, 2024 (SEND2PRESS NEWSWIRE) — Sunknowledge, a leading provider of healthcare outsourcing solutions, proudly celebrates a…

1 day ago


Innovation Newsletter
Don't miss the most important news about Innovation. Sign up to receive them by email.