WannaRen Returns as Life Ransomware, Targets India

Published by
Blog of Innovation Staff

Although not as well-known as ransomware families such as Ryuk, REvil, or Maze, WannaRen ransomware made a name for itself back in 2020 after it launched attacks against Chinese internet users, infecting tens of thousands of victims. However, it has become relatively quiet since that attack, with the ransomware’s authors even sharing its private encryption key with a security company in August 2020.

In October 2022, we discovered what we initially thought to be a new ransomware, only to analyze it and discover that this may be a resurgence of the dormant WannaRen. This blog entry looks at the characteristics of this new variant, which we named Life ransomware after its encryption extension. Unlike the 2020 WannaRen ransomware attacks that previously targeted China and Taiwan, the attacks from the new variant targeted organizations in India.

The 2020 variant of the WannaRen ransomware was distributed as malicious PowerShell code bundled with activation tools. The script then obtained a PowerShell downloader, which connected to a link to retrieve the malicious ransomware modules. Unlike its previous version, this new variant uses a batch file to download and execute WINWORD.exe to perform DLL side-loading and load the ransomware in memory.


We first discovered the infection under the process of a non-malicious executable, WINWORD.exe (the executable file of Microsoft Word). However, further investigation revealed that this infection was a multi-component malware that abuses WINWORD.exe for malicious DLL side-loading. Furthermore, the actual ransomware is also dropped into the system as an encrypted file, with the attackers using command-line arguments supplied to WINWORD to fetch the ransomware.

Note, however, that incorporating this set of routines in a ransomware attack is not new; we have seen similar approaches in execution by more prominent groups such as LockBit.

WannaRen is also known to have mimicked certain aspects of WannaCry, particularly in its delivery method. It has been observed in the past using trojanized installers and abusing exploits such as EternalBlue for delivery. (as homage to , which is also where its name was coined after). After a long hiatus, it is back with some new tricks added to its arsenal. Towards the end of October, we even found variants abusing NTSD.exe instead.
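For defenders, the batch-file launch of WINWORD.exe described above, and the later NTSD.exe variants, can be hunted in process-creation telemetry. The sketch below is an added example, not code from the original analysis: it uses Sysmon Event ID 1 field names, and the expected install directories, the script-host list and all sample events are assumptions constructed for illustration.

```python
import ntpath  # parses Windows paths on any OS

# Assumption: normal install prefixes for the abused host binaries; tune per fleet.
EXPECTED_DIRS = {
    "winword.exe": ("c:\\program files\\microsoft office\\",
                    "c:\\program files (x86)\\microsoft office\\"),
    "ntsd.exe": ("c:\\program files\\windows kits\\",
                 "c:\\program files (x86)\\windows kits\\"),
}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe"}

def reasons_for(ev):
    """Return the reasons a process-creation event looks like side-loading staging."""
    image = ev["Image"].lower()
    name = ntpath.basename(image)
    if name not in EXPECTED_DIRS:
        return []
    reasons = []
    if not image.startswith(EXPECTED_DIRS[name]):
        reasons.append("unexpected directory")
    if ntpath.basename(ev.get("ParentImage", "").lower()) in SCRIPT_HOSTS:
        reasons.append("script-host parent")
    if any(ext in ev.get("ParentCommandLine", "").lower() for ext in (".bat", ".cmd")):
        reasons.append("parent ran a batch file")
    return reasons

def triage(events):
    """Keep events whose binary runs from an unexpected directory; other reasons add context."""
    scored = [(ev["Image"], reasons_for(ev)) for ev in events]
    return [(img, why) for img, why in scored if "unexpected directory" in why]

# Constructed sample events (not taken from any real incident).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe", "ParentCommandLine": r"C:\Windows\Explorer.EXE"},
    {"Image": r"C:\Users\Public\WINWORD.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "ParentCommandLine": r"cmd.exe /c C:\Users\Public\run.bat"},
    {"Image": r"C:\ProgramData\ntsd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "ParentCommandLine": r"C:\Windows\Explorer.EXE"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "ParentCommandLine": r"C:\Windows\Explorer.EXE"},
]

if __name__ == "__main__":
    for image, why in triage(SAMPLE_EVENTS):
        print(image, "->", ", ".join(why))
```

A hit is a lead for triage rather than a verdict; pairing it with image-load events for unsigned DLLs in the same directory narrows it further.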
