
WannaRen Returns as Life Ransomware, Targets India

Although not as well-known as ransomware families such as Ryuk, REvil, or Maze, WannaRen ransomware made a name for itself back in 2020 after it launched attacks against Chinese internet users, infecting tens of thousands of victims. However, it has been relatively quiet since that attack, with the ransomware’s authors even sharing its private encryption key with a security company in August 2020.

In October 2022, we discovered what we initially thought to be a new ransomware, only to analyze it and discover that this may be a resurgence of the dormant WannaRen. This blog entry looks at the characteristics of this new variant, which we named Life ransomware after its encryption extension. Unlike the 2020 WannaRen ransomware attacks that previously targeted China and Taiwan, the attacks from the new variant targeted organizations in India.

The 2020 variant of the WannaRen ransomware was distributed as malicious PowerShell code bundled with activation tools. The script then obtained a PowerShell downloader, which connected to a link to retrieve the malicious ransomware modules. Unlike its previous version, this new variant uses a batch file to download and execute WINWORD.exe to perform DLL side-loading and load the ransomware in memory.

Analysis

We first discovered the infection running under the process of a non-malicious executable, WINWORD.exe (the executable file of Microsoft Word). However, further investigation revealed that this infection was a multi-component malware that abuses WINWORD.exe for malicious DLL side-loading. Furthermore, the actual ransomware is also dropped into the system as an encrypted file, with the attackers using command-line arguments supplied to WINWORD to fetch the ransomware.


Note, however, that incorporating this set of routines in a ransomware attack is not new; we have seen similar approaches in execution by more prominent groups such as LockBit.


WannaRen is also known to have mimicked certain aspects of WannaCry, particularly in its delivery method. It has been observed in the past using trojanized installers and abusing exploits such as EternalBlue for delivery. (as homage to , which is also where its name was coined after). After a long hiatus, it is back with some new tricks added to its arsenal. Toward the end of October, we even found variants abusing NTSD.exe instead.
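For defenders, the pattern described above (a legitimate WINWORD.exe or NTSD.exe started by a batch file from a staging location so that it loads a DLL placed beside it) can be hunted in process-creation and module-load telemetry. The following is an added example, not code from the original analysis: the event field names, the expected install roots, and every path and DLL name in the sample events are assumptions constructed for illustration.

```python
import ntpath

# Assumption: install roots where these signed binaries normally live; adjust per fleet.
EXPECTED_ROOTS = {
    "winword.exe": (r"c:\program files\microsoft office",
                    r"c:\program files (x86)\microsoft office"),
    "ntsd.exe": (r"c:\program files\windows kits",
                 r"c:\program files (x86)\windows kits"),
}

def _norm(path):
    # Collapse ".." segments and mixed separators before comparing.
    return ntpath.normpath(path).lower()

def sideload_findings(event):
    """Return reasons a process event matches the relocated-host pattern, else []."""
    image = _norm(event["image"])
    name = ntpath.basename(image)
    roots = EXPECTED_ROOTS.get(name)
    if roots is None or any(image.startswith(r + "\\") for r in roots):
        return []  # not a watched binary, or running from its normal location
    image_dir = ntpath.dirname(image)
    reasons = [f"{name} executed from {image_dir}"]
    # A DLL loaded from beside a relocated host binary is the side-loaded module.
    for module in event.get("modules", []):
        m = _norm(module)
        if m.endswith(".dll") and ntpath.dirname(m) == image_dir:
            reasons.append(f"loaded {ntpath.basename(m)} from the same directory")
    # The variant described here is started from a batch file, so cmd.exe is the parent.
    if ntpath.basename(_norm(event.get("parent", ""))) == "cmd.exe":
        reasons.append("parent process is cmd.exe")
    return reasons

# Constructed sample events (field names and all paths are illustrative).
EVENTS = [
    {"image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent": r"C:\Windows\explorer.exe",
     "modules": [r"C:\Program Files\Microsoft Office\root\Office16\placeholder.dll"]},
    {"image": r"C:\Users\Public\staging\WINWORD.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "modules": [r"C:\Users\Public\staging\placeholder.dll",
                 r"C:\Windows\System32\kernel32.dll"]},
    {"image": r"C:\Program Files\Microsoft Office\..\..\ProgramData\x\ntsd.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "modules": []},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["image"], "->", sideload_findings(ev) or "ok")
```

The third sample event shows why paths are normalized first: a path that begins under an expected root but climbs out of it with `..` segments would otherwise pass a naive prefix check.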
