WannaRen Returns as Life Ransomware, Targets India

Although not as well-known as ransomware families such as Ryuk, REvil, or Maze, WannaRen ransomware made a name for itself back in 2020 after it launched attacks against Chinese internet users, infecting tens of thousands of victims. However, it has been relatively quiet since that attack, with the ransomware’s authors even sharing its private encryption key with a security company in August 2020.

In October 2022, we discovered what we initially thought to be a new ransomware, only to analyze it and discover that this may be a resurgence of the dormant WannaRen. This blog entry looks at the characteristics of this new variant, which we named Life ransomware after its encryption extension. Unlike the 2020 WannaRen ransomware attacks that previously targeted China and Taiwan, the attacks from the new variant targeted organizations in India.

The 2020 variant of the WannaRen ransomware was distributed as malicious PowerShell code bundled with activation tools. The script then obtained a PowerShell downloader, which connected to a link to retrieve the malicious ransomware modules. Unlike the previous version, this new variant uses a batch file to download and execute WINWORD.exe to perform DLL side-loading and load the ransomware in memory.

Analysis

We first discovered the infection running under the process of WINWORD.exe, a non-malicious executable (the executable file of Microsoft Word). However, further investigation revealed that this infection was a multi-component malware that abuses WINWORD.exe for malicious DLL side-loading. Furthermore, the actual ransomware is also dropped into the system as an encrypted file, with the attackers using command-line arguments supplied to WINWORD to fetch the ransomware.

Note, however, that incorporating this set of routines in a ransomware attack is not new; we have seen similar approaches in execution by more prominent groups such as LockBit.

WannaRen is also known to have mimicked certain aspects of WannaCry, particularly in its delivery method. It has been observed in the past using trojanized installers and abusing exploits such as EternalBlue for delivery. (as homage to , which is also where its name was coined after). After a long hiatus, it is back with some new tricks added to its arsenal. Towards the end of October, we even found variants abusing NTSD.exe instead.
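The behaviour described above (a batch file that downloads and runs a copy of WINWORD.exe, or in later variants NTSD.exe, to side-load a DLL) shows up in process-creation and image-load telemetry. The following detection logic is an added example, not code from the original analysis; it assumes Sysmon-style event dictionaries (Event ID 1 and 7 field names), and the trusted directories, sample paths and `placeholder.dll` are constructed for illustration.

```python
import ntpath

# Host binaries the article reports being abused for DLL side-loading.
HOSTS = {"winword.exe", "ntsd.exe"}
# Assumption: where these binaries legitimately live in this environment.
TRUSTED_DIRS = (
    "c:\\program files\\microsoft office\\",
    "c:\\program files (x86)\\microsoft office\\",
    "c:\\program files (x86)\\windows kits\\",
)
SCRIPT_PARENTS = {"cmd.exe", "powershell.exe"}


def relocated_host(image):
    """True when a known host binary runs from outside its trusted directories."""
    image = image.lower()
    return ntpath.basename(image) in HOSTS and not image.startswith(TRUSTED_DIRS)


def triage(events):
    """Return (event_index, reason) findings for Sysmon-style event dicts."""
    findings = []
    for i, ev in enumerate(events):
        if not relocated_host(ev["Image"]):
            continue
        host_dir = ntpath.dirname(ev["Image"]).lower()
        if ev["EventID"] == 1:  # process creation
            reason = "host binary started from untrusted path"
            if ntpath.basename(ev["ParentImage"]).lower() in SCRIPT_PARENTS:
                reason += ", parent is a script shell"
            findings.append((i, reason))
        elif ev["EventID"] == 7:  # image (DLL) load
            dll = ev["ImageLoaded"].lower()
            if ntpath.dirname(dll) == host_dir and str(ev.get("Signed")).lower() != "true":
                findings.append((i, "unsigned DLL loaded from host's own directory"))
    return findings


# Constructed sample events (not taken from the article or any real incident).
SAMPLE = [
    {"EventID": 1, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Users\Public\example\WINWORD.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 7, "Image": r"C:\Users\Public\example\WINWORD.exe",
     "ImageLoaded": r"C:\Users\Public\example\placeholder.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Users\Public\example\WINWORD.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
]
```

A legitimate Office or debugger installation in a non-default directory would also be flagged, so `TRUSTED_DIRS` has to reflect the environment being monitored.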

BlogofInnovation.com 
