Although not as well known as ransomware families such as Ryuk, REvil, or Maze, WannaRen ransomware made a name for itself in 2020 when it attacked Chinese internet users and infected tens of thousands of victims. It has been relatively quiet since then; in August 2020 the ransomware's authors even handed the private key needed for decryption to a security company.
In October 2022, we discovered what we initially took to be a new ransomware family. Analysis showed that it is more likely a resurgence of the dormant WannaRen. This blog entry looks at the characteristics of this new variant, which we named Life ransomware after the extension it appends to encrypted files. Unlike the 2020 WannaRen attacks, which targeted China and Taiwan, the new variant's attacks targeted organizations in India.
The 2020 variant of WannaRen was distributed as malicious PowerShell code bundled with software activation tools. That script fetched a PowerShell downloader, which in turn retrieved the ransomware modules from a remote URL. The new variant instead uses a batch file to download and run a legitimate copy of WINWORD.exe, which side-loads a malicious DLL that loads the ransomware in memory.
We first observed the infection running under WINWORD.exe, the legitimate Microsoft Word executable. Further investigation showed that it is a multi-component malware that abuses WINWORD.exe for DLL side-loading. The ransomware itself is dropped onto the system as an encrypted file, and the command-line arguments supplied to WINWORD.exe are used by the side-loaded code to locate that payload.
This chain of routines is not new to ransomware; we have seen similar approaches in use by more prominent groups such as LockBit.
WannaRen is also known to mimic certain aspects of WannaCry, from which its name is derived, particularly in its delivery method: in the past it was observed using trojanized installers and abusing exploits such as EternalBlue for delivery. After a long hiatus it is back with new tricks in its arsenal. Towards the end of October, we even found variants that abuse NTSD.exe as the side-loading host instead of WINWORD.exe.
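The chain described above (a legitimate Microsoft binary copied to an unusual folder, started from a batch file with arguments, and loading a DLL from its own directory) leaves traces that endpoint telemetry can catch without any sample-specific indicator. The following is an added example, not code from the original post or from Trend Micro, that runs such checks over constructed event records shaped like Sysmon process-creation (event ID 1) and image-load (event ID 7) data. It covers both hosts the post names, WINWORD.exe and NTSD.exe. The expected install directories, the sample paths, the DLL and batch file names, and the `payload.bin` argument are all assumptions made for the example; the post does not publish the actual file names or arguments, so none of these are indicators of compromise.

```python
"""Heuristic detection of the WINWORD.exe / NTSD.exe DLL side-loading chain.

Added example. Event records below are constructed in the style of Sysmon
EID 1 (process create) and EID 7 (image load); they are not logs from the post.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Genuine Microsoft programs the post reports being abused as side-loading hosts.
SIDELOAD_HOSTS = ("winword.exe", "ntsd.exe")

# Where a genuine copy normally lives. Assumption: default install locations.
EXPECTED_DIRS = {
    "winword.exe": (r"c:\program files\microsoft office",
                    r"c:\program files (x86)\microsoft office"),
    "ntsd.exe": (r"c:\windows\system32", r"c:\windows\syswow64"),
}

OFFICE_DOC_EXTS = (".doc", ".dot", ".rtf")   # ".doc" also matches .docx/.docm


@dataclass
class ProcessCreate:          # Sysmon EID 1 fields used here
    pid: int
    image: str
    command_line: str
    parent_image: str
    parent_command_line: str


@dataclass
class ImageLoad:              # Sysmon EID 7 fields used here
    pid: int
    image: str                # the process that loaded the module
    image_loaded: str         # the module
    signed: bool              # Sysmon's "Signed" field


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _in_expected_dir(name: str, image: str) -> bool:
    return any(_norm(image).startswith(d + "\\") for d in EXPECTED_DIRS[name])


def check_process(ev: ProcessCreate) -> list[str]:
    """Return findings for one process-creation event (empty if nothing stands out)."""
    name = _name(ev.image)
    if name not in SIDELOAD_HOSTS:
        return []
    findings = []
    # A copy of the host outside its install directory is the core of the technique.
    if not _in_expected_dir(name, ev.image):
        findings.append(f"pid {ev.pid}: {name} running from unexpected path {ev.image}")
    # The chain on this page starts from a batch file; cmd.exe running a .bat is a
    # rare parent for an Office binary or a debugger.
    if _name(ev.parent_image) == "cmd.exe" and ".bat" in ev.parent_command_line.lower():
        findings.append(f"pid {ev.pid}: {name} spawned by batch script: {ev.parent_command_line}")
    # Heuristic: Word is normally given a document path. Arguments that name no Office
    # document are worth a look; the post says arguments are passed to WINWORD.exe but
    # does not publish them, so this is a heuristic rather than an indicator.
    if name == "winword.exe":
        _, _, rest = ev.command_line.lower().partition("winword.exe")
        rest = rest.strip(' "')
        if rest and not any(ext in rest for ext in OFFICE_DOC_EXTS):
            findings.append(f"pid {ev.pid}: winword.exe launched with non-document arguments: {ev.command_line}")
    return findings


def check_image_load(ev: ImageLoad) -> list[str]:
    """Flag a side-loading host pulling an unsigned DLL from its own directory."""
    name = _name(ev.image)
    if name not in SIDELOAD_HOSTS:
        return []
    host_dir = _norm(str(PureWindowsPath(ev.image).parent))
    dll_dir = _norm(str(PureWindowsPath(ev.image_loaded).parent))
    if dll_dir == host_dir and not ev.signed:
        return [f"pid {ev.pid}: {name} loaded unsigned {ev.image_loaded} from its own directory"]
    return []


def scan(events) -> list[str]:
    """Run both checks over a mixed stream of events and collect the findings."""
    out: list[str] = []
    for ev in events:
        out.extend(check_process(ev) if isinstance(ev, ProcessCreate) else check_image_load(ev))
    return out


# Constructed sample events. Paths, file names and the argument are made up for the example.
SAMPLE_EVENTS = [
    # Benign: Word opened by the user from its install directory, loading its own signed library.
    ProcessCreate(4100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                  r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\alice\report.docx"',
                  r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe"),
    ImageLoad(4100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Program Files\Microsoft Office\root\Office16\wwlib.dll", True),
    # Suspicious: a copy of WINWORD.exe in a user-writable folder, started by a batch file
    # with an opaque argument, loading an unsigned DLL that sits beside it.
    ProcessCreate(5232, r"C:\Users\Public\office\WINWORD.exe",
                  r'"C:\Users\Public\office\WINWORD.exe" payload.bin',
                  r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "C:\Users\Public\office\run.bat"'),
    ImageLoad(5232, r"C:\Users\Public\office\WINWORD.exe", r"C:\Users\Public\office\helper.dll", False),
    # Suspicious: NTSD.exe, the host seen in later variants, launched the same way.
    ProcessCreate(5260, r"C:\Users\Public\tools\ntsd.exe", r'"C:\Users\Public\tools\ntsd.exe"',
                  r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "C:\Users\Public\tools\run.bat"'),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Against the sample stream the benign Word launch produces no findings, the WINWORD.exe copy produces four (unexpected path, batch-file parent, non-document argument, unsigned DLL from its own directory) and the NTSD.exe launch two. The path and parent checks are the robust ones; the argument heuristic will also fire on some legitimate automation, so treat it as a triage signal rather than a blocking rule.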