The Latest on WannaCry, UIWIX, EternalRocks and ShadowBrokers


Ransomware has gained global attention over the course of the last two weeks due to the huge spread of WannaCry. Following the initial attacks, we’ve seen UIWIX, Adylkuzz and now EternalRocks come onto the scene leveraging the same core set of vulnerabilities.

The common thread among the three threats is MS17-010, along with the other tools and vulnerabilities released by Shadow Brokers. These attacks are not only exploiting vulnerabilities in systems, but also taking advantage of a struggle every organization faces: patch management and system upgrades. Let’s look at the impact and consider why these threats are occurring.

But first, here’s a quick look at the comparison between WannaCry, UIWIX and EternalRocks:

| | WannaCry | UIWIX | EternalRocks |
|---|---|---|---|
| Attack vectors | SMB vulnerabilities (MS17-010), TCP port 445 | SMB vulnerabilities (MS17-010), TCP port 445 | SMB vulnerabilities (MS17-010), five vulnerabilities and two tools, TCP port 445 |
| File type | Executable (EXE) | Dynamic-link library (DLL) | Executable (EXE) |
| Appended extension | {original filename}.WNCRY | ._{unique id}.UIWIX | N/A |
| Autostart and persistence mechanisms | Registry | None | Scheduled Tasks |
| Anti-VM, VM check, or anti-sandbox routines | None | Checks presence of VM and sandbox-related files or folders | None |
| Network activity | On the internet, scans random IP addresses to check for an open port 445 (propagation); connects to .onion site using Tor browser (C&C communication) | Uses mini-tor.dll to connect to .onion site (its C&C) to send encrypted information and gathered information (C&C communication) | On the internet, scans random IP addresses to check for an open port 445 (propagation); connects to .onion site using Tor browser (C&C communication) |
| Exceptions (doesn’t execute if it detects certain system components) | None | Terminates itself if found running in Russia, Kazakhstan, and Belarus | N/A |
| Exclusions (directories or file types it doesn’t encrypt) | Avoids encrypting files in certain directories | Avoids encrypting files in two directories, and files with certain strings in their file name | N/A |
| Network scanning and propagation | Yes (worm-like propagation) | No | Yes (worm-like propagation) |
| Kill switch | Yes | No | N/A |
| Number of targeted file types | 176 | All files in the affected system except those in its exclusion list | N/A |
| Shadow copies deletion | Yes | No | N/A |
| Languages supported (ransom notes, payment site) | Multilingual (27) | English only | N/A |
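The propagation row in the table is the behaviour a network defender can actually see: WannaCry and EternalRocks scan random addresses for an open port 445, so a single host suddenly touching many distinct destinations on TCP/445 is the signal to look for. The following is an added example, not code from the original post or from Trend Micro: a sliding-window fan-out detector run over constructed connection-log lines. The log format (`<epoch> <src_ip> <dst_ip> <dst_port>`), the 60-second window, the threshold of 20 distinct targets and the 10.0.0.0/8 internal range are all assumptions chosen for the illustration.

```python
"""Flag hosts whose TCP/445 traffic looks like worm propagation.

Added example, not from the original post. The log line format, window,
threshold and internal address range below are assumptions.
"""
from collections import Counter, deque
from ipaddress import ip_address, ip_network

SMB_PORT = 445
WINDOW_SECONDS = 60       # assumption: sliding window length
FANOUT_THRESHOLD = 20     # assumption: distinct /445 targets before alerting
INTERNAL_NETWORKS = [ip_network("10.0.0.0/8")]  # assumption: our address space


def parse_line(line):
    """Parse one constructed log line: '<epoch> <src_ip> <dst_ip> <dst_port>'."""
    ts, src, dst, port = line.split()
    return int(ts), src, dst, int(port)


def is_internal(addr):
    """True if the address falls inside one of the configured internal ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETWORKS)


def detect_smb_fanout(lines, window=WINDOW_SECONDS, threshold=FANOUT_THRESHOLD):
    """Return {src_ip: report} for every source whose number of distinct
    TCP/445 destinations within any `window`-second span reaches `threshold`.

    A normal workstation talks to a handful of file servers on 445; a host
    scanning random addresses on 445 reaches the threshold in seconds.
    """
    events = sorted(parse_line(l) for l in lines if l.strip())
    per_src = {}
    for ts, src, dst, port in events:
        if port != SMB_PORT:
            continue
        state = per_src.setdefault(src, {
            "queue": deque(),      # (timestamp, dst) events inside the window
            "counts": Counter(),   # dst -> hits inside the window
            "peak": 0,             # largest distinct-destination count seen
            "external": set(),     # destinations outside INTERNAL_NETWORKS
            "first_alert": None,   # timestamp at which the threshold was hit
        })
        queue, counts = state["queue"], state["counts"]
        queue.append((ts, dst))
        counts[dst] += 1
        # Drop events that have fallen out of the window.
        while queue and queue[0][0] < ts - window:
            old_ts, old_dst = queue.popleft()
            counts[old_dst] -= 1
            if counts[old_dst] == 0:
                del counts[old_dst]
        if not is_internal(dst):
            state["external"].add(dst)
        distinct = len(counts)
        state["peak"] = max(state["peak"], distinct)
        if distinct >= threshold and state["first_alert"] is None:
            state["first_alert"] = ts
    return {
        src: {
            "peak_distinct_targets": s["peak"],
            "external_targets": len(s["external"]),
            "alert_at": s["first_alert"],
        }
        for src, s in per_src.items()
        if s["first_alert"] is not None
    }


# Constructed sample log: one scanning host, one normal workstation, some web traffic.
SAMPLE_LOG = (
    # 10.0.0.5 hits 25 distinct external addresses on 445 in 25 seconds ...
    [f"{1000 + i} 10.0.0.5 203.0.113.{i} 445" for i in range(1, 26)]
    # ... then two internal neighbours
    + ["1030 10.0.0.5 10.0.0.77 445", "1031 10.0.0.5 10.0.0.78 445"]
    # 10.0.0.7 repeatedly talks to a single file server: normal SMB use
    + [f"{1000 + i} 10.0.0.7 10.0.0.10 445" for i in range(0, 40, 2)]
    # non-SMB traffic is ignored by the detector
    + ["1005 10.0.0.7 10.0.0.20 80", "1006 10.0.0.8 10.0.0.20 443"]
)

if __name__ == "__main__":
    for src, report in detect_smb_fanout(SAMPLE_LOG).items():
        print(src, report)
```

Two practical notes. First, an internal host opening port 445 to addresses outside your own ranges is suspicious on its own, since there is rarely a business reason for SMB to leave the network; the `external_targets` count is there so an analyst can prioritize those alerts, and blocking outbound 445 at the perimeter removes that propagation path entirely. Second, per the table, UIWIX does not spread this way, so a fan-out detector covers WannaCry and EternalRocks but not UIWIX.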


The impact

At last count, WannaCry alone had infected 230,000 users in some 150 countries. Given the massive spread and variety of this malware, however, the payout so far has only been about $110,000. This demonstrates that the largest impact wasn’t financial, but physical: organizations in some industries, including healthcare, were forced to shut down their systems to stop the malware from propagating. That brings a digital threat into the physical world and gives these attacks real-world impact.

However, EternalRocks doesn’t drop any malicious payload. Despite leveraging five vulnerabilities and two reconnaissance tools, it doesn’t leave any malicious content behind. It does leverage the DoublePulsar exploit, which opens a backdoor into the infected system, likely for later use by the threat actors.

Why are they doing it?

When threat actors get into a system and don’t drop a malicious payload, it raises the possibility that they are leaving something else behind instead. It’s possible that the attackers are preparing the network for future use. It could also be a distraction, drawing attention while other vulnerabilities are exploited unnoticed.

The first line of defense against all of these threats is to patch your systems against all of the vulnerabilities disclosed by ShadowBrokers. Trend Micro offers a variety of solutions, support and tools to help organizations protect against and respond to these threats. Learn more about the latest threats and how to prepare in today’s webinar at 12 p.m. Central time.
