A major cybersecurity firm warns that another global cyber-attack on a scale that could dwarf last week’s WannaCry hack is underway.
The new attack targets the same vulnerabilities the WannaCry virus exploited but, rather than freeze files, it uses the hundreds of thousands of ‘slave’ computers to mine virtual currency.
After the WannaCry ransomware infected more than 300,000 computers worldwide in an unprecedented cyber-attack over the weekend, cyber-security firm Proofpoint discovered a new attack called Adylkuzz.
Ryan Kalember, senior vice president for cyber-security at Proofpoint, told US broadcaster ABC the Adylkuzz attack employed the same hacking tools developed by the US National Security Agency (NSA) and leaked to the public by the hacker group Shadow Brokers in April.
“I would say the real-world impact of this attack is going to be more substantial than WannaCry,” Mr Kalember said.
“Ransomware is painful, but you can restore operations relatively quickly. Here, you have a huge amount of money landing in some bad people’s hands. That has geopolitical consequences.”
Rather than demand a payment to unfreeze a disabled computer as WannaCry does, Adylkuzz makes no announcement when it invades computers.
Instead, the virus stealthily recruits infected computers into a network of ‘cryptocurrency’ miners that fill the hackers’ digital wallets with a secretive unit of exchange called Monero, Proofpoint says.
Proofpoint said that symptoms of the attack include loss of access to shared Windows resources and degradation of PC and server performance, effects which some users may not notice immediately.
“As it is silent and doesn’t trouble the user, the Adylkuzz attack is much more profitable for the cyber criminals. It transforms the infected users into unwitting financial supporters of their attackers,” Godier said.
Proofpoint said it has detected infected machines that have transferred several thousand dollars’ worth of Monero to the creators of the virus.
The firm believes Adylkuzz has been on the loose since at least May 2, and perhaps even since April 24, but due to its stealthy nature was not immediately detected.
“We don’t know how big it is” but “it’s much bigger than WannaCry”, Proofpoint’s vice president for email products, Robert Holmes, told AFP.
Britain’s National Health Service, US package delivery giant FedEx, Spanish telecoms giant Telefonica and Germany’s Deutsche Bahn rail network were among those hit.
While the rate of new infections has slowed, researchers at cybersecurity firm Check Point said the malware continues to spread rapidly.
And another expert added that, despite a quick breakthrough that allowed WannaCry to be slowed down, researchers don’t fully understand it.
“The problem is that we’re still not certain about the origin of the infections,” said the expert on condition of anonymity, because, unlike many previous attacks, it was not spread via emails that deceive users into installing the virus.
More attacks could soon be underway, as the hacker group TheShadowBrokers, which leaked the vulnerabilities used by WannaCry and Adylkuzz, has threatened to publish more.
It said in a post it would begin providing information monthly by subscription in June, saying that in addition to Windows 10 vulnerabilities it would include “compromised network data from Russian, Chinese, Iranian, or North Korean nukes and missile programs”.