Adylkuzz hack, called larger than WannaCry, slows computers across the globe

istockphoto

Many computers and servers around the world whose owners believed they were operating slowly on Friday because of the WannaCry ransomware attack, were actually victims of another insidious hack, according to the security company Proofpoint. It says the computers were infected with malware called Adylkuzz which turned them into an unwitting army of computer "miners" working to create and funnel large sums of digital currency, likely destined for dark web markets.

The California-based security company says this malware took advantage of the same National Security Agency-developed tools that drove Friday's unprecedented WannaCry ransomware attack, possibly causing more damage.

WannaCry leveraged exploits stolen from the NSA to lock the computer systems of hundreds of thousands of companies, ranging from hospitals to car manufacturers, and hold their data for ransom. Adylkuzz uses the same exploits to install malware on computers, but instead of locking them, it operates in the background, stealing computer power (and slowing the device) while "mining" for the virtual currency Monero.

Ryan Kalember, the senior vice president of cybersecurity strategy at Proofpoint, said many people impacted by Adylkuzz may not notice the toll it's taking on their computers immediately. Virtual currencies — such as Bitcoin, the most well-known — are "mined" by computers and servers, typically with the owner's knowledge. In this case, computers around the world are being forced to "mine" for Monero, which is most known for its ability to protect anonymity. Monero is the currency of choice on AlphaBay, a dark web market trafficking in drugs, stolen credit card information and other illicit goods.

"It's throwing massive computational power at it, so it's using those computers to create hundreds of thousands, if not millions of dollars worth of dark web currency," Kalember said. "They're basically making a bunch of dark money for some very bad people."

Kalember said Proofpoint has identified 20 servers around the world that are "essentially hunting for vulnerable computers to do the mining."

Riccardo Spagni, who is a member of Monero's Core Team, which oversees ongoing development, maintenance, and research for the project, said the makers of the currency can't stop Adylkuzz.

"You asked what are we trying to do about it? And the answer is nothing, because there is nothing we can do about it," Spagni said in a phone call with CBS News. "The thing with most projects of this nature is you can't stop anyone from using it, and that's obviously a good and bad thing. It's not that we particularly want Monero to be associated with malware, but it kind of is what it is." 

Spagni said Monero's anonymity protections means those running the system can't differentiate between computers that are "mining" voluntarily, and those that have been hijacked.

"There's no way from a system perspective to know what is a legitimate miner and what isn't," he said. 

Spagni, who is based in South Africa, defended the use of anonymous currencies like Monero.

"Like with any tool it could be used for good purposes or nefarious. If it's a hammer or an automobile, you wouldn't blame the inventor when users are up to no good," Spagni said.

Proofpoint traces the Adylkuzz hack back to at least May 2 — 10 days before the WannaCry attack — but says it may have originated as early as April 24. Both Adylkuzz and WannaCry take advantage of a vulnerability in Microsoft Windows. The company released a patch for the vulnerability on March 14, but it was not highly publicized until WannaCry hit and did not fix the vulnerability in certain older versions of Windows. The company took the unusual step on Friday of releasing a separate patch for unsupported older versions of Windows.

While WannaCry gains access to vulnerable computers after users click infected links, Adylkuzz employs at least 20 servers around the world that are constantly scanning for computers that haven't been patched, and are therefore susceptible to the malware, according to Proofpoint. It can target vulnerable computers without the owner having to click.

Both Kalember and Spagni say the only way users can stymie the attacks is to install the patch, which can be downloaded from this Microsoft web page.

"You might forget about your patches, or you think you're just not computer savvy. Just think that you can help prevent people who, best-case scenario, are organized crime, worst-case scenario (work for) some nation-state that obviously doesn't have the best interests of the U.S. in mind," Kalember said.


Got news tips about digital privacy, cybercrime or the intelligence community? Email this reporter at KatesG@cbsnews.com, or for encrypted messaging, grahamkates@protonmail.com (PGP fingerprint: 4b97 34aa d2c0 a35d a498 3cea 6279 22f8 eee8 4e24).

  • Graham Kates

    Graham Kates is an investigative reporter covering criminal justice, privacy issues and information security for CBSNews.com.