
WannaRen Ransomware

Posted: April 9, 2020

The WannaRen Ransomware is a file-locking Trojan that blocks users' data with a combination of RSA and RC4 encryption. The WannaRen Ransomware campaign has close ties to software piracy websites targeting Chinese users, although it also may circulate by exploiting the EternalBlue vulnerability. Users still should protect their work through remote, secure backups and let anti-malware products delete the WannaRen Ransomware as necessary.

Collected Software and Leaked NSA Exploits Easing the Way for Trojans

File-locking Trojans outside the most commonly encountered families, such as Hidden Tear and the STOP Ransomware, are often little-known pet projects. They tend to have few features besides blocking files and dropping ransom notes. The WannaRen Ransomware, a recent sample collected from victims in China, offers a more involved setup than most independent file-locker Trojans, bundling multiple threats in its delivery mechanism and using more than one means of circulation.

The WannaRen Ransomware consists of multiple modules: the file-locking executable (a fake WinWord.exe service), an unlocker component that displays the ransoming pop-up and handles decryption, a cryptocurrency miner, and a propagation component. The last of these abuses the Shadow Brokers-leaked EternalBlue SMB vulnerability to compromise at-risk systems over network connections. However, malware experts confirm that the primary means of the WannaRen Ransomware's installation is likely a very different, and more scheme-like, one.

Commonalities between scripted elements in samples suggest that the WannaRen Ransomware is infecting users who download pirated software and freeware from compromised sites, such as the Xixi Software Center's installer for Notepad++. The campaign is, at this time, orienting itself towards Chinese victims in both the website content and the ransom notes. Regrettably, the WannaRen Ransomware blocks files using a secure implementation of RSA and RC4 encryption that is not vulnerable to standard, third-party decryption solutions.

Putting the Crunch of File-Ransoming Businesses

While the WannaRen Ransomware's pop-up may resemble that of WannaCry (also known as WannaCryptor Ransomware), it has no code-based links to that old Trojan. Some of its features are worth noting as behaviorally distinct from the norms of its industry, as well. The Trojan restarts the PC before, rather than after, locking files. It also targets an unusual set of formats, including more database and server-centric content than the usual pictures, documents, and personal media.

In all cases, users should withhold the demanded Bitcoin ransom until after testing other options for data recovery, however slim. Windows users can render the EternalBlue feature irrelevant by keeping current with all security updates for their software, as well as by using strong credentials to secure accounts. The value of a secure, remotely-stored backup is also inestimable against file-locking Trojans from any family.

Reputable anti-malware tools should block the installers for this threat or, where needed, remove the WannaRen Ransomware from compromised Windows environments. Users should follow up with in-depth file and system scans to isolate any remaining components, such as the Trojan's cryptocurrency miner.
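As an added defender-side check (not code from the original article or its author), the PowerShell below covers the two points above: it reports whether the SMBv1 server protocol that EternalBlue abuses is still enabled, and it lists installed services whose binary is a WinWord.exe outside the usual Office folders, the disguise the article attributes to the file-locking component. It assumes an elevated session on Windows 8/Server 2012 or later and the default Office install locations; adjust the paths for your environment.

```powershell
# Added defender check, not part of the original page. Assumes an elevated session on
# Windows 8 / Server 2012 or later (Get-SmbServerConfiguration requires the SmbShare module).

function Test-Smb1Exposure {
    # EternalBlue targets SMBv1; if the server-side protocol is off, that propagation path is closed.
    $cfg = Get-SmbServerConfiguration
    $enabled = [bool]$cfg.EnableSMB1Protocol
    if ($enabled) {
        $advice = 'Disable with: Set-SmbServerConfiguration -EnableSMB1Protocol $false, then apply pending Windows updates'
    } else {
        $advice = 'Disabled; SMBv1 exploitation via EternalBlue does not apply to this host'
    }
    [pscustomobject]@{ Check = 'SMBv1 server protocol'; Enabled = $enabled; Advice = $advice }
}

function Find-SuspiciousWinWordService {
    # Assumption: legitimate Office installs live under Program Files. A service whose image
    # is WinWord.exe anywhere else (user profile, Temp, ProgramData) deserves a closer look.
    $officeRoots = @(
        "$env:ProgramFiles\Microsoft Office",
        "${env:ProgramFiles(x86)}\Microsoft Office"
    )
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -match 'winword\.exe' } |
        Where-Object {
            $path = $_.PathName.Trim('"')
            $inOffice = $officeRoots | Where-Object {
                $path.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase)
            }
            -not $inOffice
        } |
        Select-Object Name, State, StartMode, PathName
}

Test-Smb1Exposure | Format-List
$hits = Find-SuspiciousWinWordService
if ($hits) {
    $hits | Format-Table -AutoSize
} else {
    'No services reference WinWord.exe outside the Office install folders.'
}
```

A hit from the second function is a lead for the in-depth scan the article recommends, not proof of infection on its own; confirm the file's signature and origin before acting.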

The WannaRen Ransomware is a revealing look at where the Chinese threat landscape stands after the attacks of the 5ss5c Ransomware. The trend of converting pirated software into Trojan installers could end at any time, but only if users abandon downloading habits that put themselves, and their work, at considerable risk.
