A new type of malware is quietly spreading throughout computer systems that may hit more people than the large-scale ransomware attack that shut down machines around the globe Friday, cybersecurity firm Proofpoint said.
Called Adylkuzz, the malware runs silently in the background, consuming an infected machine's processing power to mine cryptocurrency for whoever controls it, Proofpoint said in a recently published analysis. So far, statistics suggest it "may be larger in scale than WannaCry," the report said. Rather than locking a computer and demanding a ransom as WannaCry does, Adylkuzz merely slows the machine down.
For now it is unclear which regions have been hardest hit, but Moscow-based cybersecurity firm Kaspersky Lab said Wednesday that most of the infections it has found so far are in Russia.
Some researchers say Adylkuzz may spread farther than WannaCry, but most users won't know that their computer has been hijacked. Average home users and small-to-medium-sized businesses are particularly vulnerable to this type of malware, said Brad Morrison, CEO of Innové, LLC in San Antonio.
“If you look at the general populace, I think that target demographic of older generations that may not be as computer savvy, there could be more issues there,” Morrison said. Innové is a technology and cybersecurity consulting provider that serves both the federal government and commercial critical infrastructure clients.
“Technology is moving so fast that there is always going to be a workaround by hackers to exploit technology,” Morrison said.
WannaCry encrypted the files on an infected computer and threatened to delete them unless a ransom was paid in Bitcoin, a digital currency whose transactions give both parties a degree of pseudonymity. When WannaCry began spreading rapidly last week, local firms were "on pins and needles seeing how it propagated," said John Dickson, principal at San Antonio-based application security company Denim Group, Ltd.
And while his company didn’t get any reports from clients that WannaCry impacted them, he noted that “nobody in the IT world right now is doing a victory lap, because these things will mutate, these things will morph.”
“And we might have dodged a bullet here, but who knows,” he said.
Adylkuzz differs from WannaCry in that it is far stealthier and has a different goal, McAfee Chief Technology Officer Steve Grobman said Wednesday via email. Adylkuzz lets attackers hijack computing power on other people's systems to generate Monero, a privacy-focused digital currency in the same family as Bitcoin.
"One difference between Adylkuzz and WannaCry is that it is advantageous for Adylkuzz to remain undetected and run as long as possible to maximize the amount of time a machine can be used for mining," Grobman added. "This creates an incentive for the cybercriminals of Adylkuzz to cause minimal damage and fly under the radar whereas WannaCry loudly informs the user that a compromise has occurred and causes massive destruction to the data on a platform."
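Grobman's point cuts both ways for defenders: a miner that wants to run for months cannot hide its CPU use, it can only hope nobody is looking. The following is an added example, not code from the article or from any of the firms quoted in it. It assumes process telemetry in the form (timestamp, pid, name, cpu_percent), as an endpoint agent or a periodic `ps`/`Get-Process` poll would produce, and runs over a constructed data set; the process names, PIDs and thresholds are illustrative, not indicators for Adylkuzz.

```python
"""Flag processes that keep a core busy across consecutive polls.

Added example (not from the article or any vendor it cites). Telemetry
shape and sample data are assumptions; a real deployment would feed this
from an endpoint agent. The idea: a covert miner shows up as a process
that is busy in every poll, whereas legitimate heavy work (a build, a
backup) appears as a spike and then disappears.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    ts: int             # epoch seconds at which the poll was taken
    pid: int
    name: str
    cpu_percent: float  # share of one core over the polling interval


# Constructed telemetry, polls 60 s apart. pid 4242 is a process with a
# familiar-looking name pegging a core in every poll; pid 1000 is a
# compiler that spikes once; pid 800 is idle desktop chrome.
SAMPLES = [
    Sample(0, 4242, "svchost.exe", 97.5), Sample(0, 1000, "cl.exe", 12.0), Sample(0, 800, "explorer.exe", 3.1),
    Sample(60, 4242, "svchost.exe", 98.9), Sample(60, 1000, "cl.exe", 99.0), Sample(60, 800, "explorer.exe", 2.0),
    Sample(120, 4242, "svchost.exe", 96.2), Sample(120, 1000, "cl.exe", 5.0), Sample(120, 800, "explorer.exe", 4.4),
    Sample(180, 4242, "svchost.exe", 99.1), Sample(180, 800, "explorer.exe", 1.0),
]


def sustained_cpu_hogs(samples, threshold=90.0, min_polls=3,
                       poll_interval=60, allow=frozenset()):
    """Return {pid: (name, longest_streak)} for processes at or above
    `threshold` percent CPU in at least `min_polls` consecutive polls.

    A gap longer than 1.5 polling intervals breaks a streak (the process
    was absent for a poll). `allow` holds lower-cased names of known heavy
    but legitimate processes to suppress.
    """
    by_pid = defaultdict(list)
    for s in sorted(samples, key=lambda s: s.ts):
        by_pid[s.pid].append(s)

    hits = {}
    for pid, series in by_pid.items():
        name = series[-1].name
        if name.lower() in allow:
            continue
        best = streak = 0
        prev_ts = None
        for s in series:
            if prev_ts is not None and s.ts - prev_ts > 1.5 * poll_interval:
                streak = 0  # process vanished for a poll; run is broken
            streak = streak + 1 if s.cpu_percent >= threshold else 0
            best = max(best, streak)
            prev_ts = s.ts
        if best >= min_polls:
            hits[pid] = (name, best)
    return hits


if __name__ == "__main__":
    for pid, (name, streak) in sustained_cpu_hogs(SAMPLES).items():
        print(f"pid {pid} ({name}): busy for {streak} consecutive polls")
```

The single spike from `cl.exe` is ignored while the process that is busy in all four polls is reported. The obvious caveat is the threshold: a miner configured to use only part of a core, or to pause when the user is active, drops below it, so in practice this check is combined with other signals such as unexpected outbound connections from the same process.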
WannaCry infected more than 300,000 computers in about 150 countries across the globe, Tom Bossert, assistant to the president for homeland security and counterterrorism, said on Monday. And Proofpoint says Adylkuzz has hit “hundreds of thousands of PCs and servers worldwide” so far.
Proofpoint also found in its analysis that the attack started before WannaCry: "at least on May 2 and possibly as early as April 24." Adylkuzz "may have in fact limited the spread of last week's WannaCry infection," Proofpoint said.
To be sure, Kaspersky Lab said via email Wednesday that so far Adylkuzz "does not appear" to have infected as many systems as WannaCry, and that it is continuing to monitor the threat.
“The company has detected and blocked (Adylkuzz) attacks on 2,300 unique users during the last two weeks, most of them (70 percent) located in Russia,” the lab said in a statement via email. “Other affected countries include Ukraine, India, Brazil, Kazakhstan, Vietnam, Mexico, Tunisia, Italy and South Africa.”
Morrison surmised that the U.S. had not seen as much impact because its core information technology infrastructure is more advanced than that of other countries.
And Chris Gerritz, founder of San Antonio-based Infocyte, said via email that he thinks the impact of the attack will be limited compared to WannaCry, noting that “WannaCry denied use of 200,000-plus systems, including systems being used for surgeries.”
"Stealing people's extra CPU cycles will likely not be noticed by most infected, and due to how far and wide it is spreading, it is well captured by the security community and industry, so mitigation is being implemented," said Gerritz, a retired Air Force officer who established that service's first interactive defensive counter-cyberspace practice.
While Morrison had not personally seen the malware hit any of his clients, he said it is another reminder that people and businesses should focus on updating their systems as quickly as possible.
"Things like this are wakeup calls … you do kind of question: are people taking this seriously or not?" he said, adding, "Is there a breaking point where people will finally say, yeah this is definitely something I need to pay more particular attention to?"
McAfee’s Grobman said WannaCry and the Adylkuzz attack “show how important security patches are in building and maintaining those effective defenses.”
The two attacks are the latest reminders, he said, that the way companies analyze risk to decide whether to patch "needs to be rethought within organizations worldwide."