In April of this year, a number of Chinese internet users were hit by ransomware attacks. A ransomware operation known as WannaRen claimed tens of thousands of victims, including home consumers and local Chinese companies.
Its code was loosely modeled after WannaCry, which explains WannaRen’s virality.
Just like their inspiration, the authors of the WannaRen ransomware added the EternalBlue exploit to their infection chain, which allowed WannaRen to spread without restrictions inside corporate networks.
And just like WannaCry, WannaRen spread like wildfire. It spread far beyond what its authors had planned and caused more destruction than they expected. That is the reason why, in the end, the malware’s authors provided the master decryption key for free, so all victims could recover their files.
A Korean Malware Group
WannaCry was launched in May 2017, and more than three years later, we can say that it was created by North Korean government hackers.
It was created to infect a few victims, ransom their files and use the ransom payments to raise funds for the Pyongyang regime. The authors of WannaCry didn’t have big ambitions, and creating a global outbreak was never their intent.
We can say something similar about the authors of the WannaRen ransomware. Chinese antivirus maker Qihoo 360 said that it has been tracking this group under the name Hidden Shadow.
The group is described as a small-time threat actor. It has been active for years and has been involved in the distribution of an assortment of malware strains.
WannaRen joined the group’s arsenal for ransom attacks and was added to its distribution routine on April 6, 2020.
Various sources stated that WannaRen’s initial point of distribution was a modified installer for the Notepad++ text editor, shared via the Xixi Software Center.
Because of the software maker’s anti-Chinese stance, access to the official Notepad++ download site is often blocked in China, and because Xixi is one of China’s largest software download sites, they infected it with WannaRen.