Botnet using NSA's exploits could grow bigger than WannaCry

The Adylkuzz malware spreads the same way the WannaCry ransomware does, but it's sneakier.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Alfred Ng
2 min read
Security researchers predict that this new malware will be bigger than WannaCry because it's much more stealthy.

Security researchers predict that this new malware will be bigger than WannaCry because it's much more stealthy.

Boris Roessler/Getty Images

The WannaCry ransomware hit the world in a frenzy, but the next wave of hacks using the same tactics is much quieter. And it's getting bigger, too.

Instead of serving ransomware and locking up computers while demanding victims pay up, Adylkuzz turns devices into slaves for its botnet army. Hundreds of thousands of infected computers are effectively turned into zombies mining for Monero, a cryptocurrency similar to Bitcoin, according to cybersecurity researchers at Proofpoint.

It spreads through EternalBlue, the same server messaging blocking exploit that WannaCry used -- a vulnerability first discovered by the US National Security Agency and leaked to the public by the hacker group Shadow Brokers. Once Adylkuzz is in a computer's system, it downloads instructions, a cryptominer and cleanup tools. Proofpoint has spotted attacks as early as April 24, but because of Adylkuzz's stealthy nature, it wasn't as obvious until after WannaCry's devastating ransomware surfaced.

The virus hides in the background, so most victims wouldn't even know they've been hacked. The symptoms include slowed down performance in PCs and loss of access to certain Windows resources. In one case, a hacker made up to $22,000 before the mining bot was booted.

"While an individual laptop may generate only a few dollars per week, collectively the network of compromised computers appears to be generating five-figure payouts daily," said Ryan Kalember, Proofpoint's senior vice president of cybersecurity strategy.

Security experts predict that Adylkuzz's spread will become even more rampant than WannaCry's.

"As disruptive as WannaCry has been to vulnerable organizations, more deadly attacks that don't announce their presence, like the cryptocurrency miner Adylkuzz, go undetected," said Brian Vecci from Varonis.

Like WannaCry, Adylkuzz also preys on outdated systems. Researchers recommend updating your computer to Microsoft's latest patches, and disabling your server message block service if you can't.

Tech Enabled: CNET chronicles tech's role in providing new kinds of accessibility.

Life, disrupted: In Europe, millions of refugees are still searching for a safe place to settle. Tech should be part of the solution. But is it? CNET investigates.