Skip to main content

How to protect your computer from the WannaMine malware

After the WannaCry ransomware, now we have the WannaMine malware. WannaMine is a fileless malware that infects Windows-based computers with the purpose of using the computer’s resources, such as CPU and RAM to mine a cryptocurrency called Moreno. Any coins mined will be transferred to the developers of this malware. It uses the same exploit developed by NSA, called EternalBlue that was used for the WannaCry ransomware.
Panda Security was the first to discover this malware several months ago. Both Sophos and Panda claim to protect against this malware, but you need to also ensure you're taking the necessary steps to protect your computer against this attack.
The way this malware works is it uses the SMB protocol on port 445 and sets a WMI permanent event subscription that executes a PowerShell command every 90 minutes. This can affect Windows operating systems as early as Windows 2000, including Windows 10 and Server editions.

If the EternalBlue exploit is patched, then it uses the MimiKatz to acquire credentials (logins and passwords) of the machines in order to gain access to the machine’s resources.

The fact that it uses built-in Windows tools to steal your resources, meaning it doesn't need a separate file to do its job, means that it is almost impossible to detect and remove it.

How do you know if you have the WannaMine virus?

Here's what to look for:
  • Slow computer or completely unusable
  • Apps crashing or not opening
  • High percentage of used CPU and RAM resources for countless hours, verified by Task Manager
  • Fans running loud all the time
  • Overheating
  • Battery draining on laptops
If left infected for a long time, severe damage of hardware can occur, so you need to be aware of the signs as well as take action immediately.

How can you prevent from getting infected?

Prevention is always better than the cure, especially with a difficult-to-detect malware such as this one.
  • Do not open suspicious emails or websites with pirated or indecent content
  • Use the Adblock Plus extension for your browser to prevent any pop-ups
  • Make sure you have the latest operating system and that Windows Updates are all current. Windows Vista and older versions are no longer supported by Microsoft, so it is highly recommended to upgrade your operating system if you are using an older operating system.
  • Download and install the Premium version of MalwareBytes Anti-Malware. The Premium version helps to prevent your browser from opening any websites that could be harmful, as well as block anything malicious from downloading.
  • Download and install either Panda or Sophos security package with real-time protection. You can also check online by searching with the keywords "wannamine" and your desired antivirus program to see if they have a fix for this malware.
  • Make sure you have a strong password for logging in to your computer.
  • Make sure System Restore is enabled and have a full backup on Cloud and / or an external drive of your files.

What to do if you are infected

  • Stop the network access to your computer to prevent further infection to other computers on your network.
  • Change your password.
  • Use MalwareBytes and your antivirus software to scan thoroughly for infections. Make sure they are updated and it’s best done in Safe Mode. Restart your computer at the end of the scan if they removed the infection and scan again.
  • Use the System Restore tool from Windows if the above method doesn’t work, to restore your computer to a date earlier than the time you got infected.
  • Format your computer if neither of the above work. Make sure you have a backup of your files on an external drive before proceeding. Use the Reset This PC option in Windows 10 with the option to keep your files, to see if that fixes the issue, otherwise use the other option that removes all files for a clean installation.
If the above methods seem tedious, or didn’t work, you need to take your computer to an expert, and as soon as possible, to prevent damage to the hardware. You can also find step-by-step guides on our blog or YouTube channel.

Disclaimer: The content provided in this article is for informational purposes only. You are solely responsible for verifying the information as being appropriate for your personal use.

Popular posts from this blog

Bullet Journal and Task Management in Obsidian (part 1)- Free Vault for download and Folder Structure

This is the vault in Obsidian that I use daily as a bullet journal and task manager. This is going to be a series of posts on explaining how I use this vault.   Download the full vault .zip file here . Extract it, save the folder to your desired location and then open it from Obsidian. If you just want the snippets, download the snippets .zip file here . Extract and paste the CSS snippets to your .obsidian/snippets folder (show hidden files and folders in your file explorer). For a list of the alternate checkboxes you can use, see here (you don't need the minimal theme, the CSS snippet I have enabled will work on any theme, even the default one): Folder Structure I have 3 parent folders: inbox - this is where I have Obsidian automatically store any new note I create journal - this is where I have Obsidian automatically store daily notes. I keep the current month in there, then when the month ends, I review and archive by month and y

How to rebuild cache and repair permissions of kexts in a Hackintosh

After installing 3rd-party kexts in /Library/Extensions, or replacing vanilla kexts with patched kexts in System/Library/Extensions, you may want to repair their permissions and rebuild the kext cache to ensure they work as intented. Here's how.

NVIDIA Web Drivers Mojave Workaround

It is still uncertain when will NVIDIA release any Web Drivers for macOS Mojave, but we can try a workaround.