
WannaCry vs. Adylkuzz: who is ahead of whom?



By now everyone has heard of the many-named WannaCry ransomware, also known as WanaCryptor, WanaCrypt0r, WCrypt, WCRY or WNCRY. It certainly made a lot of noise. Even though no working decryptor exists, there are enterprising people offering services to "decrypt" .WNCRY files. But this post is not about that.

Researchers at Proofpoint recently made an unexpected claim: WannaCry, for all its fame, was not the first malware to actively exploit the Windows SMB vulnerability with the EternalBlue exploit and the DoublePulsar backdoor.

It was beaten to it by the much quieter cryptocurrency miner Adylkuzz, which used the same methods to spread and infect Windows machines.
The researchers suggest that the Adylkuzz campaign may be even larger in scale. By their estimate, the active distribution campaign ran from April 24 to May 2, 2017.

How Adylkuzz was caught


During their research, the Proofpoint team connected a machine vulnerable to EternalBlue to the Internet and waited for it to pick up WannaCry. To their surprise, the machine instead picked up a less noisy guest: the Adylkuzz miner. They repeated the exercise with a clean machine several times, always with the same result: within about 20 minutes the host was infected with Adylkuzz and had joined its botnet.

The attacks apparently came from several VPS hosts that scan the Internet for targets with TCP port 445 open.

How Adylkuzz spreads and what it does


Once on the victim's machine, Adylkuzz looks for and terminates any copies of itself that are already running, blocks SMB communication, determines the victim's public IP address, and downloads mining instructions and a cryptominer. There appear to be several command-and-control servers from which it fetches instructions and the modules it needs.

The coin Adylkuzz mines is not Bitcoin but Monero. Like other mined cryptocurrencies, Monero's circulating supply, and with it its market capitalization at a given price, grows as it is mined. Even though the malware holds no files to ransom and simply mines quietly, its authors hardly deserve to be called noble: the machine remains part of the botnet, and how it will behave in the future is unknown.

Another interesting detail: once on a victim's machine, Adylkuzz closes the door behind it by blocking SMB, so WannaCry simply cannot get in. In effect, the spread of one piece of malware suppressed the spread of another. That is no comfort to the victim: the host is still compromised and still part of the botnet, and a machine that suddenly stops answering on port 445 is itself a sign worth investigating.
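As an added example (not code from the original post, from Proofpoint's research, or from the malware itself), here is a check a responder can run against a Windows host to find the artifact the two paragraphs above describe: an enabled inbound rule that blocks TCP 445. The page only says that Adylkuzz "blocks SMB communications" and does not state the mechanism; the script assumes the block was created as a Windows Firewall rule and parses the output of `netsh advfirewall firewall show rule name=all verbose` collected from the host. The sample output embedded below is constructed, including the rule name `blocksmb`, and is not an indicator of compromise.

```python
"""Flag Windows Firewall rules that block inbound SMB (TCP 445).

Added example, not from the original page. Assumes the SMB block is a
Windows Firewall rule and parses the text produced on the host by:

    netsh advfirewall firewall show rule name=all verbose

SAMPLE_OUTPUT below is constructed in the layout netsh prints; the rule
names in it are invented.
"""
import re
import sys

SMB_PORT = 445

SAMPLE_OUTPUT = """\
Rule Name:                            File and Printer Sharing (SMB-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private
RemoteIP:                             LocalSubnet
Protocol:                             TCP
LocalPort:                            445
Action:                               Allow

Rule Name:                            blocksmb
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            139,445
Action:                               Block

Rule Name:                            Old test rule
----------------------------------------------------------------------
Enabled:                              No
Direction:                            In
Profiles:                             Public
RemoteIP:                             Any
Protocol:                             Any
LocalPort:                            Any
Action:                               Block
"""


def parse_rules(text):
    """Split netsh 'show rule' output into one dict of fields per rule."""
    rules, current = [], None
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z][A-Za-z ]*):\s*(.*)$", line)
        if not m:
            continue  # dashed separators and blank lines
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Rule Name":  # every rule starts with this field
            current = {"Rule Name": value}
            rules.append(current)
        elif current is not None:
            current[key] = value
    return rules


def port_in_spec(spec, port):
    """True if a netsh port spec ("Any", "445", "139,445", "440-450") covers port."""
    spec = spec.strip()
    if spec.lower() == "any":
        return True
    for item in (s.strip() for s in spec.split(",")):
        if "-" in item:
            lo, hi = item.split("-", 1)
            if lo.isdigit() and hi.isdigit() and int(lo) <= port <= int(hi):
                return True
        elif item.isdigit() and int(item) == port:
            return True
    return False  # keywords such as RPC or IPHTTPS never match a number


def smb_block_rules(rules, port=SMB_PORT):
    """Enabled inbound Block rules whose protocol and local port cover TCP/port."""
    return [
        r for r in rules
        if r.get("Enabled", "").lower() == "yes"
        and r.get("Direction", "").lower() == "in"
        and r.get("Action", "").lower() == "block"
        and r.get("Protocol", "").lower() in ("tcp", "any")
        and port_in_spec(r.get("LocalPort", "Any"), port)
    ]


def main(argv):
    # With a file argument, read saved netsh output; otherwise use the sample.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_OUTPUT
    hits = smb_block_rules(parse_rules(text))
    if not hits:
        print("no enabled inbound rule blocks TCP 445")
        return 0
    for r in hits:
        print(f"BLOCKS SMB: {r['Rule Name']!r} profiles={r.get('Profiles')} "
              f"remote={r.get('RemoteIP')} ports={r.get('LocalPort')}")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run `netsh advfirewall firewall show rule name=all verbose > rules.txt` on the suspect host and feed the file to the script; an enabled inbound block on 445 that nobody on the admin team created deserves a closer look at the machine. A block enforced some other way (for example, an IPsec policy managed through `netsh ipsec` rather than a firewall rule) would not appear in this listing, so a clean result from this script does not clear the host.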

Given how widely WannaCry spread, I wonder how many machines Adylkuzz managed to settle on.

UPD: a full translation of Proofpoint's article on how they discovered Adylkuzz is now available.

Source: https://habr.com/ru/post/328932/

