Monero Cryptojacker Using NSA exploit EternalBlue

Following the use of the NSA developed EternalBlue exploit in the now infamous ransomware WannaCry, a new malware known as WannaMine has surfaced.

WannaMine follows in the footsteps of WannaCry, using the NSA developed EternalBlue exploit to propagate. After infection, the similarities between WannaCry and WannaMine end. Where WannaCry would proceed to encrypt all available files and notify the user of its existence, WannaMine silently installs and runs mining software for the cryptocurrency Monero.

Use of Monero

This is the next in a line of cryptojacking attacks involving mining software that specifically mines Monero. The reasoning behind the perpetrator’s use of Monero is unknown, though it may have something to do with Monero’s minability on mid to low-end computers, and the privacy that exists on Monero’s blockchain.


After infection and initial setup, WannaMine uses Windows management tools for its persistence. Once infected, it can be difficult to find the malicious settings within the large number of legitimate ones.

One of the simplest methods of detection is to monitor your computers CPU usage.  Abnormally high CPU usage can be caused by cryptojacking. You can view your CPU usage using Windows Task Manager. Otherwise, high CPU usage will make your computer hotter, which may make its fans run louder.


WannaMine uses EternalBlue for its propagation, and as Microsoft patched the vulnerability in 2017, so long as all computers on your network are up-to-date you should be secure from WannaMine. Otherwise, standard security advice such as not following unknown links applies.

Be the first to comment

Leave a Reply

Your email address will not be published.