Over 237,000 computers across 99 countries have been infected, and the infection count is still rising even hours after the kill switch was triggered by the 22-year-old British security researcher behind the Twitter handle ‘MalwareTech.’
The WannaCry ransomware uses a Windows SMB exploit to remotely compromise computers running unpatched or unsupported versions of Windows.
The criminals behind WannaCry have so far received 100 payments from victims, totalling 15 bitcoins, or more than USD $30,000.
A British security researcher with the Twitter handle ‘MalwareTech’ simply purchased the domain name the ransomware checks (http://www(dot)iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea(dot)com) and redirected the traffic to a system under his own control, a simple fix that stopped the WannaCry ransomware from spreading any further.
However, this solution has only slowed the spread of the infection.
Several security researchers now claim there are more WannaCry samples in circulation, using different domains, with and without the kill switch that the earlier researcher triggered, which could still be infecting unpatched computers worldwide.
Once it has infected an unpatched system, WannaCry also scans for other computers on the local network, as well as random hosts on the wider Internet, and infects those too.
The SMB exploit used by WannaCry has been identified as EternalBlue/DoublePulsar, part of a collection of hacking tools allegedly created by the NSA and released by the hacking group “The Shadow Brokers” over a month ago.
NSA whistleblower Edward Snowden said: “If NSA had privately disclosed the flaw used to attack hospitals when they *found* it, not when they lost it, this may not have happened.”
Security researcher Matthieu Suiche has confirmed that he found a new WannaCry variant with a different kill-switch domain; he too registered that domain and redirected it to a sinkhole in an effort to slow down the infections.
Not Over Yet
MalwareTech told The Hacker News: “WannaCrypt ransomware was spread normally long before this and will be long after, what we stopped was the SMB worm variant.”
Registering the kill-switch domain still would not prevent an unpatched PC from getting infected in the following cases:
- You receive WannaCry via email, a malicious torrent, or other devices.
- Your ISP, antivirus, or firewall inadvertently blocks access to the sinkhole domain.
- The targeted system requires a proxy to access the Internet, as is common practice in most corporate networks.
- Someone makes the sinkhole domain inaccessible to everyone, for example with a large-scale DDoS attack.
MalwareTech further confirmed that “Mirai botnet skids tried to DDoS the [sinkhole] server for lulz,” but “it failed hardcore,” at least for now.
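The second, third and fourth cases above share one mechanism: the kill switch only helps if the infected host can reach the sinkhole domain on its own, without a proxy and without being filtered. The following PowerShell function is an added example, not code from the article or from MalwareTech, that lets a defender check that condition from an endpoint. The function name Test-SinkholeReachability and its parameters are assumptions; the domain default is the one quoted in the article. It resolves the name and then opens a raw TCP connection to port 80, which deliberately ignores any configured WinINet/WinHTTP proxy, so a host that only has proxied Internet access will show DNS or connect failures even though a browser on it works fine.

```powershell
# Added example (not from the article): does this endpoint reach the sinkhole
# domain directly? The article lists proxy-only egress, ISP/AV/firewall
# blocking and DDoS on the sinkhole as cases where the kill switch fails;
# all of them look like a DNS or direct-connect failure from the host.
function Test-SinkholeReachability {
    param(
        # Domain quoted in the article (de-obfuscated); assumption: port 80/HTTP
        [string]$Domain = 'www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com',
        [int]$Port = 80,
        [int]$TimeoutMs = 5000
    )
    $result = [ordered]@{ Domain = $Domain; Resolves = $false; DirectConnect = $false; Note = '' }

    # Step 1: name resolution. A filtered resolver or blocked domain fails here.
    try {
        $addresses = [System.Net.Dns]::GetHostAddresses($Domain)
        $result.Resolves = ($addresses.Count -gt 0)
    } catch {
        $result.Note = "DNS resolution failed: $($_.Exception.Message)"
        return [pscustomobject]$result
    }

    # Step 2: raw TCP connect. Unlike Invoke-WebRequest this does not consult
    # the system proxy, so proxy-only networks fail here even if browsing works.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Domain, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            $result.Note = 'TCP connect timed out; proxy-only or filtered egress looks like this'
        } else {
            $client.EndConnect($async)   # throws if the connection was refused
            $result.DirectConnect = $client.Connected
        }
    } catch {
        $result.Note = "TCP connect failed: $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
    return [pscustomobject]$result
}

# Usage: run on a representative workstation in each network segment.
Test-SinkholeReachability | Format-List
```

Read the output as follows: Resolves = True and DirectConnect = True means the kill switch would fire on this host; anything else means this segment falls into one of the cases listed above and should be treated as if no kill switch existed. Either way, the check is only a way to prioritise, not a substitute for patching.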
WannaCry 2.0 is Someone Else’s Work
In the latest development, Costin Raiu of Kaspersky shared samples of the new WannaCry 2.0 variant his team discovered with Suiche, who analysed them and confirmed that there is a WannaCrypt variant without a kill switch, still equipped with the SMB exploit that would let it spread rapidly without disruption.
Worryingly, this variant seems to have been created by someone other than the hackers behind the original WannaCry ransomware.
On further investigation, however, Suiche stated that the modified variant with no kill switch is corrupted, although this does not mean that other hackers and criminals will not come up with a working one.
Patch your computers, harden your defences, run a decent anti-virus, and – for goodness’ sake – ensure that you have secure backups.
WannaCry 2.0, Ransomware With NO Kill-Switch!
Costin Raiu, director of global research and analysis at Kaspersky Labs, said that his team had seen more WannaCry samples on Friday that did not have the kill switch.
“I can confirm we’ve had versions without the kill switch domain connect since yesterday,” he told The Hacker News.
Be Prepared: Upgrade, Patch OS & Disable SMBv1
Microsoft has taken the unusual step of protecting customers on unsupported versions of Windows — including Windows XP, Vista, Windows 8, Server 2003 and Server 2008 — by releasing security patches that fix the SMB flaw exploited by the WannaCry ransomware.
Users and organizations are therefore strongly advised to install the available Windows patches as soon as possible, and also to consider disabling SMBv1 (follow these steps), to prevent similar attacks in future.
Almost all antivirus vendors have already added signatures for this latest threat. Make sure you are using a good antivirus and keep it up to date.
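As an added example of the "disable SMBv1" step, the following PowerShell script is not from the article or from Microsoft; it audits and then disables SMBv1 on a single host. The exact method depends on the Windows version, so it tries the optional-feature path (Windows 8.1/10, Server 2012 R2 and later), then the SMB server configuration cmdlet (Windows 8/Server 2012), and finally the registry and service-dependency method that older versions such as Windows 7/Server 2008 R2 need. The function names Get-Smb1Status and Disable-Smb1 are assumptions. It must run from an elevated prompt, a reboot is required for the change to take full effect, and it does not cover Windows XP or Server 2003, where these cmdlets do not exist. Disabling SMBv1 removes the protocol the exploit targets but is a complement to the patch, not a replacement for it.

```powershell
# Added example (not from the article): audit and disable SMBv1 on this host.
# Run elevated. Reboot afterwards. Verify the legacy registry/service method
# against Microsoft's current guidance before rolling it out fleet-wide.
$ErrorActionPreference = 'Stop'

function Get-Smb1Status {
    # Windows 8.1 / 10 / Server 2012 R2+: SMB1 is an optional feature
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature) { return "Optional feature SMB1Protocol: $($feature.State)" }

    # Windows 8 / Server 2012: SMB server configuration cmdlets
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
        return "SMB server EnableSMB1Protocol: $enabled"
    }

    # Windows 7 / Server 2008 R2 / Vista / 2008: LanmanServer registry value
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $value = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    if ($null -eq $value) { return 'Registry SMB1 value absent (defaults to enabled)' }
    return "Registry SMB1 value: $value (0 = disabled)"
}

function Disable-Smb1 {
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        return
    }
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        return
    }
    # Legacy path: server side via registry, client side via the workstation
    # service dependencies so that the SMB1 mini-redirector is no longer loaded
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    Set-ItemProperty -Path $key -Name SMB1 -Type DWord -Value 0 -Force
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
}

"Before: " + (Get-Smb1Status)
Disable-Smb1
"After:  " + (Get-Smb1Status)
'Reboot required to complete SMBv1 removal.'
```

Before disabling SMBv1 across a fleet, inventory devices that still depend on it (old multifunction printers and NAS appliances are the usual offenders), because those will lose file-sharing access once the protocol is gone.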
It’s Not Over
MalwareTech also warned of the future threat, saying: “It’s very important everyone understand that all they need to do is change some code and start again. Patch your systems now!”
“Informed NCSC, FBI, etc. I’ve done as much as I can do currently, it’s up to everyone to patch,” he added.