If you have been following the news, by now you might be aware that a security researcher activated a “kill switch” to stop WannaCry ransomware from spreading further, but it’s not over: criminals have just launched WannaCry 2.0 with no kill-switch functionality. WannaCry infections kept rising even hours after the kill switch was triggered, from 100,000 to 213,000 computers across 99 countries, and this latest version can now take over hundreds of thousands more unpatched computers without any disruption. For those unaware, WannaCry is an extremely fast-spreading ransomware that leverages a Windows SMB exploit to target computers running unpatched or unsupported versions of Windows and Windows Server, and then spreads itself like a worm to infect other vulnerable systems on the internal network. The SMB exploit is known as EternalBlue, one of a collection of hacking tools allegedly created by the NSA and subsequently dumped by a hacking group calling itself “The Shadow Brokers” over a month ago.
No, It’s not over yet, WannaCry 2.0 is on hunt!
In our previous two articles, we put together more information about this massive ransomware campaign, also explaining how a researcher known as MalwareTech accidentally halted the global spread of WannaCry by registering a domain name hidden in the malware, though doing so does not repair computers that are already infected.
That domain was responsible for keeping WannaCry propagating and spreading like a worm, but MalwareTech registered the domain in question and created a sinkhole, a tactic researchers use to redirect traffic from infected machines to a system under their own control. If you are thinking that activating the kill switch has completely stopped the infection, then you are mistaken, because as soon as the attackers realised, they came back.
Costin Raiu, the director of the global research and analysis team at Kaspersky Labs, has confirmed the arrival of WannaCry 2.0 variants without the kill-switch function.
“I can confirm we’ve had versions without the kill switch domain connect since yesterday,” Raiu told Motherboard. So, expect a new wave of ransomware attacks with an updated WannaCry variant, which will be difficult to stop unless and until all vulnerable systems get patched.
“The next attacks are inevitable, you can simply patch the existing samples with a hex editor and it’ll continue to spread. We will see a number of variants of this attack over the coming weeks and months so it’s important to patch hosts,” Matthew Hickey, a security expert and co-founder of Hacker House, told Hacking News & Tutorials. Instead of depending upon mass email spamming, as an ordinary malware campaign would, the WannaCry cyber attack leverages the SMB exploit to remotely hijack vulnerable computers simply by scanning every IP address on the Internet. Even after WannaCry made headlines all over the Internet and media, there are still hundreds of thousands of unpatched systems exposed to the Internet.
“The worm can be modified to spread other payloads not just WCry and we may see other malware campaigns piggybacking off this sample’s success.”
“The worm functionality attempts to infect unpatched Windows machines in the local network. At the same time, it also executes massive scanning on Internet IP addresses to find and infect other vulnerable computers. This activity results in large SMB traffic from the infected host.”
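The “large SMB traffic from the infected host” described above is the signal a defender can look for on the network edge. The PowerShell below is an added example, not code from the article or from any of the researchers quoted: it reads lines in the Windows Firewall log (pfirewall.log) field order and reports any source that opened 445/tcp to many distinct peers, separately counting non-RFC1918 peers, which is what Internet-wide scanning looks like from inside. The log lines, the threshold and the function name are constructed for this example.

```powershell
# Added example, not from the article. Flags hosts that open 445/tcp to many
# distinct peers, the "large SMB traffic from the infected host" the quote describes.
# Input lines follow the Windows Firewall log (pfirewall.log) field order:
# date time action protocol src-ip dst-ip src-port dst-port ...
# The log lines below are constructed for this example.

$sampleLog = @'
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2017-05-13 10:00:01 ALLOW TCP 10.0.0.7 10.0.0.21 50123 445 0 S 1 0 8192 - - - SEND
2017-05-13 10:00:02 ALLOW TCP 10.0.0.7 10.0.0.21 50124 445 0 S 1 0 8192 - - - SEND
2017-05-13 10:00:05 ALLOW TCP 10.0.0.5 10.0.0.22 49152 445 0 S 1 0 8192 - - - SEND
2017-05-13 10:00:05 ALLOW TCP 10.0.0.5 10.0.0.23 49153 445 0 S 1 0 8192 - - - SEND
2017-05-13 10:00:05 ALLOW TCP 10.0.0.5 10.0.0.24 49154 445 0 S 1 0 8192 - - - SEND
2017-05-13 10:00:06 ALLOW TCP 10.0.0.5 198.51.100.9 49155 445 0 S 1 0 8192 - - - SEND
2017-05-13 10:00:06 ALLOW TCP 10.0.0.5 203.0.113.40 49156 445 0 S 1 0 8192 - - - SEND
2017-05-13 10:00:07 DROP TCP 10.0.0.5 203.0.113.41 49157 445 0 S 1 0 8192 - - - SEND
2017-05-13 10:00:08 ALLOW TCP 10.0.0.9 10.0.0.21 51000 80 0 S 1 0 8192 - - - SEND
'@

function Find-SmbScanners {
    param(
        [Parameter(Mandatory)] [string[]] $LogLines,
        [int] $Threshold = 5   # distinct 445/tcp peers per source before it is reported
    )
    # Keep only TCP connections to port 445.
    $records = foreach ($line in $LogLines) {
        if ($line -match '^\s*(#|$)') { continue }   # header, comment or blank line
        $f = $line -split '\s+'
        if ($f.Count -lt 8) { continue }
        if ($f[3] -eq 'TCP' -and $f[7] -eq '445') {
            [pscustomobject]@{ Source = $f[4]; Destination = $f[5]; Action = $f[2] }
        }
    }
    # One result per source that touched at least $Threshold distinct peers.
    $records | Group-Object Source | ForEach-Object {
        $targets  = @($_.Group.Destination | Sort-Object -Unique)
        $external = @($targets | Where-Object {
            $_ -notmatch '^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)'
        })
        if ($targets.Count -ge $Threshold) {
            [pscustomobject]@{
                Source          = $_.Name
                DistinctTargets = $targets.Count    # breadth of the scan
                ExternalTargets = $external.Count   # non-RFC1918 peers: Internet-wide scanning
                DroppedAttempts = @($_.Group | Where-Object Action -eq 'DROP').Count
            }
        }
    }
}

# On the constructed sample only 10.0.0.5 is reported (6 distinct peers, 3 of them external).
Find-SmbScanners -LogLines ($sampleLog -split "`r?`n") | Format-Table -AutoSize

# Against a real host, read the firewall log from its default location instead:
# Find-SmbScanners -LogLines (Get-Content C:\Windows\System32\LogFiles\Firewall\pfirewall.log)
```

The firewall only records allowed connections when logging of successful connections is switched on in the profile, so on a real host enable that first; otherwise only the DROP lines are available and the count understates the scan.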
So, the new strain of WannaCry 2.0 malware would not take much time to take over these systems, as well as others connected to the same local network.
Hickey also warned that since WannaCry is a single executable file, it can also be spread through other regular exploit vectors, such as spear phishing, drive-by-download attacks, and malicious torrent downloads.
Get Prepared: Install Security Patches & Disable SMBv1
MalwareTech also warned: “It’s very important for everyone to understand that all the attackers need to do is change some code and start again. Patch your system now!”
“Informed NCSC, FBI, etc. I’ve done as much as I can do currently, it’s up to everyone to patch.”
As we reported today, Microsoft took the unusual step of protecting customers running unsupported versions of Windows – including Windows XP, Vista, Windows 8, Server 2003 and 2008 – by releasing security patches that fix the SMB flaw currently being exploited by the WannaCry ransomware.
Even after this, I believe many individuals remain unaware of the new patches, and many organisations running older or unpatched versions of Windows that are considering upgrading their operating systems will need time to do so, as well as money for new licenses.
So, users and organisations are strongly advised to install available Windows patches as soon as possible, and also consider disabling SMBv1, to prevent similar future cyberattacks.
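The two pieces of advice above, install the patch and disable SMBv1, can be checked and applied from an elevated PowerShell session. The script below is an added example and not the article's or Microsoft's own code: the cmdlets, the LanmanServer registry value and the SMB1Protocol optional-feature name are Microsoft's documented interfaces, while the function names are this example's own. The article names no KB number, so the patch check takes the KB identifier for your Windows version as a parameter rather than hard-coding one.

```powershell
# Added example, not from the article. Reports whether SMBv1 is enabled on this host,
# turns it off, and checks whether a given hotfix is installed. Run elevated.
# Cmdlets and registry path are Microsoft's; the function names are this example's own.

$lanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1State {
    # Windows 8 / Server 2012 and later expose the server-side switch as a cmdlet.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $cfg = Get-SmbServerConfiguration
        return [pscustomobject]@{ Method = 'SmbServerConfiguration'
                                  Smb1Enabled = [bool]$cfg.EnableSMB1Protocol }
    }
    # Vista / Server 2008 / Windows 7 / 2008 R2: the SMB1 registry value decides.
    # A missing value means SMBv1 is on, which is the default on those systems.
    $val = (Get-ItemProperty -Path $lanmanKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return [pscustomobject]@{ Method = 'Registry'
                              Smb1Enabled = ($null -eq $val -or $val -ne 0) }
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Takes effect after the Server service (or the host) restarts.
        Set-ItemProperty -Path $lanmanKey -Name SMB1 -Type DWord -Value 0 -Force
    }
    # Where SMBv1 ships as a removable component (Windows 8.1 / 10 clients), remove it
    # as well so the driver is gone rather than merely switched off; this needs a reboot.
    if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
        if ($feature -and $feature.State -eq 'Enabled') {
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        }
    }
}

function Test-PatchInstalled {
    # Supply the KB number for your Windows version from Microsoft's bulletin,
    # e.g. -KbId 'KB<number from the bulletin>'; the article names no KB.
    param([Parameter(Mandatory)] [string] $KbId)
    [bool](Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)
}

$before = Get-Smb1State
"SMBv1 enabled before: $($before.Smb1Enabled) (checked via $($before.Method))"
if ($before.Smb1Enabled) { Disable-Smb1 }
"SMBv1 enabled after:  $((Get-Smb1State).Smb1Enabled)"
```

Disabling SMBv1 on a file server breaks clients that can speak nothing newer, such as Windows XP and Server 2003 hosts and some older printers and NAS devices, so inventory those first; on the unsupported systems the article lists, the registry path is the only one of the three methods available, and the patch Microsoft released for them is what actually closes the exploited flaw.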