The public firestorm over the release and plague-like spread of WanaCrypt0r late last week was still in full-throated roar when reports began appearing that variants of the ransomware had been discovered.
The first updated version appeared two days after the initial attack and did not include any major revisions, but simply pointed to a new command-and-control website, which was quickly taken down. Cybersecurity researchers also found other versions of WanaCrypt0r, or WannaCry, that did not require a C2 website and are still on the loose in the wild.
The latest figures have WanaCrypt0r infecting more than 200,000 computers in more than 100 countries, up from about 60,000 computers and 74 countries late Friday.
Ryan Kalember, Proofpoint’s senior vice president of cybersecurity strategy, said two new versions have been spotted, one of which is severely flawed.
“The first variant, WannaCry 2.0(a), pointed its ‘kill switch’ to a different Internet domain, which was also promptly registered and effectively sinkholed, stopping its spread. The second variant, WannaCry 2.0(b), had the ‘kill switch’ functionality removed, thus enabling it to propagate, but the ransomware payload fails to properly deploy, causing no direct impact to targeted systems,” he said.
An analysis of the new variants by McAfee Labs backed up Kalember's account, with the research firm finding samples in its database that did not check in with a domain before executing.
“We came across several other droppers (MD5: 509C41EC97BB81B0567B059AA2F50FE8) that did not exhibit this same behavior. These other droppers did not have the code to exploit machines through NetBIOS or to check for the kill-switch domain. With these samples, the ransomware code would be executed in all cases,” McAfee Labs wrote.
These samples were found in the wild, but were not spreading in an aggressive manner.
Matt Suiche, self-proclaimed hacker and founder of @comaeio, who found and stopped the WanaCrypt0r variant that utilized the new C2 site, has analyzed the flawed version.
“The fact that the no kill-switch variant is only partially working is most likely a temporary mistake from the attackers. Remember, even though the ransomware decompression is not working, the spreading through EternalBlue and DoublePulsar is still working,” he wrote, adding that the real issue is that too many organizations use legacy and out-of-date operating systems, making them easy targets for cybercriminals.
Interestingly, Lawrence Abrams, co-founder of Bleeping Computer, believes the inclusion of the C2 website, which is a definite flaw, might have been an act to help assuage the ransomware creator’s conscience.
“[It’s] definitely a flaw, but at the same time may have been some humanity in the ransomware developer. If there was no kill flaw it would have run rampant. Another theory is that it could have been an anti-sandbox measure, but as there was no other anti-vm code in the ransomware, I doubt it,” Abrams told SC Media.
“Personally, I think the dev went for a quick money grab and was hoping that a researcher would discover the domain and figure it out before it got out of control, and if not, the dev would register it themselves,” he added.
Others believe the next round of ransomware attacks is on its way and could prove every bit as malicious as the first wave.
Owen Connolly, VP of services (EMEA) at IOActive, told SC Media, “We do expect that the authors will launch a no kill switch variant that works at any time now, so our advice is still to patch ASAP as this will be particularly nasty.”
There is also some good news regarding the attack: at least when it comes to the original couple of WanaCrypt0r variants, the worst is probably over.
“There could be some more infections, but most systems that can be infected probably already were. So unless a new attack vector is added, I wouldn’t expect as big of a wave of new infections,” Justin Cappos, assistant professor of security, operating systems and networks at NYU Tandon School of Engineering, told SC Media.