If you have been following our news articles, by now you may be aware that a security researcher activated a "kill switch" which apparently stopped the WannaCry ransomware from spreading further. That is not quite true, and the threat is not over yet: the kill switch has only slowed the rate of infection.
So far, over 237,000 computers across 99 countries have been infected, and the count is still rising every hour. Even after the kill switch was triggered by the 22-year-old British security researcher who goes by the handle 'MalwareTech', the spread of this malware has not stopped.
Introduction:
For those unaware, WannaCry is a very fast-spreading ransomware worm that uses a Windows SMB exploit to remotely compromise computers running unpatched or unsupported versions of Windows.
Once a machine is infected, WannaCry scans for other vulnerable computers on the same network, and also scans random hosts on the wider Internet, in order to spread quickly.
The SMB exploit WannaCry is currently using has been identified as EternalBlue, one exploit from a collection of hacking tools allegedly created by the NSA and subsequently dumped by a hacking group calling itself "The Shadow Brokers" about a month ago.
Kill switch for WannaCry... but it's not over yet!
In my previous two articles (link for first, link for second), I put together most of the information about this massive ransomware campaign, explaining how MalwareTech accidentally halted the global spread of WannaCry by registering a domain name hidden in the malware.
hxxp://www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
The domain above is what keeps WannaCry propagating like a worm. As I explained previously, before spreading, the worm tries to connect to this domain: if the connection succeeds, it exits, and only if the connection fails does the SMB worm proceed to infect other systems.
Fortunately, MalwareTech registered the domain in question and turned it into a sinkhole, a tactic researchers use to redirect traffic from infected machines to a system they control (read his latest blog post for more details).
So after all this, you may be wondering what is new here. Let me tell you what happened next.
Matthieu Suiche, a security researcher, has confirmed that he found a new WannaCry variant with a different kill-switch domain, which he registered and pointed at a sinkhole in an effort to slow down infections.
The newly discovered WannaCry variant works exactly like the previous one that spread panic across the world on Friday night. But if you think that activating the kill switch has completely stopped the infection, you are mistaken. So why does the malware still spread after the kill switch has been triggered?
Why does triggering the kill switch not stop this malware?
To answer this, you first need to know what the kill switch really does. The kill-switch check lives in the SMB worm component, not in the ransomware module. Triggering it therefore stops the malware from spreading through the Windows SMB vulnerability, but the malware can still arrive through email and other delivery routes.
Triggering the switch thus slowed the malware down but did not stop it.
Since the kill-switch feature was in the SMB worm, not in the ransomware module itself, "WannaCrypt ransomware was spread normally long before this and will be long after, what we stopped was the SMB worm variant," said MalwareTech.
You should also know that the kill switch will not prevent your unpatched PC from being infected in the following scenarios:
- If you receive WannaCry via email, a malicious torrent, or another vector (rather than over SMB).
- If your ISP, antivirus or firewall happens to block access to the sinkhole domain.
- If the targeted system needs a proxy to reach the Internet, which is common practice in the majority of corporate networks.
- If someone makes the sinkhole domain unreachable for everyone, for example with a large-scale DDoS attack.
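To make the gate described above concrete, here is an added example (written for this article, not code from WannaCry or from MalwareTech's sinkhole) that models the check the SMB worm runs before spreading and plugs in the network outcomes from the list above. The scenario functions are constructed assumptions about what the worm's HTTP request would see in each environment; the domain is the real one shown defanged earlier.

```python
import socket
from typing import Callable

# The domain MalwareTech registered and sinkholed (the article shows it defanged).
KILL_SWITCH_DOMAIN = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"


def worm_should_spread(connect: Callable[[str], bool]) -> bool:
    """Model of the gate the SMB worm runs before spreading.

    The worm issues a plain HTTP GET to the hard-coded domain and exits only
    if that request succeeds; any failure (DNS, TCP, timeout) falls through to
    the SMB spreading code. `connect` stands in for that request: it returns
    True when the GET succeeds and raises an OSError when it does not.
    """
    try:
        reached = connect(KILL_SWITCH_DOMAIN)
    except OSError:
        reached = False
    return not reached


# --- constructed network environments (assumptions, one per scenario) --------
def sinkhole_reachable(domain: str) -> bool:
    # Sinkhole registered and answering: the GET succeeds, the worm exits.
    return domain == KILL_SWITCH_DOMAIN


def dns_blocked(domain: str) -> bool:
    # ISP, antivirus or firewall refuses to resolve the domain.
    raise socket.gaierror(f"blocked: {domain}")


def proxy_only_network(domain: str) -> bool:
    # Direct egress is denied; the worm's request ignores the proxy, so TCP fails.
    raise ConnectionRefusedError("direct egress denied, proxy required")


def sinkhole_ddosed(domain: str) -> bool:
    # Sinkhole flooded offline: the request times out.
    raise TimeoutError("sinkhole not responding")


SCENARIOS = {
    "sinkhole reachable": sinkhole_reachable,
    "DNS blocked by ISP/AV/firewall": dns_blocked,
    "corporate proxy required": proxy_only_network,
    "sinkhole DDoSed offline": sinkhole_ddosed,
}


def evaluate_scenarios() -> dict:
    """Map each scenario to whether the worm would go on to spread."""
    return {name: worm_should_spread(fn) for name, fn in SCENARIOS.items()}


if __name__ == "__main__":
    for name, spreads in evaluate_scenarios().items():
        print(f"{name:32s} -> {'SPREADS' if spreads else 'halts'}")
```

Only the first scenario halts the worm; every kind of failure, whether a refused DNS lookup, a proxy-only network or a flooded sinkhole, is treated the same way as "domain unregistered" and lets the SMB spreading code run. The email case from the list is different again: a ransomware module dropped by an attachment never runs this gate at all.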
MalwareTech also confirmed that "Mirai botnet skids tried to DDoS the [sinkhole] server for lulz," in order to make it unavailable to the WannaCry SMB worm, which proceeds with infection when the connection fails. But "it failed hardcore," at least for now.
In short, if the sinkhole server becomes unreachable, nothing stands in the way of the SMB worm. You can still protect yourself by following the prevention measures we have already covered.
WannaCry 2.0 - The ransomware with no kill switch
Costin Raiu, director of the Global Research and Analysis Team at Kaspersky Lab, confirmed that his team had seen more WannaCry samples on Friday that did not have the kill switch.
Raiu shared some of the samples his team discovered with Suiche, who analysed them and confirmed that there is a WannaCrypt variant without a kill switch that still carries the SMB exploit, which would let it spread rapidly without interruption.
What is even worse is that the new variant without a kill switch is believed to have been created by someone other than the authors of the original WannaCry. The ransomware has evidently caught the interest of other attackers, and the threat will grow as more of them set about modifying its code.
According to reports, this version was modified by someone else to disable the kill switch, and the job was done with a hex editor. Suiche also confirmed that the modified variant without a kill switch is corrupted, but that does not mean other hackers and criminals will not come up with a working one.
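The following is an added example (not from the article, from Suiche's analysis, or from the malware) of what a one-byte hex edit to the hard-coded domain does, both to the kill-switch outcome and to a string-based indicator of compromise. The "sample" is a constructed byte buffer standing in for the worm's data section, and the set of sinkholed domains is an assumption for the demo.

```python
import re
from typing import Optional

ORIGINAL_DOMAIN = b"www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
# Domains researchers have registered and sinkholed (constructed set for the demo).
SINKHOLED = {ORIGINAL_DOMAIN}

# Constructed stand-in for the worm's data section: padding, the URL, padding.
SAMPLE = b"\x00" * 16 + b"http://" + ORIGINAL_DOMAIN + b"\x00" * 16
DOMAIN_OFFSET = SAMPLE.index(ORIGINAL_DOMAIN)


def find_domain(blob: bytes) -> Optional[bytes]:
    """Pull the hard-coded host out of the first http:// URL in the buffer."""
    m = re.search(rb"http://([a-z0-9.-]+)", blob)
    return m.group(1) if m else None


def hex_patch(blob: bytes, offset: int, value: int) -> bytes:
    """Overwrite a single byte in place, as a hex editor would."""
    patched = bytearray(blob)
    patched[offset] = value
    return bytes(patched)


def kill_switch_effective(blob: bytes) -> bool:
    """True if the domain this sample checks is one a researcher has sinkholed."""
    return find_domain(blob) in SINKHOLED


def exact_ioc_hit(blob: bytes) -> bool:
    """Plain string indicator: does the original domain appear verbatim?"""
    return ORIGINAL_DOMAIN in blob


def fuzzy_ioc_hit(blob: bytes, max_diff: int = 2) -> bool:
    """Sliding-window match that tolerates up to max_diff edited bytes."""
    n = len(ORIGINAL_DOMAIN)
    for i in range(len(blob) - n + 1):
        window = blob[i:i + n]
        if sum(a != b for a, b in zip(window, ORIGINAL_DOMAIN)) <= max_diff:
            return True
    return False


def compare_variants() -> dict:
    """Original sample versus a one-byte hex-edited copy ('w' -> 'x')."""
    patched = hex_patch(SAMPLE, DOMAIN_OFFSET, ord("x"))
    return {
        "original": {
            "domain": find_domain(SAMPLE),
            "kill_switch_effective": kill_switch_effective(SAMPLE),
            "exact_ioc": exact_ioc_hit(SAMPLE),
            "fuzzy_ioc": fuzzy_ioc_hit(SAMPLE),
        },
        "patched": {
            "domain": find_domain(patched),
            "kill_switch_effective": kill_switch_effective(patched),
            "exact_ioc": exact_ioc_hit(patched),
            "fuzzy_ioc": fuzzy_ioc_hit(patched),
        },
    }


if __name__ == "__main__":
    for name, result in compare_variants().items():
        print(name, result)
```

Changing one byte of the domain is enough to point the check at a name nobody has registered, so the connection always fails and the worm always spreads; the same edit also defeats an exact-string indicator, which is why the fuzzy match is worth having. A copy that patches the branch after the check rather than the string would keep the original domain and pass the string indicator, so behavioural detection of the SMB scanning itself remains the more reliable signal.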
Even after the WannaCry attacks made headlines across the Internet and the media, there are still hundreds of thousands of unpatched systems out there that are exposed to the Internet and vulnerable.
"The worm functionality attempts to infect unpatched Windows machines in the local network. At the same time, it also executes massive scanning on Internet IP addresses to find and infect other vulnerable computers. This activity results in large SMB traffic from the infected host," Microsoft says.
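The "large SMB traffic from the infected host" that Microsoft describes is the behaviour a defender can look for. The following added example (not from Microsoft or from the article) counts distinct TCP/445 destinations per source over a constructed firewall log excerpt and flags hosts whose fan-out, inside the LAN and out to the Internet, looks like the worm's scanning. The log format, the internal address range and the threshold are assumptions for the demo.

```python
import ipaddress
from collections import defaultdict

# The organisation's own address space (assumption for the demo).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed firewall log excerpt (not real traffic). 10.0.5.17 behaves like
# an infected host: it touches many distinct hosts on TCP 445 both inside the
# LAN and on the Internet (203.0.113.0/24 is a documentation range).
# 10.0.5.40 is a normal client talking to two file servers.
TS = "2017-05-13T10:00:01Z"
LOG_LINES = (
    [f"{TS} src=10.0.5.17 dst=10.0.5.{n} dport=445 action=allow" for n in range(20, 26)]
    + [f"{TS} src=10.0.5.17 dst=203.0.113.{n} dport=445 action=deny" for n in range(1, 7)]
    + [
        f"{TS} src=10.0.5.40 dst=10.0.1.5 dport=445 action=allow",
        f"{TS} src=10.0.5.40 dst=10.0.1.6 dport=445 action=allow",
        f"{TS} src=10.0.5.40 dst=10.0.1.6 dport=445 action=allow",   # repeat, same target
        f"{TS} src=10.0.5.40 dst=203.0.113.9 dport=80 action=allow",  # web, not SMB
    ]
)


def parse_line(line: str) -> dict:
    """Split 'ts key=value key=value ...' into a dict."""
    ts, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    fields["ts"] = ts
    return fields


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def smb_fanout(lines) -> dict:
    """Distinct TCP/445 destinations per source, split internal vs external."""
    targets = defaultdict(lambda: {"internal": set(), "external": set()})
    for line in lines:
        f = parse_line(line)
        if f.get("dport") != "445":
            continue
        bucket = "internal" if is_internal(f["dst"]) else "external"
        targets[f["src"]][bucket].add(f["dst"])
    return {src: {k: len(v) for k, v in b.items()} for src, b in targets.items()}


def flag_scanners(lines, min_targets: int = 8) -> list:
    """Sources whose SMB fan-out exceeds what a client normally needs."""
    return sorted(
        src for src, c in smb_fanout(lines).items()
        if c["internal"] + c["external"] >= min_targets
    )


if __name__ == "__main__":
    print(smb_fanout(LOG_LINES))
    print("suspected SMB scanners:", flag_scanners(LOG_LINES))
```

A workstation rarely needs SMB sessions to more than a handful of servers, so distinct-destination count on port 445 is a cheap first filter; any non-zero external bucket is itself suspicious, since ordinary clients have no business speaking SMB to random Internet hosts. In production the count should be taken per time window rather than over a whole file, and the threshold tuned to the environment.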
WannaCry's success rate
Speaking to Britain's ITV, Europol chief Rob Wainwright said the whole world is facing an "escalating threat," warning that the numbers are going up and that people should make sure the security of their systems is up to date.
"We are running around 200 global operations against cyber crime each year, but we've never seen anything like this," Wainwright said, as quoted by BBC.
"The latest count is over 200,000 victims in at least 150 countries. Many of those victims will be businesses, including large corporations. The global reach is unprecedented."
This malware is still spreading across the Internet and taking down computers. Stay safe and protect yourself; you know the consequences. Take the time to read our steps for protecting yourself from the WannaCry ransomware. Stay tuned for more updates.