If you are following the news, by now you might be aware that a security researcher has activated a “Kill Switch” which apparently stopped the WannaCry ransomware from spreading further.
But it’s not true, neither the threat is over yet.
However, the kill switch has just slowed down the infection rate.
Moreover, multiple security researchers have claimed that more samples of WannaCry are in the wild without ‘kill-switch’ domain connect function, referred as WannaCry 2.0, and still infecting unpatched computers worldwide.
So far, over 213,000 computers across 99 countries around the world have been infected, and the infection is still rising even hours after the kill switch was triggered by the 22-years-old British security researcher behind the twitter handle ‘MalwareTech.’
For those unaware, WannaCry is an insanely fast-spreading ransomware malware that leverages a Windows SMB exploit to remotely target a computer running on unpatched or unsupported versions of Windows.
Once infected, WannaCry also scans for other vulnerable computers connected to the same network, as well scans random hosts on the wider Internet, to spread quickly.
The SMB exploit, currently being used by WannaCry, has been identified as EternalBlue, a collection of hacking tools allegedly created by the NSA and then subsequently dumped by a hacking group calling itself “The Shadow Brokers” over a month ago.
“If NSA had privately disclosed the flaw used to attack hospitals when they *found* it, not when they lost it, this may not have happened,” NSA whistleblower Edward Snowden says.
Kill-Switch for WannaCry? No, It’s not over yet!
In our previous two articles, we have put together more information about this massive ransomware campaign, explaining how MalwareTech accidentally halted the global spread of WannaCry by registering a domain name hidden in the malware.
The above-mentioned domain is responsible for keeping WannaCry propagating and spreading like a worm, as I previously explained that if the connection to this domain fails, the SMB worm proceeds to infect the system.
Fortunately, MalwareTech registered this domain in question and created a sinkhole – tactic researchers use to redirect traffic from the infected machines to a self-controlled system. (read his latest blog post for more details)
But, if you are thinking that activating the kill switch has completely stopped the infection, then you are mistaken.
Since the kill-switch feature was in the SMB worm, not in the ransomware module itself., “WannaCrypt ransomware was spread normally long before this and will be long after, what we stopped was the SMB worm variant,” MalwareTech told The Hacker News.
You should know that the kill-switch would not prevent your unpatched PC from getting infected, in the following scenarios:
- If you receive WannaCry via an email, a malicious torrent, or other vectors (instead of SMB protocol).
- If by chance your ISP or antivirus or firewall blocks access to the sinkhole domain.
- If the targeted system requires a proxy to access the Internet, which is a common practice in the majority of corporate networks.
- If someone makes the sinkhole domain inaccessible for all, such as by using a large-scale DDoS attack.
MalwareTech also confirmed THN that some “Mirai botnet skids tried to DDoS the [sinkhole] server for lulz,” in order to make it unavailable for WannaCry SMB exploit, which triggers infection if the connection fails. But “it failed hardcore,” at least for now.
WannaCry 2.0, Ransomware without Kill-Switch is on Hunt!
Initially, this part of story was based on research of a security researcher, who earlier claimed to have the samples of new WannaCry ransomware that comes with no kill-switch function. But for some reason, he backed off. So, we have removed his references from this story for now.
However, shortly after that, we were confirmed by Costin Raiu, the director of global research and analysis team at Kaspersky Labs, that his team had seen more WannaCry samples on Friday that did not have the kill switch.
“I can confirm we’ve had versions without the kill switch domain connect since yesterday,” told The Hacker News.
So, expect a new wave of ransomware attacks, with an updated WannaCry variant, which would be difficult to stop, until and unless all vulnerable systems get patched.
“The next attacks are inevitable, you can simply patch the existing samples with a hex editor and it’ll continue to spread,” Matthew Hickey, a security expert and co-founder of Hacker House told me.
“We will see a number of variants of this attack over the coming weeks and months so it’s important to patch hosts. The worm can be modified to spread other payloads not just WCry and we may see other malware campaigns piggybacking off this samples success.”
Even after WannaCry attacks made headlines all over the Internet and Media, there are still hundreds of thousands of unpatched systems out there that are open to the Internet and vulnerable to hacking.
“The worm functionality attempts to infect unpatched Windows machines in the local network. At the same time, it also executes massive scanning on Internet IP addresses to find and infect other vulnerable computers. This activity results in large SMB traffic from the infected host,” Microsoft says.
Believe me, the new strain of WannaCry 2.0 malware would not take enough time to take over another hundred of thousand vulnerable systems.
Video Demo of WannaCry Ransomware Infection
Hickey has also provided us two video demonstrations, showing packet traces that confirm the use of Windows SMB vulnerability (MS17-010).
And Second one…
Since WannaCry is a single executable file, it can also be spread through other regular exploit vectors, such as spear phishing, drive-by-download attack, and malicious torrent files download, warned Hickey.
Get Prepared: Upgrade, Patch OS & Disable SMBv1
MalwareTech also warned of the future threat, saying “It’s very important [for] everyone [to] understand that all they [the attackers] need to do is change some code and start again. Patch your systems now!”
“Informed NCSC, FBI, etc. I’ve done as much as I can do currently, it’s up to everyone to patch,” he added.
As we notified today, Microsoft took an unusual step to protect its customers with an unsupported version of Windows — including Windows XP, Vista, Windows 8, Server 2003 and 2008 — by releasing security patches that fix SMB flaw currently being exploited by the WannaCry ransomware.
Even after this, I believe, many individuals remain unaware of the new patches and many organizations, as well as embedded machines like ATM and digital billboard displays, running on older or unpatched versions of Windows, who are considering to upgrade their operating system, would take time as well as it’s going to cost them money for getting new licenses.
— The Hacker News (@TheHackersNews) May 13, 2017
So, users and organizations are strongly advised to install available Windows patches as soon as possible, and also consider disabling SMBv1 (follow these steps), to prevent similar future cyber attacks.
For god sake: Apply Patches. Microsoft has been very generous to you.
Almost all antivirus vendors have already been added signatures to protect against this latest threat. Make sure you are using a good antivirus, and keep it always up-to-date.
Moreover, you can also follow some basic security practices I have listed to protect yourself from such malware threats.
This story is still updating, stay tuned to our Twitter page for more up-to-date information.