# WannaCry Roars Back After Killing the Kill Switch


The WannaCry global ransomware pandemic has a new wrinkle: After being stopped in its tracks over the weekend thanks to a built-in kill switch, new variants are popping up that don’t contain that failsafe—meaning the scourge shows no sign of slowing.

A 22-year-old British security researcher who goes by “MalwareTech” appeared to have saved the day over the weekend when he discovered the kill switch built into WannaCry and found a way to trigger it, allowing the outbreak to be contained almost immediately.

The ransomware kept spreading because the domain it checked was unregistered: the kill switch was hardcoded into the malware in case the creator wanted to stop it spreading. Before propagating, the malware makes a request to a very long, nonsensical domain name, just as if it were looking up any website. If the request gets a response, meaning the domain is live, the kill switch takes effect and the malware stops spreading; if the domain does not answer, it carries on.

In collaboration with Proofpoint, MalwareTech triggered the kill switch by registering the domain name, which stopped the spread. The registration cost him $10.69.

However, it took about a day for bad actors to hit back with ransomware versions that have no such measure built in. The Uiwix ransomware, for instance, began to spread over the weekend by exploiting the same Windows SMBv1 vulnerability that WannaCry uses. It also has self-replicating (worm) capabilities, as WannaCry does, and otherwise works the same way as other ransomware variants.

Two other variants, direct descendants of WannaCry, also tamper with the kill switch, one redirecting it and one removing it. Neither has had the same impact as its ancestor.

“As of yesterday, two additional variants of WannaCry ransomware had appeared,” said Ryan Kalember, SVP of Cybersecurity Strategy at Proofpoint, via email. “These appear to be patched versions of the original malware, rather than recompiled versions developed by the original authors. The first variant, WannaCry 2.0(a), pointed its ‘kill switch’ to a different internet domain, which was also promptly registered and effectively sinkholed, stopping its spread. The second variant, WannaCry 2.0(b), had the kill switch functionality removed, thus enabling it to propagate, but the ransomware payload fails to properly deploy, causing no direct impact to targeted systems.”
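To make the kill-switch logic described above, and the two variants Kalember describes, concrete, here is a small Python model. It is an added example written for this page, not WannaCry's code and not derived from any sample: the domain names are placeholders (the real kill-switch domain is not reproduced), the `probe` callable stands in for the worm's outbound HTTP request, and the DNS log lines are constructed. It also shows the check a defender would actually run: any host that queried a kill-switch domain has executed the malware, even if the sinkhole then stopped it spreading.

```python
"""Toy model of a domain-based kill switch and its removal/redirection.

Constructed illustration; not malware code. Domains are placeholders.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple

# Placeholder stand-ins for the long nonsensical domains (assumption:
# the real names are not reproduced here).
KILL_SWITCH_DOMAIN = "original-kill-switch-placeholder.invalid"
SECOND_DOMAIN = "redirected-kill-switch-placeholder.invalid"

# A probe returns True if an HTTP request to the domain gets an answer,
# i.e. the domain is registered and live (sinkholed), False otherwise.
Probe = Callable[[str], bool]


@dataclass(frozen=True)
class Variant:
    name: str
    kill_switch_domain: Optional[str]  # None means the check was removed
    payload_works: bool = True         # 2.0(b)'s payload fails to deploy


# The three samples discussed in the article, as described there.
VARIANTS = (
    Variant("original", KILL_SWITCH_DOMAIN),
    Variant("2.0(a)", SECOND_DOMAIN),
    Variant("2.0(b)", None, payload_works=False),
)


def worm_should_spread(variant: Variant, probe: Probe) -> bool:
    """Mirror the kill-switch logic: if the domain answers, stop.

    Note the inversion from what a defender might expect: a *successful*
    request disables the worm, a failed request lets it propagate.
    A variant with the check removed never consults the probe at all.
    """
    if variant.kill_switch_domain is None:
        return True
    return not probe(variant.kill_switch_domain)


def make_probe(registered: Set[str]) -> Probe:
    """Simulate the internet: only registered (sinkholed) domains answer."""
    return lambda domain: domain.lower() in registered


def simulate(variants, registered: Set[str]) -> Dict[str, Tuple[bool, bool]]:
    """Return {variant name: (spreads, encrypts)} for a given set of
    registered domains."""
    probe = make_probe({d.lower() for d in registered})
    outcome = {}
    for v in variants:
        spreads = worm_should_spread(v, probe)
        outcome[v.name] = (spreads, spreads and v.payload_works)
    return outcome


# Constructed DNS resolver log: "<timestamp> <client> query <type> <qname>".
CONSTRUCTED_DNS_LOG = """\
2017-05-12T10:02:11Z 10.0.3.17 query A original-kill-switch-placeholder.invalid
2017-05-12T10:02:12Z 10.0.3.17 query A update.example.com
2017-05-12T10:03:40Z 10.0.7.2 query A www.example.org
2017-05-12T10:05:03Z 10.0.9.44 query A redirected-kill-switch-placeholder.invalid.
"""


def hosts_that_queried(log_text: str, domains: Set[str]) -> Set[str]:
    """Defender's check: clients that looked up a kill-switch domain ran
    the sample, whether or not the sinkhole then stopped it."""
    wanted = {d.lower() for d in domains}
    hosts = set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "query":
            continue  # skip lines that are not in the expected shape
        client, qname = parts[1], parts[4].rstrip(".").lower()
        if qname in wanted:
            hosts.add(client)
    return hosts


if __name__ == "__main__":
    print("before registration:", simulate(VARIANTS, set()))
    print("after sinkholing both:",
          simulate(VARIANTS, {KILL_SWITCH_DOMAIN, SECOND_DOMAIN}))
    print("infected hosts:",
          hosts_that_queried(CONSTRUCTED_DNS_LOG,
                             {KILL_SWITCH_DOMAIN, SECOND_DOMAIN}))
```

Registering the original domain alone stops only the original sample; 2.0(a) keeps spreading until its own domain is registered, and 2.0(b) spreads regardless, which is exactly why the kill switch is a lucky break rather than a defense, and why patching, not sinkholing, is the fix.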

That said, there is no indication that the offensive is slowing, and new variants are sure to show up in the coming hours, days and weeks. It therefore remains critical that all organizations immediately ensure they have the latest patches deployed and backups ready to restore in the event of a ransomware attack. Europol has confirmed that the threat is still escalating and the number of infections is growing: it has now affected “more than 200,000 victims in 150 countries.”

“We reckon that this is the first of many variants to follow, which will aim to exploit this vulnerability and infect as many devices as possible until the necessary patch is applied,” said Andra Zaharia, security specialist with Heimdal Security. “With no dial back option to block, the only way of protecting against it at the moment is to patch the affected operating systems.” 
