14 May

It’s Not Over, WannaCry 2.0 Ransomware Just Arrived With No 'Kill-Switch'

For those unaware, WannaCry is a fast-spreading ransomware worm. It uses a Windows SMB exploit to compromise computers and servers running unpatched or unsupported versions of Windows, and then propagates itself, worm-like, to other vulnerable systems on the internal network.

The SMB exploit is known as EternalBlue, one of a collection of hacking tools allegedly created by the NSA and subsequently dumped by a hacking group calling itself "The Shadow Brokers" about a month ago. The underlying SMBv1 vulnerability was patched by Microsoft in March 2017 (security bulletin MS17-010), so the machines exposed are those that have not applied that update or that run Windows versions Microsoft no longer supports.

"If NSA had privately disclosed the flaw used to attack hospitals when they *found* it, not when they lost it, this may not have happened" NSA whistleblower Edward Snowden says.

No, It's Not Over Yet: WannaCry 2.0 Is on the Hunt

The kill-switch feature was in the SMB worm, not in the ransomware module itself. "WannaCrypt ransomware was spread normally long before this and will be long after, what we stopped was the SMB worm variant," MalwareTech told The Hacker News.

"I can confirm we've had versions without the kill switch domain connect since yesterday," The Hacker News was told via messages.

"The next attacks are inevitable, you can simply patch the existing samples with a hex editor and it'll continue to spread. We will see a number of variants of this attack over the coming weeks and months so it's important to patch hosts," Matthew Hickey, a security expert and co-founder of Hacker House, told The Hacker News.

"The worm can be modified to spread other payloads not just WCry and we may see other malware campaigns piggybacking off this sample's success," Hickey added.

"The worm functionality attempts to infect unpatched Windows machines in the local network. At the same time, it also executes massive scanning on Internet IP addresses to find and infect other vulnerable computers. This activity results in large SMB traffic from the infected host," Microsoft says.
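The scanning behaviour Microsoft describes is exactly what a defender can hunt for: one host opening connections to many distinct peers on TCP/445 within a short time, first on the local network and then towards Internet addresses. The script below is an added example written for this page, not code from The Hacker News, Microsoft or any of the researchers quoted. It runs offline over a constructed set of flow records (the record format, the 60-second window, the 10-target threshold and the use of RFC 1918 and TEST-NET-3 addresses are all assumptions) and reports each source whose distinct TCP/445 targets inside any window reach the threshold, split into internal and Internet destinations.

```python
"""Flag hosts that behave like an SMB worm: many distinct TCP/445 targets
from one source inside a short sliding window.  Added example; the log
format and thresholds are assumptions, not a vendor's detection logic."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import ipaddress

# Assumed definition of "internal" (RFC 1918 ranges).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("172.16.0.0/12"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample flow records (not real captures), one per line:
# "<ISO 8601 time> <src> <dst> <dport> <proto>"
SAMPLE_LOG = (
    # benign: a workstation talking to a single file server
    ["2017-05-14T08:00:%02d 10.0.0.50 10.0.0.5 445 TCP" % s for s in range(0, 50, 10)]
    # benign: web browsing, not SMB
    + ["2017-05-14T08:00:05 10.0.0.51 203.0.113.80 443 TCP"]
    # suspect: 10.0.0.7 sweeps 16 local hosts on 445 within 16 seconds ...
    + ["2017-05-14T08:00:%02d 10.0.0.7 10.0.0.%d 445 TCP" % (i, 10 + i) for i in range(16)]
    # ... and then probes Internet addresses (TEST-NET-3 used as a stand-in)
    + ["2017-05-14T08:00:%02d 10.0.0.7 203.0.113.%d 445 TCP" % (20 + i, 1 + i) for i in range(5)]
)


def parse_line(line):
    """Parse one record into (datetime, src, dst, dport, proto)."""
    ts, src, dst, dport, proto = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), proto


def is_internal(ip):
    """True if the address falls inside one of the assumed internal ranges."""
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


def find_smb_scanners(lines, window_seconds=60, min_targets=10):
    """Return {src: (peak_distinct_targets, internal_targets, internet_targets)}
    for every source that reached at least min_targets distinct hosts on
    TCP/445 inside some window of window_seconds."""
    per_src = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = parse_line(line)
        if proto == "TCP" and dport == 445:
            per_src[src].append((ts, dst))

    window = timedelta(seconds=window_seconds)
    findings = {}
    for src, events in per_src.items():
        events.sort()                 # oldest first
        in_window = Counter()         # dst -> hits currently inside the window
        start = 0                     # index of the oldest event still in the window
        peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Evict events older than window_seconds before this one.
            while events[start][0] < ts - window:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            targets = {dst for _, dst in events}
            internal = sum(1 for t in targets if is_internal(t))
            findings[src] = (peak, internal, len(targets) - internal)
    return findings


if __name__ == "__main__":
    for src, (peak, internal, external) in find_smb_scanners(SAMPLE_LOG).items():
        print("%s: %d distinct TCP/445 targets in a window (%d internal, %d Internet)"
              % (src, peak, internal, external))
```

The detection keys on sources, so a busy file server (many clients connecting to it) is not flagged; a legitimate vulnerability scanner or patch-audit host will be, and should be allow-listed rather than used as a reason to raise the threshold. The split between internal and Internet targets matters because the worm does both, and an internal-only sweep can also be a misconfigured backup or inventory job.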

Demo of WannaCry Ransomware Infection


Get Prepared: Install Security Patches & Disable SMBv1

MalwareTech also warned: "It's very important [for] everyone [to] understand that all they [the attackers] need to do is change some code and start again. Patch your systems now!"
"Informed NCSC, FBI, etc. I've done as much as I can do currently, it's up to everyone to patch." 

Last modified on Sunday, 14 May 2017 08:55