The WannaCry global ransomware epidemic does not appear to be weakening anytime soon, as security researchers spotted two new variants of the malware just yesterday.
The ransomware was stopped over the weekend thanks to British cybersecurity researcher, MalwareTech, when he uncovered a way to create a kill switch within WannaCry.
According to MalwareTech, the ransomware was infecting users because of its connection to an unregistered domain and the kill switch was hardcoded into the malware in case the author wanted to stop it from spreading. This involved a very long, illogical domain name that the malware makes a request to as if it was looking up any website. If the request comes back showing the domain is live then the kill switch kicks in and the malware quits spreading.
MalwareTech implemented the kill switch by registering the domain name and stopping the spread of the malware, costing him only $10.69 to do so. But we’re not out of the woods yet; cybercriminals have already developed two newer versions of the malware without a kill switch built in. While these are said to not have the same impact as the original, it’s important to note that these criminals do not appear to be slowing down.
According to Ryan Kalember, SVP of Cybersecurity at Proofpoint, “These appear to be patched versions of the original malware, rather than recompiled versions developed by the original authors. The first variant, WannaCry 2.0(a), pointed its “kill switch” to a different internet domain—which was also promptly registered and effectively sink-holed, stopping its spread. The second variant, WannaCry 2.0(b), had the kill switch functionality removed, thus enabling it to propagate—but the ransomware payload fails to properly deploy, causing no direct impact to targeted systems.”
Europol has confirmed that this threat is still ongoing and the number of infections will continue to grow, as more than 200,000 victims in 150 countries have been infected already.
At times like this, it’s worth noting the importance of covering the basics of security and adopting existing, known best practice. NNT recommends the CIS critical controls as a basis for sound cybersecurity. NNT also has several Ransomware Mitigation Kits, comprising the necessary automated vulnerability checks and also the Group Policy/Puppet templates to automatically fix any weaknesses identified. To learn more or to request your own personalized ransomware mitigation kit, click here