WannaCry 2.0

If you follow security news you have probably already read our earlier article, What is WannaCry? How to stop it. If you have not heard the term WannaCry yet, my frank suggestion is to take a few minutes to read that article first and then come back here for WannaCry 2.0. This is a serious issue, and you should know about the current threats that can do real damage to your PC.

Here is where things stood with the WannaCry ransomware before this article was written:

WannaCry is a fast-spreading ransomware worm and the topic of the moment among security researchers and tech geeks. It spreads using a Windows SMBv1 exploit from the toolkit leaked by the hacker group calling itself the Shadow Brokers (Microsoft fixed the underlying flaw in March 2017 as MS17-010), and it targets older and unpatched versions of Windows and Windows Server. So far more than 99 countries have been affected. Windows XP, 7 and 8 systems missing the MS17-010 fix are the main victims.

Hope spread when a young security researcher known as @MalwareTechBlog found an unregistered domain hard-coded in the ransomware and, by registering it, accidentally triggered the ‘kill-switch’ of the WannaCry worm.

But the happiness is not going to last long.

Reportedly, WannaCry kept spreading in the hours after the kill-switch was triggered. The number of infected PCs rose from 100,000 to 213,000 across 99 countries, and the new WannaCry 2.0 is reportedly infecting thousands more unpatched Windows machines.

Commenting on the SMB exploit, NSA whistleblower Edward Snowden said, “If NSA had privately disclosed the flaw used to attack hospitals when they *found* it, not when they lost it, this may not have happened.”

Not going to leave you easily: WannaCry 2.0 is coming

In our previous article and in this one, we have tried to explain WannaCry and its kill-switch. We also explained how MalwareTechBlog found the domain and temporarily stopped the ransomware from spreading globally. Sadly, stopping the worm does not repair systems that were already infected.

In its latest report on WannaCry 2.0, The Hacker News wrote:

That domain was responsible for keeping WannaCry propagating and spreading like a worm, but MalwareTech registered the domain in question and created a sinkhole – a tactic researchers use to redirect traffic from the infected machines to a self-controlled system.

If you are thinking that activating the kill switch has completely stopped the infection, then you are mistaken, because as soon as the attackers realised it, they came back.

The kill-switch feature was in the SMB worm, not in the ransomware module itself. “WannaCrypt ransomware was spread normally long before this and will be long after, what we stopped was the SMB worm variant.” MalwareTech told The Hacker News.

Kaspersky Lab has also confirmed that on Friday it found WannaCry samples that do not contain the kill-switch domain:

“I can confirm we’ve had versions without the kill switch domain connect since yesterday,”

MalwareTech also told THN that some “Mirai botnet skids tried to DDoS the [sinkhole] server for lulz,” aiming to make it unreachable for infected machines. The worm only stands down when its connection to the domain succeeds, so knocking the sinkhole offline would let the infection proceed; the same applies to hosts behind a proxy that cannot reach the domain directly. So far, though, the DDoS attack has “failed hardcore.”

So the conclusion is that we are going to see a new wave of attacks with WannaCry 2.0, which will no doubt be harder to KILL. The only real defence is to patch the systems that are still unpatched.

Matthew Hickey, a security expert, said, “The next attacks are inevitable, you can simply patch the existing samples with a hex editor and it’ll continue to spread. We will see a number of variants of this attack over the coming weeks and months so it’s important to patch hosts.”

The most serious issue is the lack of awareness. Even after WannaCry became a viral topic on the Internet and in the media, a great many systems are still waiting to be patched.

Hickey also said, “The worm can be modified to spread other payloads not just WCry and we may see other malware campaigns piggybacking off this sample’s success.”

Commenting on the ransomware and the SMB exploit, Microsoft said in a statement, “The worm functionality attempts to infect unpatched Windows machines in the local network. At the same time, it also executes massive scanning on Internet IP addresses to find and infect other vulnerable computers. This activity results in large SMB traffic from the infected host.”
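That "large SMB traffic" is the easiest thing to hunt for on the network: one host suddenly talking to dozens of distinct addresses on TCP/445, many of them outside the LAN. The script below is an added example written for this article (it is not code from the article, from Microsoft or from MalwareTech). It parses Windows Firewall log lines (pfirewall.log, W3C format, column names taken from the `#Fields:` header) and reports any source address whose outbound 445 connections fan out past a threshold; the log lines at the bottom are constructed for the demo, and the threshold of 20 distinct targets is an assumption to tune for your own environment.

```powershell
# Added example: not code from the original article or from Microsoft.
# Flags hosts whose outbound TCP/445 traffic fans out to many distinct
# destinations (the "large SMB traffic from the infected host" pattern).
# Assumed input: Windows Firewall log lines (pfirewall.log, W3C format with a
# '#Fields:' header). The sample log at the bottom is constructed for this demo.

function Test-PrivateIPv4 {
    param([string]$Ip)
    # RFC 1918 ranges; anything else is treated as an Internet address
    return ($Ip -match '^10\.' -or
            $Ip -match '^192\.168\.' -or
            $Ip -match '^172\.(1[6-9]|2[0-9]|3[01])\.')
}

function Find-Smb445Scanners {
    param(
        [Parameter(Mandatory)][string[]]$LogLines,
        [int]$MinDistinctTargets = 20   # threshold is an assumption; tune per site
    )
    $fields = $null
    $byHost = @{}
    foreach ($line in $LogLines) {
        if ($line -like '#Fields:*') {
            # Column names come from the header, so positions are not hard-coded
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#') -or -not $fields) { continue }
        $cols = $line -split '\s+'
        if ($cols.Count -lt $fields.Count) { continue }
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $cols[$i] }
        if ($row['protocol'] -ne 'TCP' -or $row['dst-port'] -ne '445') { continue }

        $src  = $row['src-ip']
        $dst  = $row['dst-ip']
        $when = '{0} {1}' -f $row['date'], $row['time']
        if (-not $byHost.ContainsKey($src)) {
            $byHost[$src] = @{
                Targets   = New-Object 'System.Collections.Generic.HashSet[string]'
                External  = 0
                Dropped   = 0
                FirstSeen = $when
                LastSeen  = $when
            }
        }
        $h = $byHost[$src]
        # HashSet.Add returns $true only for a destination not seen before
        if ($h.Targets.Add($dst) -and -not (Test-PrivateIPv4 $dst)) { $h.External++ }
        if ($row['action'] -eq 'DROP') { $h.Dropped++ }
        $h.LastSeen = $when
    }
    foreach ($src in $byHost.Keys) {
        $h = $byHost[$src]
        if ($h.Targets.Count -lt $MinDistinctTargets) { continue }
        [pscustomobject]@{
            SourceIp        = $src
            DistinctTargets = $h.Targets.Count
            ExternalTargets = $h.External
            DroppedAttempts = $h.Dropped
            FirstSeen       = $h.FirstSeen
            LastSeen        = $h.LastSeen
        }
    }
}

# Constructed sample: 10.0.0.5 sweeps thirty LAN addresses and five Internet
# addresses on 445 within two minutes; 10.0.0.9 makes one ordinary file-share connection.
$header = @(
    '#Version: 1.5',
    '#Software: Microsoft Windows Firewall',
    '#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path'
)
$lanSweep = 1..30 | ForEach-Object {
    '2017-05-12 10:15:{0:d2} ALLOW TCP 10.0.0.5 10.0.0.{1} {2} 445 52 S 0 0 0 - - - SEND' -f $_, (20 + $_), (49300 + $_)
}
$wanSweep = 1..5 | ForEach-Object {
    '2017-05-12 10:16:{0:d2} DROP TCP 10.0.0.5 203.0.113.{1} {2} 445 52 S 0 0 0 - - - SEND' -f $_, $_, (49400 + $_)
}
$benign = @('2017-05-12 10:17:00 ALLOW TCP 10.0.0.9 10.0.0.50 51000 445 52 S 0 0 0 - - - SEND')

Find-Smb445Scanners -LogLines ($header + $lanSweep + $wanSweep + $benign) | Format-Table -AutoSize
```

On the constructed sample only 10.0.0.5 is reported (35 distinct targets, 5 of them Internet addresses, 5 dropped); the single connection from 10.0.0.9 stays below the threshold. To run it against a real host, replace the constructed arrays with `Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"` after enabling firewall logging, or feed it the same fields exported from your perimeter firewall. A source that shows many DROPs against public addresses on 445 is the Internet-scanning behaviour Microsoft describes and should be isolated first, patched second.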

Matthew also published a demo of WannaCry 2.0, which you can watch on THN.

Matthew also warned that since WannaCry is a single executable file, it can also spread through the usual delivery vectors, such as spear phishing, drive-by downloads and malicious torrent downloads. So DO NOT DOWNLOAD OR RUN FILES FROM UNTRUSTED SOURCES.

What You Can Do At The Moment:

MalwareTech also warned: “It’s very important [for] everyone [to] understand that all they [the attackers] need to do is change some code and start again. Patch your systems now!”

“Informed NCSC, FBI, etc. I’ve done as much as I can do currently, it’s up to everyone to patch.”

Microsoft has also been generous and taken the unusual step of releasing an emergency security patch for versions it no longer supports: Windows XP, Windows 8 and Windows Server 2003. (Vista and Server 2008 were already covered by the regular March 2017 update, MS17-010.)

So you are strictly advised to take the following steps:

  1. Install the latest Windows security updates (at minimum the MS17-010 fix for your version).
  2. Disable SMBv1. On Windows 8.1 and 10: Control Panel -> Programs and Features -> Turn Windows features on or off -> uncheck "SMB 1.0/CIFS File Sharing Support" -> OK -> restart. Windows 7 and Server 2008 R2 have no such checkbox; there SMBv1 is switched off through the LanmanServer registry settings. Note that some very old devices (NAS boxes, printers, scanners) only speak SMBv1 and will stop working once it is off.
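Both steps can be checked and applied from an elevated PowerShell prompt. The script below is an added example written for this article, not code from the article or from Microsoft. It assumes PowerShell 3.0 or later; the KB identifiers it looks for are the March 2017 MS17-010 updates for Windows 7 / Server 2008 R2 (KB4012212 security-only, KB4012215 monthly rollup) and the May 2017 emergency patch for XP / Server 2003 / Windows 8 (KB4012598), so add the IDs for your other Windows versions from the MS17-010 bulletin. Later cumulative rollups supersede these IDs, which is why a miss is reported as "verify" rather than "unpatched".

```powershell
# Added example: not code from the original article or from Microsoft.
# Run in an elevated PowerShell (3.0 or later). Reports whether an MS17-010
# update is listed and whether SMBv1 is enabled, then offers to disable SMBv1.
# Assumptions: the KB list covers Windows 7 / Server 2008 R2 (KB4012212
# security-only, KB4012215 monthly rollup) and the May 2017 out-of-band patch for
# XP / Server 2003 / Windows 8 (KB4012598); add the IDs for your other versions
# from the MS17-010 bulletin. Later cumulative rollups supersede these IDs, so a
# miss means "verify", not "unpatched".

function Get-Ms17010Status {
    param([string[]]$KnownFixes = @('KB4012212', 'KB4012215', 'KB4012598'))
    $hotfixes = Get-HotFix
    $matched  = $hotfixes | Where-Object { $KnownFixes -contains $_.HotFixID }
    $newest   = $hotfixes | Where-Object { $_.InstalledOn } |
                Sort-Object InstalledOn -Descending | Select-Object -First 1
    [pscustomobject]@{
        Ms17010FixListed = [bool]$matched
        MatchedKBs       = ($matched | ForEach-Object { $_.HotFixID }) -join ','
        NewestUpdate     = if ($newest) { '{0} ({1:d})' -f $newest.HotFixID, $newest.InstalledOn } else { 'none' }
    }
}

function Get-Smb1Status {
    # Server side: Windows 8 / Server 2012 and later have Get-SmbServerConfiguration;
    # Windows 7 / Server 2008 R2 only expose the LanmanServer SMB1 registry value,
    # which defaults to enabled when absent. Client side: the mrxsmb10 driver's
    # Start value (4 = disabled).
    $srvKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $serverEnabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $v = (Get-ItemProperty -Path $srvKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        $serverEnabled = ($null -eq $v) -or ($v -ne 0)
    }
    $start = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10' -Name Start -ErrorAction SilentlyContinue).Start
    [pscustomobject]@{
        Smb1ServerEnabled = [bool]$serverEnabled
        Smb1ClientEnabled = ($null -ne $start) -and ($start -ne 4)
    }
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
            -Name SMB1 -Type DWord -Value 0 -Force
    }
    # Client side, all versions: drop the SMB1 redirector from the workstation
    # service's dependencies and disable its driver (Microsoft's documented procedure).
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
    # Windows 8.1 / 10 also ship SMB1 as an optional feature; remove it where present.
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
    }
    Write-Warning 'Restart the machine for the client-side change to take effect.'
}

Get-Ms17010Status
Get-Smb1Status
# Disable-Smb1   # run only after confirming nothing still needs SMBv1 (old NAS boxes, printers, scanners)
```

Run the two status functions first across your fleet (for example through `Invoke-Command` against a list of hosts) and deal with any machine that reports `Smb1ServerEnabled` as true and no MS17-010 fix. `Disable-Smb1` is left commented out on purpose: it is the right end state, but an old NAS or multifunction printer that only speaks SMBv1 will go dark the moment it is applied, so confirm what still depends on the protocol before switching it off. Patching is the fix that actually closes the hole; disabling SMBv1 removes the exposed surface in case the next variant uses a different exploit against the same protocol.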

As we keep saying, this is a serious security threat. Do not underestimate it.

Thank you for your time. We hope you stay protected.