After researchers managed to stop the recent WannaCry ransomware outbreak by registering domains that function as kill-switches, a variant of the malware that no longer uses this function has emerged, security researchers warn.
WannaCry, also referred to as WanaCrypt0r, WannaCrypt, Wana Decrypt0r, and WCry, managed to wreak havoc worldwide over the past three days, hitting hospitals, ISPs, banks, government agencies, and carmakers, among others. The attacks started to propagate fast on Friday, with Europe hit hardest, and Europol immediately set up a task force to assist in the investigation.
The threat managed to spread fast because of a worm component that abuses two recently disclosed NSA exploits targeting Windows. The first, EternalBlue, is abused to penetrate vulnerable machines, while the second, the DoublePulsar backdoor, is used to load the relevant payload DLL during exploitation.
Once it has infected a computer, the malware starts connecting to random IP addresses on port 445, which is used by Server Message Block (SMB), and uses this venue to propagate itself to other computers on the network. This also means that, the more computers are infected, the faster the malware can spread to new ones.
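The propagation pattern described above, one host opening connections to many distinct addresses on TCP/445 in a short time, is something a defender can look for in perimeter or host firewall logs. The following is an added example, not code from the article or from any of the researchers quoted in it: the log format, the one-minute window and the threshold of 20 distinct destinations are assumptions chosen for illustration, and the sample log lines are constructed.

```python
"""Flag hosts showing worm-style SMB fan-out (many distinct peers on TCP/445).

Added illustration; log format, window and threshold are assumed, not taken
from the article. A normal workstation talks to a handful of file servers;
a host sweeping random addresses on 445 contacts dozens within seconds.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445


def build_sample_log():
    """Constructed log: 10.0.0.5 probes 30 distinct addresses on 445 within
    half a minute (worm-like), while 10.0.0.8 only talks to two file servers."""
    base = datetime(2017, 5, 12, 10, 0, 0)
    lines = []
    for i in range(30):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 10.0.0.5 203.0.113.{i + 1} {SMB_PORT} DROP")
    for i in range(30):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 10.0.0.8 10.0.0.{20 + (i % 2)} {SMB_PORT} ALLOW")
    return lines


def parse_line(line):
    """Assumed format: '<iso-timestamp> <src> <dst> <dport> <action>'."""
    ts, src, dst, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), action


def find_smb_fanout(lines, window=timedelta(seconds=60), threshold=20):
    """Return {src: max_distinct_destinations} for every source that reached at
    least `threshold` distinct hosts on TCP/445 inside any `window`-long span.
    Both allowed and dropped attempts count: the scan itself is the signal."""
    events = defaultdict(list)
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ts, src, dst, dport, _ = parse_line(raw)
        if dport == SMB_PORT:
            events[src].append((ts, dst))

    flagged = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {dst for _, dst in evs[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    for host, count in find_smb_fanout(build_sample_log()).items():
        print(f"{host}: {count} distinct SMB peers in one window")
```

Tune the window and threshold to the environment: a backup server or vulnerability scanner legitimately touches many hosts on 445, so such sources belong on an allow-list rather than in the alert queue.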
The EternalBlue vulnerability was patched by Microsoft with its March 2017 security updates (the MS17-010 patch), but only on supported platforms. Because of the severity of the ransomware outbreak, Microsoft issued an emergency patch for older Windows versions that no longer receive mainstream support: Windows XP, Windows 8, and Windows Server 2003.
Because many companies (and end users alike) fail to install operating system updates immediately after they are issued, chances are that the remedy won’t be immediately effective. What did help prevent the ransomware from running its malicious routines and from spreading further, however, was the registration of a domain used by the malware.
Security researcher @MalwareTech noticed that the malware was making calls to a “long nonsensical domain name” and decided to register it, only to discover later that doing so had stopped the spreading. WannaCry would beacon to the domain before starting its malicious routine, but did not expect a response, given that the domain wasn’t registered. If a response did come and the domain was alive, however, the threat would terminate execution and no longer infect the machine.
The use of such a domain was supposedly meant to help the malware avoid sandbox analysis, Bitdefender e-threat analyst Bogdan Botezatu told SecurityWeek. When it detects requests to a domain that doesn’t exist, the sandbox creates the domain on the fly to capture the traffic the malware would generate. To prevent that, malicious programs terminate when receiving a response, as that is an indicator of a sandbox being used.
When the security researcher registered the domain (which was hardcoded in the malware), WannaCry started treating all newly compromised machines as sandboxes and terminated the infection routine (but that didn’t help those already infected). This hardcoded domain was called “kill-switch” and proved highly effective in stopping the threat, yet it didn’t take long before new variants that used different kill-switch domains started making the rounds.
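The beacon behaviour described above also gives incident responders a useful signal in DNS logs: a host that looked up the kill-switch domain ran the sample, and whether the lookup returned NXDOMAIN (before the domain was registered) or an answer (after) tells the responder whether the check would have stopped the infection routine. The following is an added example, not code from the article: the domain name is a placeholder rather than the real kill-switch domain, the log format is assumed, and the sample lines are constructed.

```python
"""Triage DNS logs for beacons to a WannaCry-style kill-switch domain.

Added illustration. KILL_SWITCH_DOMAIN is a placeholder (the real domain is
not reproduced here) and the log format is assumed. Interpretation follows
the article: a query answered NXDOMAIN means the domain was unregistered at
the time, so the sample carried on; an answered query means the sample
treated the host as a sandbox and exited before encrypting anything.
"""
KILL_SWITCH_DOMAIN = "killswitch-placeholder.example"  # placeholder, not real

# Verdict labels, worst first, so a host seen in both states keeps the worse one.
RAN_UNCHECKED = "ran_unchecked"            # beacon got NXDOMAIN: routine continued
ABORTED = "aborted_by_killswitch"          # beacon got an answer: routine exited
SEVERITY = {RAN_UNCHECKED: 2, ABORTED: 1}

# Constructed resolver log: '<iso-timestamp> <client> query <type> <name> <rcode>'
SAMPLE_DNS_LOG = """\
2017-05-12T09:58:10 10.0.0.5 query A killswitch-placeholder.example NXDOMAIN
2017-05-12T09:58:11 10.0.0.5 query A update.example.net NOERROR
2017-05-12T14:30:02 10.0.0.7 query A killswitch-placeholder.example NOERROR
2017-05-12T14:30:05 10.0.0.8 query A www.example.org NOERROR
2017-05-12T15:02:40 10.0.0.7 query A Killswitch-Placeholder.example NOERROR
"""


def parse_dns_line(line):
    """Return (timestamp, client, qname, rcode) for one assumed-format line."""
    ts, client, _kw, _qtype, qname, rcode = line.split()
    return ts, client, qname.rstrip(".").lower(), rcode


def triage_killswitch(lines, domain=KILL_SWITCH_DOMAIN):
    """Map each client that queried `domain` to a verdict. Hosts that never
    queried it are absent from the result; hosts seen with both NXDOMAIN and
    an answer are reported with the worse verdict (RAN_UNCHECKED)."""
    domain = domain.lower()
    verdicts = {}
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        _ts, client, qname, rcode = parse_dns_line(raw)
        if qname != domain:
            continue
        verdict = RAN_UNCHECKED if rcode == "NXDOMAIN" else ABORTED
        current = verdicts.get(client)
        if current is None or SEVERITY[verdict] > SEVERITY[current]:
            verdicts[client] = verdict
    return verdicts


if __name__ == "__main__":
    for host, verdict in triage_killswitch(SAMPLE_DNS_LOG.splitlines()).items():
        print(f"{host}: {verdict}")
```

Either verdict warrants a response: the "aborted" hosts still executed the dropper and should be patched and cleaned, while the "ran unchecked" hosts are the ones to isolate first, since the worm component will have begun scanning from them.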
To make matters worse, variations without the kill-switch have also emerged, though some of them appear to feature a corrupted ransomware archive, meaning that users’ files don’t end up being encrypted. Others, however, refute such claims, suggesting that this only applies to the ransomware payload, which lacks the spreading wrapper.
During a phone call with SecurityWeek, Bogdan Botezatu said the “no kill-switch” variation he observed is actually the original ransomware that has been patched with the help of a hex editor. Basically, code was added to ensure the kill-switch routine is skipped during infection, and the difference between the normal variant and the “no kill-switch” one is of only 2 bytes, he says.
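A two-byte in-place patch of the kind described above is easy to confirm during triage by comparing the two samples byte for byte, and the comparison also shows why a hash-based indicator for the original sample says nothing about the patched one. The following is an added example, not code from the article or from Bitdefender: the two byte strings are constructed stand-ins, not WannaCry bytes, and the offset of the change is arbitrary.

```python
"""Locate the bytes that differ between two near-identical samples.

Added illustration with constructed input; the real samples and the real
offset of the kill-switch patch are not reproduced. An in-place hex-editor
patch keeps the file length, so unequal lengths are treated as an error
rather than silently diffed.
"""
import hashlib

# Constructed stand-ins: 64 bytes of filler, and a copy with 2 bytes changed
# at offset 40 (the offset and values are arbitrary, not from the article).
ORIGINAL = bytes(range(64))
_patched = bytearray(ORIGINAL)
_patched[40:42] = b"\xff\xfe"
PATCHED = bytes(_patched)


def byte_diff_runs(a, b):
    """Return [(offset, bytes_in_a, bytes_in_b), ...], one entry per
    contiguous run of differing bytes, in ascending offset order."""
    if len(a) != len(b):
        raise ValueError("samples differ in length; not an in-place patch")
    runs = []
    i, n = 0, len(a)
    while i < n:
        if a[i] == b[i]:
            i += 1
            continue
        j = i
        while j < n and a[j] != b[j]:
            j += 1
        runs.append((i, a[i:j], b[i:j]))
        i = j
    return runs


def summarize(a, b):
    """Hashes of both samples plus the total number of changed bytes, so the
    report shows that a tiny edit yields completely unrelated SHA-256 values."""
    runs = byte_diff_runs(a, b)
    return {
        "sha256_a": hashlib.sha256(a).hexdigest(),
        "sha256_b": hashlib.sha256(b).hexdigest(),
        "bytes_changed": sum(len(r[1]) for r in runs),
        "runs": runs,
    }


if __name__ == "__main__":
    report = summarize(ORIGINAL, PATCHED)
    print(f"sha256 original: {report['sha256_a']}")
    print(f"sha256 patched:  {report['sha256_b']}")
    for offset, before, after in report["runs"]:
        print(f"offset {offset:#x}: {before.hex()} -> {after.hex()}")
    print(f"{report['bytes_changed']} byte(s) changed")
```

For defenders the lesson is the hash pair in the report: both files are the same program, yet a file-hash blocklist built from one will not match the other, which is why behavioural indicators such as the SMB scanning and the kill-switch beacon hold up better across variants.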
While he couldn’t attribute the WannaCry attacks to a specific individual or group of cybercriminals, Botezatu did say that the same actor appears to be operating both variants (with and without kill-switch) of the ransomware.
“There are some samples that don’t come with the kill-switch domain. Both versions (kill-switch enabled and non-kill-switch) are operated by the same gang as the Bitcoin wallets harvesting the ransom are the same,” he said.
Although over 200,000 machines have been infected to date, the WannaCry authors have made an estimated $40,000 so far, an analysis of the known wallets reveals. That might not seem like much, but the fact that the outbreak happened over the weekend certainly had something to do with it. Now that the weekend is over, the number of payments made to the associated Bitcoin addresses could increase.
As it turns out, the worm component in this malware – the one responsible for the outbreak – is what made the threat stand out, but the ransomware component is nothing to write home about and doesn’t display the same level of sophistication as Locky, Cerber, or Jaff. Initially spotted by Malwarebytes researcher S!Ri in early February, WannaCry previously used email spam and malware droppers for distribution.
The ransomware is believed to be the work of an inexperienced group, mainly because only three Bitcoin addresses are being used to collect payments, meaning that the actors will have a hard time knowing who paid the ransom and who didn’t. The ransomware, however, doesn’t include flaws that researchers could use to decrypt victims’ files for free, at least not just yet.
“The ransomware component is not something out of the ordinary. On the contrary, the presence of a kill-switch and the nearly-identical implementation of the EternalBlue wormable feature with an open-source project hints that the operators are opportunistic attackers [rather] than veteran malware operators,” Botezatu said.
“This family of ransomware is something that may be hot today, but the exploitation avenue will be used by all cyber-crime operators to plant all sorts of malware. Step zero here for all Windows users would be to install the hotfix dealing with MS17-010, followed by the installation of an anti-malware solution, if they don’t have any. Last, but not least, as we’re talking about ransomware, users should take regular backups of their data so they have something to restore from if they fall victim,” he concluded.