One new wave stopped today but the worst is yet to come
UPDATE: Latest development (15May): Attribution and links to Lazarus Group
UPDATE2: Decrypting files
As a follow-up article on WannaCry, I will give a short brief about the new variants found in the wild, not for experimentation but on infected machines today.
In short, one is a false positive some researchers uploaded to virustotal.com and the other is legit but we stopped it when I registered the new kill-switch domain name.
Update: At the time the tweet below was posted, the above had stopped ~10K machines from 76 different countries from spreading the infection from the new variant.
On Friday 12 May 2017, MalwareTechBlog registered the first kill switch (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com), which made it possible to slow down the infection rate of the WannaCry ransomware. This is
Protecting the Internet one domain at a time — Second killswitch registered on Sunday 14 by myself.
Today (14 May 2017), 2 new variants appeared. One is working, and I blocked it by registering the new domain name; the second is only partially working because it only spreads and does not encrypt files due to a corrupted archive.
- Legit. A new variant was caught by @benkow in the wild and sent to me for analysis. I reversed it and found a new kill-switch (ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com), which I immediately registered to stop the new wave of global attacks. Then, I synchronized with @MalwareTechBlog and @2sec4u to map the new domain to sinkhole name servers to feed the live interactive infection map. This is
- False positive. A new variant with no kill-switch, recovered by Kaspersky as a virustotal.com upload and not detected in the wild. This build only works partially because the ransomware archive is corrupted, though the spreading still works. This is
All the variants in the wild are the following:
Name : 07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd
LastWriteTime : 5/14/2017 5:56:00 PM
MD5 : D724D8CC6420F06E8A48752F0DA11C66
SHA2 : 07C44729E2C570B37DB695323249474831F5861D45318BF49CCF5D2F5C8EA1CD
Length : 3723264

Name : 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
LastWriteTime : 5/13/2017 7:26:44 AM
MD5 : DB349B97C37D22F5EA1D1841E3C89EB4
SHA2 : 24D004A104D4D54034DBCFFC2A4B19A11F39008A575AA614EA04703480B1022C
Length : 3723264

Name : 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf
LastWriteTime : 5/14/2017 4:11:45 PM
MD5 : D5DCD28612F4D6FFCA0CFEAEFD606BCF
SHA2 : 32F24601153BE0885F11D62E0A8A2F0280A2034FC981D8184180C5D3B1B9E8CF
Length : 3723264
New variant with kill switch
As seen below, this is the new kill switch address (ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com) found in the 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf sample, shared with me by @benkow via his honeypot VM. It took me less than a minute once I had the new sample to reverse it and extract the new address to register it.
32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf both drop the same files and archives.
Kaspersky told me they also detected the above variant; MD5: d5dcd28612f4d6ffca0cfeaefd606bcf was first seen by one of their users in Russia at 01:53:26 GMT (2017-05-14 01:53:26.0).
Name : stage2-1-24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
LastWriteTime : 5/12/2017 10:06:10 PM
MD5 : 84C82835A5D21BBCF75A61706D8AB549
SHA2 : ED01EBFBC9EB5BBEA545AF4D01BF5F1071661840480439C6E5BABE8E080E41AA
Length : 3514368

Name : stage2-2-32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf
LastWriteTime : 5/14/2017 4:42:09 PM
MD5 : 84C82835A5D21BBCF75A61706D8AB549
SHA2 : ED01EBFBC9EB5BBEA545AF4D01BF5F1071661840480439C6E5BABE8E080E41AA
Length : 3514368
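A defender-side check for the kill-switch lookups described above, as an added example that is not part of the original article: it scans DNS query logs for the two domains quoted on this page and, as a heuristic, for same-length names that differ in only a few characters, which is what a patched rather than recompiled variant would produce. The log format, the `www.` handling, the threshold and all function names are assumptions, and the sample lines are constructed.

```python
import re
# Kill-switch domains quoted in the article.
KILL_SWITCHES = ("iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
                 "ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com")
MAX_PATCHED_CHARS = 4  # assumption: tolerance for an in-place patched name
# Constructed log format (an assumption): "<timestamp> <client> <qtype> <qname>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+\S+\s+(\S+)$")

def normalise(qname):
    """Lower-case, drop the root dot and an optional leading 'www.' label."""
    name = qname.lower().rstrip(".")
    return name[4:] if name.startswith("www.") else name

def classify(qname):
    """Return 'known', 'lookalike' or None for a queried name."""
    name = normalise(qname)
    if name in KILL_SWITCHES:
        return "known"
    for ks in KILL_SWITCHES:
        # A patched (not recompiled) binary keeps the string length, so
        # compare same-length names position by position (Hamming distance).
        if len(name) == len(ks):
            diff = sum(a != b for a, b in zip(name, ks))
            if diff <= MAX_PATCHED_CHARS:
                return "lookalike"
    return None

def scan(lines):
    """Map client IP -> verdicts, first/last timestamp and hit count."""
    hosts = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        verdict = classify(m.group(3)) if m else None
        if not verdict:
            continue  # malformed line or unrelated name
        ts, client = m.group(1), m.group(2)
        h = hosts.setdefault(client, {"verdicts": set(), "first": ts, "last": ts, "hits": 0})
        h["verdicts"].add(verdict)
        h["first"], h["last"] = min(h["first"], ts), max(h["last"], ts)
        h["hits"] += 1
    return hosts

SAMPLE_LOG = [  # constructed lines, not real telemetry
    "2017-05-14T16:12:03Z 10.0.4.17 A www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com.",
    "2017-05-14T16:12:09Z 10.0.4.17 A IFFERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM",
    "2017-05-14T16:13:40Z 10.0.7.88 A ixxerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "2017-05-14T16:14:02Z 10.0.9.5 A example.com",
    "not a log line",
]
print(scan(SAMPLE_LOG))
```

A host flagged `known` has resolved one of the registered kill switches; a `lookalike` hit is a lead for triage, not a verdict.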
New variant with no kill-switch (shared by Kaspersky)
Costin Raiu, Director of Global Research and Analysis Team at Kaspersky Lab, shared the 07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd sample with me for a second opinion.
As said in the introduction, this build only works partially because the ransomware archive is corrupted, but the spreading part using ETERNALBLUE and DOUBLEPULSAR still works. The archive is only partially uncompressed, although the password in the code is the same.
The above variant, MD5: d724d8cc6420f06e8a48752f0da11c66, has not been seen by any of Kaspersky’s users (nobody got hit with it yet). It was first scanned on VT at 2017-05-14 13:05:36.
This sample was discovered after the initial variant I received today. See my analysis below.
I concluded this sample with no killswitch had been patched and not compiled for two reasons:
- The padding space is still exactly 0x48 bytes between the expected string pointer and the
- The basic block flow had been altered as we can see in the above screenshot. It still contains the regular code which was supposed to be executed in case of domain name accessibility.
This variant drops different files. I’m still analyzing what is different between the two versions.
Name : stage2-1-24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
LastWriteTime : 5/12/2017 10:06:10 PM
MD5 : 84C82835A5D21BBCF75A61706D8AB549
SHA2 : ED01EBFBC9EB5BBEA545AF4D01BF5F1071661840480439C6E5BABE8E080E41AA
Length : 3514368

Name : stage2-2-32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf
LastWriteTime : 5/14/2017 4:42:09 PM
MD5 : 84C82835A5D21BBCF75A61706D8AB549
SHA2 : ED01EBFBC9EB5BBEA545AF4D01BF5F1071661840480439C6E5BABE8E080E41AA
Length : 3514368

Name : stage2-3-07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd-nokillswitch
LastWriteTime : 5/14/2017 7:06:02 PM
MD5 : 7F7CCAA16FB15EB1C7399D422F8363E8
SHA2 : 2584E1521065E45EC3C17767C065429038FC6291C091097EA8B22C8A502C41DD
Length : 3514368
As I reported to the New York Times on Friday, new variants were to be expected.
The fact the no kill-switch variant is only partially working is most likely a temporary mistake from the attackers. Remember, even though the ransomware decompression is not working — the spreading through ETERNALBLUE & DOUBLEPULSAR is still working.
The fact I registered the new kill-switch today to block the new waves of attacks (sinkhole.tech reported to me they are receiving hits) is only a temporary relief. It does not resolve the real issue, which is that many companies and critical infrastructures are still dependent on legacy and out-of-support operating systems.