One new wave stopped today but the worse is yet to come

Read More: Part 1 — Part 2 — Part 3 — Part 4 @msuiche (Twitter)

UPDATE: Latest development (15 May): Attribution and links to Lazarus Group

UPDATE 2: Decrypting files

As a follow-up to my article on WannaCry, here is a short brief on the new variants found in the wild today, on infected machines rather than in a lab.

In short, one is a false positive that some researchers uploaded to virustotal.com, and the other is legit, but we stopped it when I registered the new kill-switch domain name.


Update: At the time the tweet below was posted, the new kill switch had already stopped ~10K machines in 76 different countries from spreading the new variant.

On Friday 12 May 2017, MalwareTechBlog registered the first kill switch (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com), which made it possible to slow down the infection rate of the WannaCry ransomware. This is sample 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c.


Protecting the Internet one domain at a time — Second killswitch registered on Sunday 14 by myself.

Today (14 May 2017), 2 new variants appeared. **One working, which I blocked by registering the new domain name,** and a second which is only partially working because it only spreads and does ***not*** encrypt files, due to a corrupted archive.

  • Legit. A new variant was caught by @benkow in the wild and sent to me for analysis. I reversed it and found a new kill switch (ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com), which I immediately registered to stop the new wave of global attacks. Then I synchronized with @MalwareTechBlog and @2sec4u to map the new domain to sinkhole name servers that feed the live interactive infection map. This is sample 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.
  • False positive. A new variant with no kill switch, recovered by Kaspersky from a virustotal.com upload and not detected in the wild. This build only works partially, as the ransomware archive is corrupted, though the spreading still works. This is sample 07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd.

New variants

All the variants in the wild are the following:

```
Name          : 07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd
LastWriteTime : 5/14/2017 5:56:00 PM
MD5           : D724D8CC6420F06E8A48752F0DA11C66
SHA2          : 07C44729E2C570B37DB695323249474831F5861D45318BF49CCF5D2F5C8EA1CD
Length        : 3723264

Name          : 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
LastWriteTime : 5/13/2017 7:26:44 AM
MD5           : DB349B97C37D22F5EA1D1841E3C89EB4
SHA2          : 24D004A104D4D54034DBCFFC2A4B19A11F39008A575AA614EA04703480B1022C
Length        : 3723264

Name          : 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf
LastWriteTime : 5/14/2017 4:11:45 PM
MD5           : D5DCD28612F4D6FFCA0CFEAEFD606BCF
SHA2          : 32F24601153BE0885F11D62E0A8A2F0280A2034FC981D8184180C5D3B1B9E8CF
Length        : 3723264
```

New variant with kill switch


32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf

As shown in the screenshot, the new kill-switch address (ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com) was found in the 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf sample, which @benkow shared with me from his honeypot VM. Once I had the new sample, it took me less than a minute to reverse it, extract the new address and register it.
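The triage step described above, reduced to a script: pull the embedded kill-switch URL out of a sample and check it against the domains already registered. This is an added example, not the post's own tooling; the three sample byte strings are constructed stand-ins, not the real files, and the only real values are the two kill-switch domains named in the post.

```python
import re

# Kill-switch domains named in the post: the first one registered on 12 May
# by MalwareTechBlog and the second one registered on 14 May.
KNOWN_KILL_SWITCHES = {
    "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
}

# The kill switch is embedded as a plain ASCII http URL, so a byte regex
# over the raw file is enough to pull out candidate hostnames.
URL_RE = re.compile(rb"https?://([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)


def extract_domains(sample: bytes) -> list[str]:
    """Unique hostnames from embedded http(s) URLs, in file order, 'www.' stripped."""
    seen: set[str] = set()
    out: list[str] = []
    for m in URL_RE.finditer(sample):
        host = m.group(1).decode("ascii").lower()
        if host.startswith("www."):
            host = host[4:]
        if host not in seen:
            seen.add(host)
            out.append(host)
    return out


def triage(sample: bytes, known: set[str] = KNOWN_KILL_SWITCHES) -> dict:
    """Report which domains a sample checks and which are not yet registered."""
    domains = extract_domains(sample)
    return {
        "domains": domains,
        "unregistered": [d for d in domains if d not in known],
        "no_kill_switch": not domains,
    }


# Constructed stand-ins for the three samples (not the real file contents):
# a few bytes of junk around the embedded URL, or no URL at all.
SAMPLE_FIRST_WAVE = b"MZ\x90\x00" + b"\x00" * 8 + b"http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com\x00"
SAMPLE_NEW_WAVE = b"MZ\x90\x00" + b"\x00" * 8 + b"http://www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com\x00"
SAMPLE_NO_KILL_SWITCH = b"MZ\x90\x00" + b"\x00" * 0x48 + b"\xaa" * 24

if __name__ == "__main__":
    # As of 14 May, before the second domain was registered:
    print(triage(SAMPLE_NEW_WAVE, known={"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"}))
    print(triage(SAMPLE_NO_KILL_SWITCH))
```

A sample with an unregistered domain is the one to act on first; a sample with no URL at all is the 07c4 case and needs a closer look, since the check may have been removed rather than never present.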

The variants 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c and 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf both drop the **same** files and archives.

Kaspersky told me they also detected the above variant (MD5: d5dcd28612f4d6ffca0cfeaefd606bcf); it was first seen on one of their users' machines in Russia at 01:53:26 GMT on 2017-05-14.

```
Name          : stage2-1-24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
LastWriteTime : 5/12/2017 10:06:10 PM
MD5           : 84C82835A5D21BBCF75A61706D8AB549
SHA2          : ED01EBFBC9EB5BBEA545AF4D01BF5F1071661840480439C6E5BABE8E080E41AA
Length        : 3514368

Name          : stage2-2-32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf
LastWriteTime : 5/14/2017 4:42:09 PM
MD5           : 84C82835A5D21BBCF75A61706D8AB549
SHA2          : ED01EBFBC9EB5BBEA545AF4D01BF5F1071661840480439C6E5BABE8E080E41AA
Length        : 3514368
```

New variant with no kill switch (shared by Kaspersky)


Costin Raiu, Director of the Global Research and Analysis Team at Kaspersky Lab, shared the 07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd sample with me for a second opinion.

As said in the introduction, this build only works partially: the ransomware archive is corrupted, but the spreading part using ETERNALBLUE and DOUBLEPULSAR still works. The archive is only partially decompressed, even though the password in the code is the same.


The above variant (MD5: d724d8cc6420f06e8a48752f0da11c66) has not been seen by any of Kaspersky's users, i.e. nobody has been hit with it yet. It was first scanned on VirusTotal at 2017-05-14 13:05:36.

This sample was discovered after the initial variant I received today. My analysis follows.


07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd

I concluded that this no-kill-switch sample had been binary-patched rather than recompiled, for two reasons:

  • The padding between the expected string pointer and the _RTL_CRITICAL_SECTION CriticalSection structure is still exactly 0x48 bytes; a fresh build would not have preserved that gap.
  • The basic-block flow was altered, as the screenshot above shows, yet the binary still contains the regular code path that was meant to run when the domain name was reachable.
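One way to check the "patched rather than recompiled" argument above at the byte level: diff a known sample against the variant and look at how many regions differ and how large they are. An in-place patch keeps the file size and confines the changes to a few small runs, while a rebuild shifts offsets and changes the size. This is an added example, not the post's own tooling; it works on constructed byte strings (the 0x48-byte padding run and a 24-byte stand-in for the critical section), not on real samples, and a real comparison would run per PE section after parsing the headers.

```python
from dataclasses import dataclass


@dataclass
class DiffRegion:
    offset: int
    old: bytes
    new: bytes


def diff_regions(base: bytes, variant: bytes) -> list[DiffRegion]:
    """Maximal runs of differing bytes between two equal-length buffers."""
    if len(base) != len(variant):
        raise ValueError("buffers differ in length")
    regions: list[DiffRegion] = []
    i, n = 0, len(base)
    while i < n:
        if base[i] == variant[i]:
            i += 1
            continue
        start = i
        while i < n and base[i] != variant[i]:
            i += 1
        regions.append(DiffRegion(start, base[start:i], variant[start:i]))
    return regions


def classify_variant(base: bytes, variant: bytes, max_regions: int = 8, max_len: int = 16) -> str:
    """'identical', 'patched' (same length, a few small edits) or 'rebuilt'."""
    if len(base) != len(variant):
        return "rebuilt"  # a recompile almost never preserves the exact size
    regions = diff_regions(base, variant)
    if not regions:
        return "identical"
    small = len(regions) <= max_regions and all(len(r.old) <= max_len for r in regions)
    return "patched" if small else "rebuilt"


# Constructed stand-ins (not real sample bytes): a 4-byte pointer slot, the
# 0x48 bytes of padding the post mentions, then a 24-byte placeholder for
# the _RTL_CRITICAL_SECTION structure, wrapped in a few code bytes.
SLOT = b"\x10\x20\x40\x00"
PADDING = b"\x00" * 0x48
CRIT_SECTION = b"\xaa" * 24
BASE = b"\x55\x8b\xec" + SLOT + PADDING + CRIT_SECTION + b"\xc9\xc3"
# In-place edit of the slot only: layout and padding untouched.
PATCHED = BASE[:3] + b"\x00" * 4 + BASE[7:]
# Fresh build: the compiler drops the padding, so offsets and size shift.
REBUILT = b"\x55\x8b\xec" + b"\x00" * 4 + CRIT_SECTION + b"\xc9\xc3"
```

Run `classify_variant(BASE, PATCHED)` and `diff_regions(BASE, PATCHED)` to see a single three-byte region at offset 3, versus `classify_variant(BASE, REBUILT)` reporting a rebuild.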

This variant drops different files. I’m still analyzing what is different between the two versions.

```
Name          : stage2-1-24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
LastWriteTime : 5/12/2017 10:06:10 PM
MD5           : 84C82835A5D21BBCF75A61706D8AB549
SHA2          : ED01EBFBC9EB5BBEA545AF4D01BF5F1071661840480439C6E5BABE8E080E41AA
Length        : 3514368

Name          : stage2-2-32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf
LastWriteTime : 5/14/2017 4:42:09 PM
MD5           : 84C82835A5D21BBCF75A61706D8AB549
SHA2          : ED01EBFBC9EB5BBEA545AF4D01BF5F1071661840480439C6E5BABE8E080E41AA
Length        : 3514368

Name          : stage2-3-07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd-nokillswitch
LastWriteTime : 5/14/2017 7:06:02 PM
MD5           : 7F7CCAA16FB15EB1C7399D422F8363E8
SHA2          : 2584E1521065E45EC3C17767C065429038FC6291C091097EA8B22C8A502C41DD
Length        : 3514368
```

Conclusion

As I told the New York Times on Friday, new variants were to be expected.

The fact that the no-kill-switch variant is only partially working is most likely a temporary mistake by the attackers. Remember, even though the ransomware decompression is not working, the spreading through ETERNALBLUE and DOUBLEPULSAR still is.

The fact that I registered the new kill switch today to block the new waves of attacks (sinkhole.tech reported to me that they are receiving hits) is only temporary relief. It does not resolve the real issue, which is that many companies and critical infrastructures still depend on legacy, out-of-support operating systems.