As the massive ransomware attack dubbed WannaCry, or WanaCrypt0r 2.0 continued to spread this week, IT departments worldwide scrambled to update and patch their systems to defend against this menace.
The WannaCry campaign has claimed some 200,000 victims across 150 countries so far. It has hit private companies and public organizations alike and, in some cases, has put lives at risk.
Fortunately, the initial wave was halted when a 22-year-old security researcher named Marcus Hutchins found a simple kill switch: the malware checks whether a hard-coded domain resolves and aborts if it does, so registering that domain stopped new infections from running.
However, Hutchins and other security analysts warned that “this is not over.” The hackers responsible for this latest ransomware assault could simply change the code (or the domain, for that matter), redeploy it and start again. Copycats can also tweak and repurpose the malware to start their own campaigns.
That time, it appears, has already come.
New WannaCry Variants
As early as Sunday morning, new variants of WannaCry began surfacing, including one that lacks the kill switch weakness entirely.
The new variants appear to be patched copies of the original binary produced by still unknown groups, rather than new builds from the authors of the original campaign.
The first variant, with a different kill switch domain, reportedly started spreading on Sunday morning and was quickly followed by an updated version that removed the kill switch check altogether. (Note: The original kill switch was discovered on Saturday morning.)
Security firms and government agencies also issued warnings about further attacks using the same vulnerability WannaCry exploits. (Note: WannaCry spreads by exploiting a flaw in the SMBv1 implementation of older Windows versions, patched by Microsoft as MS17-010. The exploit it uses, EternalBlue, is an NSA tool leaked by the Shadow Brokers earlier this year.)
The U.K. National Cyber Security Centre wrote:
“Since the global coordinated ransomware attack on thousands of private and public sector organisations across dozens of countries on Friday, there have been no sustained new attacks of that kind. But it is important to understand that the way these attacks work means that compromises of machines and networks that have already occurred may not yet have been detected, and that existing infections from the malware can spread within networks.
“This means that as a new working week begins it is likely, in the UK and elsewhere, that further cases of ransomware may come to light, possibly at a significant scale.”
To protect against other WannaCry variants, it is crucial to keep Windows systems current with the latest security patches (above all the MS17-010 update that closes the SMBv1 flaw), to run anti-virus software, to keep regular backups, and to be extra vigilant with email attachments and unknown links.
More importantly, if you are still running an old and unsupported version of Windows (Vista, XP and older), stop using it immediately and move to a supported version as soon as possible (Windows 7 and newer). With the leaked NSA tools and exploits ready to be weaponized at any time, you are at serious risk if you keep using unsupported software.
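The advice above is easier to act on with a repeatable check. The following PowerShell script is an added example, not code from the article: it reports whether a known MS17-010 package is installed, whether the SMBv1 server is still enabled, and whether TCP/445 is listening and blocked inbound, and with the -Remediate switch it disables SMBv1 and adds the block rule. The KB list is an assumed, partial set of MS17-010 package IDs; confirm the correct one for each OS build against the bulletin, and remember that Get-HotFix may not list a KB that a later rollup has superseded, so an empty match is not proof that a host is unpatched.

```powershell
# Added example (not from the article): audit and harden a Windows host against
# the SMBv1 flaw (MS17-010) that WannaCry's EternalBlue exploit targets.
# Run in an elevated PowerShell session.
# Assumption: $Ms17010Kbs is a hand-picked, partial list of MS17-010 package
# IDs; verify the right one for your build. Windows 10 gets the fix through
# cumulative updates, so no match there does not by itself mean "unpatched".
[CmdletBinding()]
param(
    [string[]]$Ms17010Kbs = @('KB4012212','KB4012215','KB4012213','KB4012216',
                             'KB4012214','KB4012217','KB4012598','KB4013429'),
    [switch]$Remediate   # without this switch the script only reports
)

$os = Get-CimInstance Win32_OperatingSystem
Write-Host "Host: $env:COMPUTERNAME  OS: $($os.Caption) build $($os.BuildNumber)"

# 1. Is any listed MS17-010 package present? Get-HotFix only shows what
#    Windows Update recorded, so a superseding rollup can hide an older KB.
$installed = Get-HotFix -ErrorAction SilentlyContinue |
             Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    Write-Host "MS17-010 package found: $($installed.HotFixID -join ', ')"
} else {
    Write-Warning 'No listed MS17-010 KB found; verify the patch level manually.'
}

# 2. Is the SMBv1 server still enabled? Windows 8 / 2012 and later expose the
#    SMB cmdlets; on Windows 7 / 2008 R2 fall back to the LanmanServer value.
$smbCmdlet = Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue
$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
if ($smbCmdlet) {
    $smb1On = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    $val = (Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $smb1On = ($null -eq $val) -or ($val -ne 0)   # missing value means SMB1 is on
}
Write-Host ("SMBv1 server enabled: {0}" -f $smb1On)

# 3. Is TCP/445 listening, and is there already an inbound block rule?
#    (These cmdlets exist on Windows 8 / 2012 and later only.)
$listening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
$blockRule = Get-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 445)' -ErrorAction SilentlyContinue
Write-Host ("TCP/445 listening: {0}; inbound block rule present: {1}" -f [bool]$listening, [bool]$blockRule)

if (-not $Remediate) { return }

# Remediation: turn the SMBv1 server off (reboot required on older builds) and
# block inbound 445. Do not apply the firewall step on hosts that must serve
# SMB; scope it there with -RemoteAddress instead of blocking every source.
if ($smb1On) {
    if ($smbCmdlet) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $regPath -Name SMB1 -Type DWord -Value 0 -Force
    }
    Write-Host 'SMBv1 server disabled (reboot to apply on Windows 7 / 2008 R2).'
}
if (-not $blockRule) {
    New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 445)' -Direction Inbound `
        -Protocol TCP -LocalPort 445 -Action Block -Profile Any | Out-Null
    Write-Host 'Inbound TCP/445 block rule created.'
}
```

Run it once without -Remediate to get an inventory across hosts (for example via Invoke-Command), then again with -Remediate on the machines where SMBv1 is not needed. Disabling SMBv1 and blocking 445 inbound removes the lateral-movement path even on a host whose patch state you cannot confirm, which is the useful property when the KB bookkeeping is unreliable.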
Ties to North Korea?
In related news, researchers say that they found digital clues that suggest that North Korean hackers may be responsible for the WannaCry campaign.
Google’s Neel Mehta found code inside an early WannaCry sample that is identical to code in a backdoor used by the Lazarus Group, a hacking crew tied to North Korea. Although not conclusive, researchers say this “is the most significant clue to date regarding the origins of WannaCry.”