On Sunday, someone tried to create a version of the WannaCry ransomware that didn't feature the kill switch domain. Fortunately, the ransomware was never released in the wild, as this appeared to be only a test.
The original WannaCry ransomware — version 2.0, to be more accurate, and also known as WCry, WannaCrypt, Wana Decrypt0r, and WanaCrypt0r — appeared on Friday and claimed over 220,000 victims over the weekend.
The ransomware was stopped after a security researcher discovered how to prevent WannaCry from starting.
The researcher, known as MalwareTech, found that WannaCry contacted a web page before launching any of its malicious code. After registering that domain, the researcher realized he had accidentally stopped the ransomware from spreading: WannaCry checked whether the domain was unregistered and only continued when it was.
By registering the domain, the researcher activated a kill switch that aborted the ransomware's execution routine, effectively defanging WannaCry.
On Sunday, security researchers Matt Suiche and Benkow discovered a second WannaCry version that used a different kill switch domain, which they also registered and sinkholed like the first, preventing this newer strain of the WannaCry ransomware from making any new victims.
Later in the day, security researchers from Kaspersky Lab discovered on VirusTotal a new WannaCry version which, unlike the first two, didn't feature the kill switch domain.
Despite this worrying discovery, this version has not been seen infecting live computers as of yet.
Security researcher Matt Suiche — who analyzed the sample — noted that the archive through which the ransomware arrives on infected computers is corrupted, meaning it's not suitable for infecting users because it triggers various decompression errors.
A theory is that this version was only a test from a security researcher, who intentionally corrupted the ransomware's archive to prevent someone from weaponizing it.
According to RenditionSec founder Jake Williams, this version was created by using a hex editor to null out the bytes controlling the kill switch.
A security researcher who goes by the name 2sec4u highlighted the fact that this version isn't connected to the original WannaCry actors and appears to be a one-off experiment. Whoever it was, we are glad that person didn't release this variant in the wild.
If weaponized and released, this version would skip the initial pre-infection beacon, and we would return to the same stage we were on Friday afternoon when WannaCry was making victims left and right, with nothing standing in its way.
Users who want to protect their computers from WannaCry attacks need to install the security updates released by Microsoft.
The security update that blocks the SMBv1 exploit used by WannaCry is MS17-010. For unsupported operating systems, such as Windows XP, Windows 8, or Windows Server 2003, Microsoft has released separate updates.
The WannaCry ransomware comes with two modules, the ransomware itself and the SMB worm that spreads it to vulnerable computers. According to a test performed by security researcher Benkow, SMB scanning is so aggressive at the moment that it takes between 3 and 15 minutes for an unprotected computer to get infected with WannaCry.
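The scanning behaviour described in the paragraph above is itself detectable on the network: a single host opening TCP/445 connections to many distinct internal addresses within a short window is the signature of the worm module, not of normal file-share use. The following is an added example, not code from the article or from the researchers it cites. It reads constructed connection-log lines (format assumed: timestamp, source, destination, destination port, protocol) and reports sources whose count of distinct port-445 destinations inside a sliding time window reaches a threshold. The threshold and window are tunable assumptions; the sample data is generated inline.

```python
"""Detect SMB worm-style scanning (many distinct TCP/445 destinations per source).

Added example for this article. Constructed log layout:
    <ISO timestamp>Z <src IP> <dst IP> <dst port> <proto>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_conn(line):
    """Parse one constructed connection record; None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts_text, src, dst, dport, proto = parts
    try:
        ts = datetime.strptime(ts_text, TS_FORMAT)
        dport = int(dport)
    except ValueError:
        return None
    return ts, src, dst, dport, proto.lower()


def find_smb_scanners(lines, threshold=20, window_seconds=60):
    """Return {src: peak distinct /445 destinations seen inside any window}.

    Only sources whose peak reaches `threshold` are returned. Repeated
    connections to the same destination (a normal file-server client) count
    once, so they do not trigger the detection.
    """
    events = defaultdict(list)
    for line in lines:
        parsed = parse_conn(line)
        if parsed is None:
            continue
        ts, src, dst, dport, proto = parsed
        if dport == 445 and proto == "tcp":
            events[src].append((ts, dst))

    window_len = timedelta(seconds=window_seconds)
    scanners = {}
    for src, evs in events.items():
        evs.sort()
        window = deque()            # (ts, dst) records inside the current window
        in_window = defaultdict(int)  # dst -> number of records in the window
        peak = 0
        for ts, dst in evs:
            window.append((ts, dst))
            in_window[dst] += 1
            # Evict records older than the window relative to the newest one.
            while window and ts - window[0][0] > window_len:
                old_ts, old_dst = window.popleft()
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
            peak = max(peak, len(in_window))
        if peak >= threshold:
            scanners[src] = peak
    return scanners


def build_sample_log():
    """Constructed sample: one scanner, one busy but benign file-share client, noise."""
    base = datetime(2017, 5, 12, 14, 0, 0)
    lines = []
    # Scanner: 30 distinct internal hosts on /445, one per second.
    for i in range(30):
        ts = (base + timedelta(seconds=i)).strftime(TS_FORMAT)
        lines.append(f"{ts} 10.0.7.55 10.0.1.{i + 1} 445 tcp")
    # Benign client: 15 connections to the same file server.
    for i in range(15):
        ts = (base + timedelta(seconds=2 * i)).strftime(TS_FORMAT)
        lines.append(f"{ts} 10.0.7.80 10.0.2.10 445 tcp")
    # Unrelated traffic and a malformed record.
    lines.append(f"{base.strftime(TS_FORMAT)} 10.0.7.81 93.184.216.34 443 tcp")
    lines.append("garbage")
    return lines


SAMPLE_CONN_LOG = build_sample_log()

if __name__ == "__main__":
    print(find_smb_scanners(SAMPLE_CONN_LOG))
```

The sliding window matters because the article's figure of 3 to 15 minutes to infection reflects a worm that probes continuously; a per-day count would also catch vulnerability scanners and backup jobs, while a tight window isolates the burst pattern. Pair a hit from this check with the DNS beacon check, and with confirmation that MS17-010 is installed, before declaring a host clean.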
For those affected, you can discuss this ransomware and receive support in the dedicated WanaCrypt0r & Wana Decrypt0r Help & Support Topic. Bleeping Computer also published a technical analysis of the Wana Decrypt0r ransomware.