On Sunday, security researchers detected a second WannaCry version that featured a different kill switch domain, which they quickly registered and sinkholed, preventing further damage.
The original WannaCry ransomware — also known as WannaCrypt, WCry, Wana Decrypt0r, and WanaCrypt0r — appeared on Friday and spread to vulnerable computers via a modified NSA exploit, claiming tens of thousands of victims in a few hours.
Under the hood, the WannaCry ransomware features two components: (1) the ransomware itself and (2) an SMB worm that spreads the ransomware to new victims, on the local network first and then over the Internet. The first WannaCry version featured a kill switch domain which, once registered, allowed researchers to stop the WannaCry ransomware from infecting users.
After researchers sinkholed the first kill switch domain, the group behind WannaCry took almost two days to release a new WannaCry version, which was first detected by French security researcher Benkow on Sunday morning.
After confirming Benkow's findings, security researcher Matt Suiche intervened and registered this second domain — located at ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com — and pointed it at the same sinkhole server used for the first, discovered and registered by British security researcher MalwareTech on Friday.
This meant that even though computers were still getting infected with the second version of the WannaCry ransomware, the encryption process would not start, as long as the sinkhole server stayed in place and security firms or sysadmins did not block traffic to those two domains. As with the first version, the bulk of these computers — nearly half — were located in Russia.
The kill switch works because the WannaCry ransomware pings a hardcoded domain (the kill switch) before the encryption process starts. If the domain is not registered, the encryption goes on as planned, but if the domain is registered, the encryption process stops.
MalwareTech, who discovered this mechanism, believes it is an anti-sandboxing protection system, because some VM and sandbox environments reply as if every domain, registered or not, resolves. In that case, the ransomware concludes it is being executed in a test environment and refuses to run.
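As an added illustration (not code from the article or from any of the researchers it names), here is a defender-side triage of DNS logs built around the mechanism just described: any host that queries the kill switch domain has run the WannaCry binary, and a query that came back blocked or unresolved means the kill switch could not fire and encryption most likely proceeded. The log line format, the `triage_line`/`triage` function names and the sample entries are all constructed for this example; only the second kill switch domain comes from the article, and the first domain would have to be added from a trusted source.

```python
"""Triage of DNS logs for the WannaCry kill switch domain (added example)."""
import re
from typing import List, NamedTuple, Optional

# Kill switch domain of the second WannaCry version, as quoted in the article.
# The first version's domain is not quoted here; add it from a trusted source.
KILL_SWITCH_DOMAINS = {
    "ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
}

# Constructed log format: "<time> <client-ip> query <domain> rcode=<NOERROR|NXDOMAIN|REFUSED>"
LINE_RE = re.compile(
    r"^\S+\s+(?P<client>\S+)\s+query\s+(?P<domain>\S+)\s+rcode=(?P<rcode>\S+)"
)


class Hit(NamedTuple):
    client: str
    domain: str
    rcode: str
    severity: str


def triage_line(line: str) -> Optional[Hit]:
    """Return a Hit when the line is a query for a kill switch domain, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    domain = m.group("domain").rstrip(".").lower()
    if domain not in KILL_SWITCH_DOMAINS:
        return None
    rcode = m.group("rcode").upper()
    # Any query at all means the ransomware executed on that client. A successful
    # answer (the sinkhole) means the kill switch fired and encryption stopped;
    # NXDOMAIN or a refused/blocked lookup means encryption likely went ahead.
    if rcode == "NOERROR":
        severity = "infected-encryption-stopped"
    else:
        severity = "infected-encryption-likely"
    return Hit(m.group("client"), domain, rcode, severity)


def triage(lines: List[str]) -> List[Hit]:
    """Run triage_line over a whole log and keep only the hits."""
    return [h for h in (triage_line(ln) for ln in lines) if h is not None]


# Constructed sample log: one sinkholed lookup, one blocked by an egress filter,
# and ordinary traffic that must not be flagged.
SAMPLE_LOG = [
    "2017-05-14T09:01:12Z 10.0.0.15 query ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com. rcode=NOERROR",
    "2017-05-14T09:01:13Z 10.0.0.15 query example.org rcode=NOERROR",
    "2017-05-14T09:02:40Z 10.0.0.22 query IFFERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM rcode=REFUSED",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"{hit.client}: {hit.severity} ({hit.rcode})")
```

The second hit is the case the article warns about: a network that blocks the kill switch domain turns the infection into a full encryption event, so that host should be isolated first.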
Nonetheless, it is very strange that after being publicly torn to pieces and analyzed by security researchers over the weekend, the WannaCry authors still chose to use a hardcoded unregistered domain as their kill switch for the second version instead of using a new system altogether.
More details on this second WannaCry version are available on Suiche's blog. The researcher claims that since registering the second domain, the sinkhole server has prevented over 10,000 WannaCry instances from encrypting computers.
In the meantime, Bleeping Computer founder Lawrence Abrams has come across four ransomware families that are imitating the WannaCry interface.
Similarly, Danish security firm Heimdal Security claims to have found another ransomware family — named UIWIX ransomware — that uses SMB exploits to spread but has not provided any hashes for confirmation. Security researchers like Michael Gillespie and Benkow have been aware of this ransomware for days, even prior to WannaCry's appearance, but nobody has managed to get their hands on one of the binaries to confirm their suspicions.
Last but not least, security researchers x0rz and MalwareHunter have noticed companies that appeared out of the blue and are now offering paid services to recover files encrypted by the WannaCry ransomware.
With WannaCry pandemonium running wild, be careful with these types of scams, as researchers haven't been able to find a reliable way to break the encryption and recover files locked by the WannaCry ransomware.
The only way to recover WannaCry files is via the WannaDecrypt utility developed by Benjamin Delpy, and only if the victim had been recording traffic or was able to dump the private RSA key from the computer's memory before it was sent to the WannaCry C&C server. The chances that a victim has this type of information are very small.