With the successful launch of the WannaCry Ransomware last Friday, ransomware developers are being quick to release their own imitations. Currently there are 5 different WannaCry knockoffs in various forms of development. Of particular interesting is what appears to be a WannaCry Ransomware generator that allows you to customize the appearance and text of the lock screen.
Let's take a look at what each of these imitations have to offer. You can click on any of the images below to see a full size image.
Of the four WannaCry imitators, DarkoderCrypt0r is the farthest along in development as it actually encrypts files on a computer. As you can see below, the developers copied the WannaCry lock screen and adapted it a bit with their own title, bitcoin addresses, etc. Currently this in-development ransomware as it is only encrypting files on the victim's Desktop. When encrypting files it will append the .DARKCRY extension to the encrypted file's name. The executable will also be named @DaKryEncryptor@.exe.
Aran wanaCrypt0r 2.0 Generator v1.0 is an interesting sample as it is being developed to be a customizable WannaCry Ransomware generator. This program allows you to create a customized WannaCry lock screen where a developer can customize the text, images, and colors of the lock screen.
The generator will most likely then use these customizations to create a customized WanaCrypt0r ransomware executable that can then be distributed by a wannabe ransomware developer in order to generate ransoms. At this time, the generator only allows you to customize the lock screen and then display the customized screen. It does not generate a customized ransomware executable.
Wanna Crypt v2.5 is in the very beginning stages of development as it only displays the lock screen shown below when launched.
Like Wanna Crypt v2.5, WannaCrypt 4.0 is in the beginning stages of development and does not encrypt anything at this time. An interesting aspect of this sample is that the default language for the lock screen is Thai. As the original WannaCry does not support Thai, my guess is that the developer of this imitation is from Thailand.
Another in-development ransomware that uses the WannaCry screen. Being distributed as MS17-010.exe.