kaptn - Fotolia

WannaCry variants accidentally protecting against WannaCry

New variants of the infamous WannaCry malware continue to emerge, and many of them have accidentally turned themselves into a somewhat effective, although ill-advised, vaccine against infection

More than two years after the first global WannaCry outbreak took down a number of NHS trusts in what was later described as a borderline national emergency, detections of the ransomware remain in the millions.

Some 4.3 million infection attempts blocked and almost 7,000 unique variants (80% new) were observed in August 2019 alone, according to a Sophos whitepaper.

In a newly released report from its SophosLabs researchers, the firm said the continued existence of WannaCry in the wild was primarily due to the ability of the new variants to bypass the famous kill switch discovered by malware writer turned threat researchers Marcus Hutchins and Jamie Hankins, which stopped the initial outbreak in May 2017.

The kill switch is a line of code that, during a WannaCry attack, checks to find out if a specific web domain is live. If it is found to be so, the attack is stopped dead in its tracks. It is this domain that was registered by Hutchins and Hankins, effectively ending the attack at the time. It remains online to this day.

More than 2,700 samples analysed by Sophos have now evolved to bypass the kill switch, but all of these also have a corrupted ransomware component and are therefore effectively inert and unable to encrypt user data.

Furthermore, said Sophos security specialist and lead author of the report, Peter Mackenzie, due to the way WannaCry infects new victims – by checking to see if an endpoint is infected and moving on if so – infection by one of these inert strains acts as a remarkably effective, albeit highly inadvisable, vaccine against the original version.

“In this case, some victims have been lucky because variants of the malware immunised them against newer versions. But no organisation should rely on this,” said Mackenzie.

“Instead, standard practice should be a policy of installing patches whenever they are issued, and a robust security solution in place that covers all endpoints, networks and systems.”

“Some victims have been lucky because variants of the malware immunised them against newer versions. But no organisation should rely on this”
Peter Mackenzie, Sophos

Standard cyber security best practice remains the most effective preventative measure against WannaCry. With that in mind, the report also restated the importance of keeping an inventory of all endpoints on the corporate network and keeping them up to date and patched in good time.

It is also a good idea to verify if endpoints are patched against the EternalBlue Windows exploit which WannaCry uses, and to regularly back up data on offline storage devices.

Nevertheless, despite the abiding mystery as to why WannaCry’s creators built in a kill switch at all, the number of attempted infections suggests that the need for the kill switch remains very real thanks to the large number of endpoints that remain unpatched and are infected with the original version of WannaCry.

It is therefore possible, indeed likely, said Sophos, that keeping the kill switch URL online is actually the only thing preventing a second worldwide outbreak.

“The WannaCry outbreak of 2017 changed the threat landscape forever,” said Mackenzie. “Our research highlights how many unpatched computers are still out there. If you haven’t installed updates that were released more than two years ago, how many other patches have you missed?”

Mackenzie also noted that by examining public bitcoin transactions it was possible to establish that some people are still paying the ransom. He pointed out that victims should under no circumstances do this.

“Doing so will result in you losing your money and getting nothing in return. The attackers do not monitor these payments, nor provide a decryption tool. Restoring from backups is your only hope at recovery,” he wrote.

Read more about ransomware

  • Governments and healthcare institutions are prime targets of ransomware operators, a report shows.
  • A week after reportedly being hit by a ransomware attack, Belgium-based mechanical equipment manufacturer Asco has finally provided some details.
  • Backups can return your enterprises to a known good state. So it's essential to secure them by aligning your backup and security strategies for better protection and recovery.

Read more on Hackers and cybercrime prevention

Data Center
Data Management