New WannaCry ransomware variants: Patch old PCs now to avoid becoming a victim

Monday is going to suck for some folks—those who run old, unsupported Windows systems that are vulnerable to WannaCry ransomware if they didn’t put in some weekend time applying security updates.

In response to the massive global ransomware attack on Friday, Microsoft took the “highly unusual step of providing a security update for all customers to protect Windows platforms that are in custom support only, including Windows XP, Windows 8, and Windows Server 2003.” Europol chief Rob Wainwright told the BBC, “Companies need to make sure they have updated their systems and ‘patched where they should’ before staff arrived for work on Monday morning.”

Yes, it’s true that a security researcher going by MalwareTech activated a “kill switch” by registering a domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com) that WannaCry checked to make sure was unregistered before starting to encrypt files. Experts suggested the ransomware authors could simply change domains so WannaCry would work again and keep spreading. MalwareTech warned:

Version 1 of WannaCrypt was stoppable but version 2.0 will likely remove the flaw. You’re only safe if you patch ASAP.

— MalwareTech (@MalwareTechBlog) May 14, 2017

Sure enough, a different variant of the ransomware was coded to contact a different domain. Fortunately, security researchers @benkow_ spotted the domain and Matthieu Suiche registered the kill switch Sunday. Suiche added:

I highly suspect there are multiple variants in the wild with multiple kill switches! #WannaCry Good news is: there are still kill switches!

MalwareTech confirmed the “new kill switch” had been transferred to his sinkhole.

On Sunday, Suiche warned, “Until people update and upgrade their operating systems, they are still at threat. The fact I registered the new kill-switch is only a temporarily relief which does not resolve the real issue, which is that people are running out-of-support Operating Systems.”

It is puzzling as to why a new version would still contain a kill switch, since the WannaCry outbreak reportedly infected between Avast’s count of 126,000 machines in 104 countries and Europol’s count of more than 200,000 victims in 150 countries, yet the ransomware author(s) had extorted relatively little money.

As of 11 a.m. ET on Sunday, May 14, the three Bitcoin wallets receiving ransomware payments from the first version of WannaCry had received 8.78 ( ≈ $15,837.8), 6.00 (≈ $10,823.1) and 4.33 (≈ $7,810.67) total Bitcoin payments. In total, the three wallets accumulated 19.11 BTC or ≈ $34,471.57. Demanded ransom amounts started at $300 before being raised to $600.

MalwareTech told the BBC, “There’s a lot of money in this. There’s no reason for them to stop. It’s not really much effort for them to change the code and then start over. So there’s a good chance they are going to do it … maybe not this weekend, but quite likely on Monday morning.”

Europol is reportedly working with the FBI to hunt down those responsible for the Wanna Decryptor. They suspect “more than one person” to be involved in the ransomware attacks.

No kill switch variants of WannaCry ransomware

But don’t go feeling “safe” because there are also WannaCry variants that have no kill switches. Costin Raiu, director of global research and analysis at Kasperksy Lab, told Motherboard on Saturday, “I can confirm we’ve had versions without the kill switch domain connect since yesterday.”

A patched (non-recompiled) variant with *NO* kill-switch is out there too. Patched jump and zeroed the URL. See screenshots below. #WannaCry pic.twitter.com/RliIRigXwH

— Matthieu Suiche (@msuiche) May 14, 2017

You can be mad at the NSA if you want to or the Shadow Brokers, which released the NSA hacking tools, or even the group behind WannaCry for finding a way to leverage the suspected NSA hacking tools in their ransomware code, but don’t expect this to be the last time those exploits will be used. As Proofpoint security researcher Darien Huss told the BBC, “I highly suspect that, with the amount of coverage that this incident is getting, there are probably already people that are working to incorporate the exploit that was used for spreading.”

The best thing you can do if you are running versions of Windows that no longer receive mainstream support is to take advantage of Microsoft’s offer of out-of-bound security fixes and patch now.

Microsoft said, “This decision was made based on an assessment of this situation, with the principle of protecting our customer ecosystem overall, firmly in mind.”

Plenty of people have covered the huge range of victims, such as FedEx, hospitals, telecoms, banks and more. You can check out the live WannaCry (WannaCrypt) map showing infection attempts in real time. I’m warning you that it’s mesmerizing, so don’t go into a trance if you need to be patching.

Let’s hope on Monday that the live map doesn’t resemble the one from Friday.