Follow Slashdot blog updates by subscribing to our blog RSS feed


Forgot your password?
Security Windows Government Microsoft

Researchers Find New Version Of WanaDecrypt0r Ransomware Without A Kill Switch ( 98

Remember that "kill switch" which shut down the WannCry ransomware? An anonymous reader quotes Motherboard: Over Friday and Saturday, samples of the malware emerged without that debilitating feature, meaning that attackers may be able to resume spreading ransomware even though a security researcher cut off the original wave. "I can confirm we've had versions without the kill switch domain connect since yesterday," Costin Raiu, director of global research and analysis team at Kaspersky Lab told Motherboard on Saturday... Another researcher confirmed they have seen samples of the malware without the killswitch.
This discussion has been archived. No new comments can be posted.

Researchers Find New Version Of WanaDecrypt0r Ransomware Without A Kill Switch

Comments Filter:
  • by toonces33 ( 841696 ) on Saturday May 13, 2017 @07:02PM (#54412051)

    The person who found the previous "kill switch" believes that it was actually an anti-sandboxing feature, not a kill switch.

    • can i have a link to where you saw this please?

      • by toonces33 ( 841696 ) on Saturday May 13, 2017 @07:08PM (#54412077) []

        The reason which was suggested is that the domain is a “kill switch” in case something goes wrong, but I now believe it to be a badly thought out anti-analysis.

        In certain sandbox environments traffic is intercepted by replying to all URL lookups with an IP address belonging to the sandbox rather than the real IP address the URL points to, a side effect of this is if an unregistered domain is queried it will respond as it it were registered (which should never happen).

        I believe they were trying to query an intentionally unregistered domain which would appear registered in certain sandbox environments, then once they see the domain responding, they know they’re in a sandbox the malware exits to prevent further analysis. This technique isn’t unprecedented and is actually used by the Necurs trojan (they will query 5 totally random domains and if they all return the same IP, it will exit); however, because WannaCrypt used a single hardcoded domain, my registartion of it caused all infections globally to believe they were inside a sandbox and exitthus we initially unintentionally prevented the spread and and further ransoming of computers infected with this malware. Of course now that we are aware of this, we will continue to host the domain to prevent any further infections from this sample.

        • Pretty freakin' neato

        • by Xenna ( 37238 )

          OK, note to self: Use a random URL in the next version.

          • Even if you use a randomizing URL it can be caught, and algorithm figured out to register the next years worth of domains. it was very bad implantation of a sandbox check.

        • Thank you! Awesome read. Anybody who hasnt should.

  • Lets hope that this person is doing this for awareness. and hopefully he makes his point. or else sorry you put a critical on the internet without knowledge of how the internet works.

  • Is really going to hurt then.. I doubt the world has had time to patch everything...

    • Maybe some are patched. Some are taken offline or air-gapped until patched. Some might have SMB turned off or blocked by the firewall. IT departments will be specifically watching for TOR connections, and might actually try blocking them. Yeah, there will be some new infections. But the first wave gave people a wake-up-call that this one was serious.
    • The object lesson here is: Don't rely on patches. Instead, have a strong backup strategy.

      This attack *WILL* really hurt, but it will be good in the long run because it will teach people to back up data.
  • God damnit (Score:5, Funny)

    by JustAnotherOldGuy ( 4145623 ) on Saturday May 13, 2017 @07:08PM (#54412081)

    I've tried everything to get this to run on my Linux Mint box (including installing WINE) and it just won't do anything.

    • Re: (Score:3, Funny)

      by Anonymous Coward

      I've tried everything to get this to run on my Linux Mint box (including installing WINE) and it just won't do anything.

      Surely you are familiar with stuff not working on a Linux box ?

      It's part of the hobby to experience such things, n'est ce pas ?

    • Clearly you need a VM to experience the full goodness of Microsoft's SMB implementation..

    • Same here but it doesn't work on Win10 either.

    • by Anonymous Coward on Saturday May 13, 2017 @09:26PM (#54412371)

      You need to make sure you have the *correct* version of gettext, libiconv, openssl, gnu-crypto, and gnucash (not the one your distro ships with of course) and you need the correct version of GCC (4.9.4 it will refuse to compile if you use 4.9.3 or 4.9.5). Also if you are on Mint you will need to patch the ransomware.h header file but not Debian. If using CentOS you need to make sure you load the x86 compatibility libraries or it won't work. Make sure to pass the correct flags to ./configure

      This is all obvious to everyone who read the manual so stop wasting our time.

    • by DeBaas ( 470886 )

      If you send me two bitcoins within 6 hours I will provide an installer. If you wait longer the price will go up!

    • If more than 5 people ran something important on a Linux Mint desktop that is worth holding for ransom then we would consider a port. Until then your target market is just too small and you will need to run a compatible copy of Microsoft Windows to use our software.

      Dev Team.

      • If more than 5 people ran something important on a Linux Mint desktop that is worth holding for ransom then we would consider a port. Until then your target market is just too small and you will need to run a compatible copy of Microsoft Windows to use our software.

        Thank you! I installed Windows 10 and was able to get it to encrypt my files properly on the first try.

        By the way, what does "Error connecting to NSA Data Collection Server" mean? I get that notification whenever my internet goes down.

        • Error connecting to NSA Data Collection Server

          The error you are experiencing means that the automated email and password database backup systems aren't working as intended. If you intend to work without an internet connection for long periods of time it may be worth while to print hard copies of everything important and mail it directly to the NSA for archiving.

  • by Anonymous Coward

    1) Get ransomware
    2) Read warning about losing data
    3) Chuckle with a smirk on your face
    4) Revert to this morning's snapshot
    5) Carry on

    • by HiThere ( 15173 )

      This is assuming that it's a rapidly acting ransomware. Some have acted more slowly, and you could lose a week's worth of data, or a month's worth. And...unnh... how long do you keep your backups before recycling?

  • I am diabling SMB v1 (Score:4, Informative)

    by williamyf ( 227051 ) on Saturday May 13, 2017 @07:38PM (#54412139)

    Even though my main machine is mac, and my bootcamp and windows secondary machine are on Win10 and Fully patched, and my synology NAS has SMB v1 disabled, I may as well disable SMBv1 across the whole fleet.

    God have mercy on all morons who are still running unpatched machines...

    • God have mercy on all morons who are still running unpatched machines...

      Because I certainly won't. Either this will be a good object lesson, or they'll get what they deserve for not learning from experience.
    • by Atryn ( 528846 )

      God have mercy on all morons who are still running unpatched machines...

      I wonder if you could draw a parallel to the anti-vax movement. There is a sort of herd immunity if all machines are patched as malware has a harder time replicating and spreading with less compromised machines to do so. But there are people who persistently refuse to patch because of some perception that the patch itself or the patching process is more troublesome than the likelihood they will be part of an infection.

      • To be fair, that perception is rather well founded in the windows world. I tried going down that road myself back in WGA introduction time frame, but gave up soon enough.

  • by Anonymous Coward on Saturday May 13, 2017 @07:53PM (#54412165)

    I've seen security-aware people being widely ignored by technically illiterate managers and decision makers for decades. Sometimes they aren't given the tools they ask for, or their advice is ignored, or sometimes they are both ignored and still blamed when things go wrong. That's not even getting into all the ordinary folks buying low-security or pre-backdoored IoT devices, and the intrusion of the internet into everyday things like cars and televisions.

    Sometimes I think something really nasty has to happen before people will wake up. But then when I think about it some more, I don't believe that would help either. The wrong message would be taken. Instead of adopting good security practices, it would instead be a series of laws that managed to be both misguided, harmful, and utterly useless for solving the real problem. It would be "magical thinking" instead of really paying attention to digital security.

    Then I go have a couple beers, because fuck it.

  • It's All About ROI (Score:5, Insightful)

    by Frosty Piss ( 770223 ) * on Saturday May 13, 2017 @08:06PM (#54412195)

    It's not like most IT departments don't know these vulnerabilities exist, and there are many common reasons, some common ones being:

    A) Code written under a very tight schedule, where getting working code operational is the number one target, and the team expects to tighten up the security later but never does.

    B) Legacy code written before this type of security was much of a concern.

    The main problem with preventing this kind of thing is the Bean Counters. Generally, they will do a calculus of the possibility that they specifically will be hack, and what it will cost to tighten up the code to prevent the hack. In other words, they gamble that they will not be hacked, thus saving them the money it will cost to have their inside team or a contractor fix things. It's all about their bonus.

    Of course the Bean Counters will not admit this, but it's important to understand that the people who sign off on allocating the funds to accomplish tightening up security simply have no understanding about the actual threat verses cost, nor do they really care because it's all about ROI.

    • You might add that it's very rare that any software company cares about security from corporate perspective. You can tell that they care when they give you extra time in a sprint to make sure things are secure.
    • by Tom ( 822 )

      The main issue with the bean counters is that they (often intentionally) underestimate the probability of a flaw being exploited.

      If exploiting the flaw will give the attacker some kind of financial or otherwise interesting profit, even indirectly (like exploiting a OS flaw to deploy ransomware) then given a sufficient timeframe, the probability that the flaw will be found and exploited is close to 100%.

      I know this is a bit of "hire me" since I'm an IS Architect, but IT is going to become a lot more expensiv

    • by StormReaver ( 59959 ) on Sunday May 14, 2017 @07:22AM (#54413353)

      Neither (A) nor (B) apply in this case, but rather:

      C) Organizations insist on using an operating system that has been known for decades to have more severe security holes than Swiss cheese, but which the (only!) vendor refuses to fix until its too late (if even then).

  • It's almost as if someone saw this coming. []

  • by divec ( 48748 ) on Saturday May 13, 2017 @10:27PM (#54412535) Homepage

    What does it say about the NSA, if lone security researcher finds and activates a kill switch before they do?

    So they can snoop on and store an entire nation's web traffic and email, but they can't analyse a small piece of malware, notice it queries some domain name, and then discover (in a test environment) that the existence of the domain stops the malware from propagating? And then activate the domain to give the world a few hours respite?

    Sure, now there's a new version without a kill switch, but the brief respite will have given millions of people the opportunity to secure their machines. It seems a pretty pathetic state of affairs when the NSA pours vast sums of money into nefarious snooping, yet can't keep pace with a single security researcher when it comes to *actually* helping keeping the nation secure.

    Same goes for other countries' intelligence agencies, e.g. GCHQ.

    • by Anonymous Coward

      What? you want them to violate the DMCA to reverse engineer the code.

    • The kill switch is in the malware, not in the underlying Windows code. It's probably not exploitable for intelligence activity. Why would the NSA/CIA/FBI/whatever care about it as long as it doesn't infect their computers? (Which they probably back up regularly and, one suspects, probably don't run on Windows)

  • Hashes or GTFO. This is as fake news as fake can get.

The moon is a planet just like the Earth, only it is even deader.