This article is more than 1 year old
Ransomware scum have already unleashed kill-switch-free WannaCrypt variant
Researchers warn over new Uiwix strain
Miscreants have launched a ransomware worm variant that abuses the same vulnerability as the infamous WannaCrypt malware.
Danish firm Heimdal Security warned on Sunday that the new Uiwix strain doesn't include a kill-switch domain, like the one that proved instrumental in minimising the harm caused by WannaCrypt last week, although this is subject to some dispute.
"As far as I know there's only been two variants (one this morn) and none without [a kill]switch," security researcher Dave Kennedy told El Reg. Other researchers, including Kevin Beaumont, are also telling us they haven't yet seen a variant of WannaCrypt without a kill switch.
What isn't in question is that follow-up attacks based on something similar to WannaCrypt are likely and that systems therefore really need protecting. Black hats might well create a worm that attacks the same Windows vulnerability more stealthily to install a backdoor on the many vulnerable systems still out there, for example.
The WannaCrypt ransomware spread to devastating effect last week using worm -like capabilities that relied on a recently patched vulnerability in Microsoft's SMB file-sharing services (MS17-010). WannaCrypt used a purloined EternalBlue exploit originally developed by the US National Security Agency before it was leaked by the Shadow Brokers last month.
WannaCrypt's victims included the National Health Service, Spain's Telefónica and numerous other organisations across the world. A techie at Telefónica *initially* claimed the initial infection vector was a phishing email but this claim has since been retracted. The scale of the attack prompted Microsoft to take the highly unusual step of releasing patches for unsupported operating systems, including Windows XP. ®