WannaCry is still the smallpox of infosec. But the latest strain (sort of) immunises its victims

Whatever you do, don't pay the ransom

Analysis WannaCry – the file-scrambling ransomware that infamously locked up Britain's NHS and a bunch of other organisations worldwide in May 2017 – is still a live-ish threat to this day, infosec researchers reckon.

By simply observing the internet for telltale signs of the malware strain – also known as WannaCrypt – Brit security software outfit Sophos spotted newer variants still doing the rounds. Thankfully, though, the component that encrypts victims' data and holds it to ransom has itself become corrupted in these variants, so the extortion isn't working as intended.

About a year-and-a-half after the nasty surfaced, Sophos reckoned it had picked up more than five million detections (i.e. detection events, not individual machines) of the original WannaCry signature.

"As nearly every machine that can install the EternalBlue patch has already done so, why are there still so many detections?" Sophos asked. "All we really know about the infected machines that attempt to spread the infection is that they don't have a working antivirus product (certainly not ours) on them."

Data analysis revealed something surprising: of 12,281 WannaCry-related files the company picked up, just 40 were the original 2017 version, "a number so low that it could easily be attributed to testing" by malware authors and other criminals.

Ten files in the wider sample "accounted for 3.4 million" detections in total. None of these appeared to have been halted by the kill-switch domain discovered by Marcus "MalwareTech" Hutchins, who was later targeted by the FBI, the US law enforcement agency, during a visit to the Black Hat and DEF CON conferences in the USA over malware he wrote as a teenager.

Alterations in the newer, evolved samples of WannaCry found by Sophos showed that a kill-switch bypass had been incorporated into them. The firm noted that "the changes appear to have been made via the use of a hex editor rather than through recompilation of the original source code. This suggests that these changes were not made by the original creators."

It's like cowpox

There is hope, however. WannaCry consists of two parts: a component that spreads the malware to other machines, and the payload, a zip archive that extracts itself and encrypts everything within reach. In the newer variants, Sophos found, the zip archive was corrupt.

"Everything now made sense," said the firm. "The large volume of detections were due to the lack of a kill switch, with nobody complaining about encrypted files because almost every sample seen in the wild had a corrupt archive that doesn't encrypt anything."
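To make the distinction between an intact payload archive and a damaged one concrete, here is an added Python example, not code from the article or from Sophos, that triages an embedded zip the way an analyst might when deciding whether a sample could actually encrypt anything. The member names, their contents and the single byte-flip that damages the archive are all constructed for this example; the classification itself uses only the standard library's zipfile module.

```python
# Added example (not from the article or from Sophos): triage check that tells
# an intact embedded zip payload from a damaged one, such as the corrupt
# archives Sophos reported in newer WannaCry variants.
import io
import struct
import zipfile
import zlib

# Constructed sample members standing in for a self-extracting payload;
# names and contents are made up for this example.
SAMPLE_MEMBERS = {
    "payload.bin": b"EXAMPLE ENCRYPTOR STUB " * 4,
    "ransom_note.txt": b"constructed note text, not real ransomware content",
}


def build_sample_archive(members=SAMPLE_MEMBERS):
    """Build an in-memory zip from the constructed members. Members are stored
    rather than deflated so that damage to member data shows up as a CRC
    mismatch instead of a decompressor error."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def corrupt_member(blob, name):
    """Return a copy of the archive with the first data byte of `name` flipped,
    simulating damage that leaves the archive recognisable but unextractable."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        info = zf.getinfo(name)
    # Local file header: 30 fixed bytes, then the filename and extra field;
    # their lengths are the two uint16 values at header offsets 26 and 28.
    name_len, extra_len = struct.unpack_from("<HH", blob, info.header_offset + 26)
    data_start = info.header_offset + 30 + name_len + extra_len
    damaged = bytearray(blob)
    damaged[data_start] ^= 0xFF
    return bytes(damaged)


def assess_payload(blob):
    """Classify an archive blob as not_a_zip, unreadable, corrupt or intact.

    Every member is read to the end so that CRC mismatches, truncated
    streams and decompressor failures are all surfaced per member.
    """
    if not zipfile.is_zipfile(io.BytesIO(blob)):
        return {"status": "not_a_zip", "members": [], "bad_members": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return {"status": "unreadable", "members": [], "bad_members": []}
    bad = []
    with zf:
        members = zf.namelist()
        for info in zf.infolist():
            try:
                with zf.open(info) as member:
                    while member.read(1 << 16):
                        pass
            except (zipfile.BadZipFile, zlib.error, EOFError):
                bad.append(info.filename)
    status = "corrupt" if bad else "intact"
    return {"status": status, "members": members, "bad_members": bad}


if __name__ == "__main__":
    good = build_sample_archive()
    print("intact sample:", assess_payload(good))
    print("flipped byte: ", assess_payload(corrupt_member(good, "payload.bin")))
    print("truncated:    ", assess_payload(good[: len(good) // 2]))
```

The check deliberately reads every member to the end rather than trusting `zipfile.is_zipfile`, which only inspects the end-of-central-directory record: an archive can pass that test and still fail to extract a single file, which is exactly the state that stops the encryption stage from running.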

Handily, the corrupted version of WannaCry acts a bit like cowpox does to smallpox. If a "live" version of WannaCry detects a borked version on the machine it is intending to infect, "the dangerous version ignores the infected computer" and moves on.

(Before you write in, we're aware that this behaviour is not exactly comparable with the immunological mechanisms of a vaccination and that it is only broadly analogous.)

It's not all good news, sadly. Some people and organisations are still trying to pay off the original WannaCry crooks in response to recent infections – even though the original authors have long abandoned their Bitcoin wallets following the global focus on their activities.

"WannaCry includes three hardcoded Bitcoin addresses, to which you must send your $300 worth of Bitcoins if you choose to pay the ransom," said Sophos. The attackers are no longer monitoring incoming payments, said the company.

As ever, don't pay off ransoms. You encourage criminals in general by doing so and make the world that bit less safe. Install updates from trusted vendors, procure up-to-date security software from reputable outlets and don't click suspicious links. ®

Biting the hand that feeds IT © 1998–2022