Patch old PCs now: New WannaCry ransomware variants found (UPDATED)
New ransomware variants of the WannaCry virus that devastated industries on a global level beginning Friday have been spotted in the wild in infected computers, according to Cybersecurity firm Comae Technologies Founder Matt Suiche.
MalwareTechBlog initiated a kill switch on Friday for the first variant that locked down 20 percent of the U.K. National Health Service, but it doesn’t help computers already infected by the virus.
Further, Suiche stopped another variant when he registered the new kill-switch domain name, but said industries must expect that there is still more to come. Suiche is working with MalwareTechBlog and Security Firm Kryptos Logic to map the domain and sinkhole servers.
[Also: Researcher finds 'kill switch', slows down global ransomware attack]
It’s these group efforts will help curb the spread of the virus.
“Ransomware is just a large puzzle,” said Fabian Woser, chief technology officer for Emsisoft, an anti-malware vendor. “The more intelligent people are working on these puzzles, they more likely they can find a solution for its victims.”
Security companies and law enforcement scour ransomware to find mistakes, which “allows them to crack the code,” Woser said. “This works for small actors looking for a quick buck, but not for major ransomware strains, created by smarter entities, who take the time to create flawless programs.”
[Also: Microsoft issues WannaCry security patch for XP, blasts US for 'stockpiling vulnerabilities']
“Not only that, the most successful hackers continually evolve the ransomware program and their methods, which makes them so secure,” he said. Locky and Cryptolocker -- two of the most successful strains of 2016 -- are two that are seemingly impossible to decrypt.
And WannaCry seems to be on par with these two successful variants.
The newest strains install the same files and archives as the initial attack, encrypting anything the virus can reach on a computer like hard drives and external storage devices. It then performs a scan to find and move to new systems not protected against the malware.
"WannaCry is widely touted as the world's first ransomworm: i.e. a type of ransomware with the ability to self-propogate without user intervention or interaction," Director of Privacy and Security for HIMSS North America Lee Kim said in a blog post. "The success of the WannaCry ransomware is based upon one tried and true fact: Many individuals and organizations don't patch their systems in a timely manner."
[Also: 75% of health orgs live below cybersecurity poverty line]
Security firm Recorded Future first saw the WannaCry virus in the wild on March 31, but the new version responsible for the global chaos over the weekend has been modified with ‘worm-like’ capabilities that allow the virus to spread through any networked system not patched via NetBIOS.
The ransomware also generates random IP addresses not limited to local networks, which means WannaCry may also be able to spread online if websites allow NetBIOS packets from outside networks, according to McAfee researchers.
The security flaw is thought to be one of the zero-day vulnerabilies released as part of the WikiLeaks NSA cache.
[Also: The biggest healthcare breaches of 2017 (so far)]
No federal agencies have been affected, Homeland Security Adviser Tom Bossert said during a White House press conference. Right now there are three definitive variants. And as the worm is already in the wild, patching systems should be the most important focus right now.
"The bottom line for the consumer is to patch your system, make sure automatic updates are turned on and make sure your IT team is patching your system," Bossert said. "Analysis and investigation will reveal why some industries were hit harder than others."
As for who's to blame, Bossert explained that attribution is hard right now. But the "best and brightest are working toward finding out who did this."
Learn more about keeping your data safe. Webinar: Preventing and Dealing with Ransomware Attacks June 15, 2017. Register here.
Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com