Broken WannaCry variants continuing to spread

Security researchers found unexpectedly high detection rates for thousands of WannaCry variants.

WannaCry, a wormable type of ransomware, spread across the globe in 2017 but was abruptly halted when a kill switch URL was discovered by Marcus Hutchins and Jamie Hankins, U.K-based researchers working for Kryptos Logic, a cybersecurity firm based in Los Angeles. Hutchins and Hankins registered the URL and that acted as a kill switch which stopped the ransomware from encrypting data, but Sophos researchers have found that alterations in that URL have allowed WannaCry to continue to spread.

According to a report written by Sophos researchers, including Peter Mackenzie, global malware escalations manager at Sophos, the company logged over 5.1 million detections of WannaCry between Oct. 1, 2018 and Dec. 31, 2018. In these detections, Sophos identified more than 12,000 unique WannaCry variants. Of these WannaCry variants, 10 accounted for 66.7% of detections, and 476 of the files made up 98.8% of detections.

Mackenzie and Andrew Brandt, principal researcher at Sophos, told SearchSecurity the majority of unique WannaCry variants were likely caused by slight differences in how the archive was corrupted. Brandt added another guess as to why there are "so many broken copies floating around."

"One working hypothesis is that errors in replication as a result of incomplete transmission of the malware from an infected to an uninfected-but-vulnerable machine may be the root cause of this, but we haven't observed it in action," Brandt said. "Remember, it only takes a single byte to be different for a file's hash to be unique."

The researchers analyzed nearly 3,000 of the WannaCry variants and discovered alterations that caused the malware to skip the kill switch check, which meant the ransomware could continue to spread but the encryption element would still be broken.

"Without the kill switch they spread more effectively, and with no encryption they stay hidden on a network, drawing little attention from users or admins," researchers wrote in the report. "Infected computers benefit, slightly, from a feature of the malware that seeks to avoid duplication of effort: if a computer targeted for infection by a 'potent' version of WannaCry has already been infected with a corrupted version of WannaCry, the dangerous version ignores the infected computer, and moves on to the next victim."

However, researchers stressed that this should not be taken as an endorsement of using broken WannaCry variants as a sort of "vaccine" against new infections.

"To get infected in the first place, even with an (essentially) inert variant, means the computer is not patched against the EternalBlue exploit," researchers wrote. "If you haven't patched against that exploit, then it is highly likely you haven't patched at all in the last two or more years, and this could leave you at risk of a huge number of threats, many far worse than WannaCry."