WannaCry — New Variants Detected!

One new wave stopped today, but the worst is yet to come

Read More: Part 1 — Part 2 — Part 3 — Part 4 @msuiche (Twitter)

UPDATE: Latest development (15May): Attribution and links to Lazarus Group

UPDATE2: — Decrypting files

As a follow-up article on WannaCry, I will give a short brief on the new variants found in the wild today, on actually infected machines rather than in a lab.

In short, one is a false positive some researchers uploaded to virustotal.com and the other is legit but we stopped it when I registered the new kill-switch domain name.

Update: At the time the tweet below was posted, the new kill-switch domain had stopped ~10K machines in 76 different countries from spreading the infection of the new variant.

On Friday 12 May 2017, MalwareTechBlog registered the first kill switch (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com), which made it possible to slow down the infection rate of the WannaCry ransomware. This is sample 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c.

Protecting the Internet one domain at a time — Second killswitch registered on Sunday 14 by myself.

Today (14 May 2017), 2 new variants appeared. One is working and I blocked it by registering its new kill-switch domain; the second is only partially working because it only spreads and does *not* encrypt files, due to a corrupted archive.

  • Legit. A new variant was caught by @benkow_ in the wild and sent to me for analysis. I reversed it and found a new kill-switch (ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com), which I immediately registered to stop the new wave of global attacks. Then, I synchronized with @MalwareTechBlog and @2sec4u to map the new domain to sinkhole name servers to feed the live interactive infection map. This is sample 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.
  • False positive. A new variant with no kill-switch, recovered by Kaspersky from a virustotal.com upload and not detected in the wild. This build only works *partially*, as the ransomware archive is corrupted; the spreading still works though. This is sample 07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd.

New variants

All the variants in the wild are the following:

Name          : 07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd
LastWriteTime : 5/14/2017 5:56:00 PM
MD5           : D724D8CC6420F06E8A48752F0DA11C66
SHA2          : 07C44729E2C570B37DB695323249474831F5861D45318BF49CCF5D2F5C8EA1CD
Length        : 3723264

Name          : 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
LastWriteTime : 5/13/2017 7:26:44 AM
MD5           : DB349B97C37D22F5EA1D1841E3C89EB4
SHA2          : 24D004A104D4D54034DBCFFC2A4B19A11F39008A575AA614EA04703480B1022C
Length        : 3723264

Name          : 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf
LastWriteTime : 5/14/2017 4:11:45 PM
MD5           : D5DCD28612F4D6FFCA0CFEAEFD606BCF
SHA2          : 32F24601153BE0885F11D62E0A8A2F0280A2034FC981D8184180C5D3B1B9E8CF
Length        : 3723264

New variant with kill switch

32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf

As seen below, this is the new kill switch address (ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com) found in the 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf sample, shared by @benkow_ with me via his honeypot VM. It took me less than a minute once I had the new sample to reverse it and extract the new address to register it.
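The triage step described above, as an added example that is not part of the original post: a small Python script that hashes a dropper, matches it against the three SHA-256 values listed in this article, and pulls candidate kill-switch domains out of its strings. The sample blobs and the long-label ".com" heuristic are my own constructions, not the author's tooling.

```python
import hashlib
import re

# Indicators copied from the post: SHA-256 of the three droppers and the two
# published kill-switch domains. Nothing here comes from running the samples.
KNOWN_DROPPERS = {
    "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c": "original (kill switch iuqerf...)",
    "32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf": "new variant (kill switch ifferf...)",
    "07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd": "patched variant (no kill switch)",
}
KILL_SWITCH_DOMAINS = {
    "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
}
# Heuristic (an assumption, not a rule): both published kill-switch domains are
# one long lowercase alphanumeric label under .com, so look for that shape.
CANDIDATE_RE = re.compile(rb"[a-z0-9]{30,60}\.com")


def triage(sample: bytes) -> dict:
    """Classify a dropper blob by SHA-256 and report kill-switch domains found in it."""
    sha256 = hashlib.sha256(sample).hexdigest()
    found = {m.group(0).decode() for m in CANDIDATE_RE.finditer(sample)}
    return {
        "sha256": sha256,
        "variant": KNOWN_DROPPERS.get(sha256, "unknown sample"),
        "kill_switch": sorted(found & KILL_SWITCH_DOMAINS),
        # Unknown long domains are what a defender would want to register/sinkhole.
        "candidate_domains": sorted(found - KILL_SWITCH_DOMAINS),
        "has_kill_switch": bool(found),
    }


# Constructed stand-ins, not real samples: a fake MZ header followed by the
# string region that carries (or, in the patched build, no longer carries) the URL.
FAKE_NEW_VARIANT = b"MZ" + b"\x00" * 64 + b"http://www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com\x00"
FAKE_NO_KILL_SWITCH = b"MZ" + b"\x00" * 64 + b"\x90" * 56 + b"\x00"

if __name__ == "__main__":
    for name, blob in (("new-variant", FAKE_NEW_VARIANT), ("patched", FAKE_NO_KILL_SWITCH)):
        print(name, triage(blob))
```

Run it against real files by passing `open(path, "rb").read()` to `triage`; a hit in `candidate_domains` is a domain nobody has registered yet and deserves a second look.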

The variants 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c and 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf both drop the same files and archives.

Kaspersky told me they also detected the above variant: MD5 d5dcd28612f4d6ffca0cfeaefd606bcf was first seen by one of their users in Russia at 01:53:26 GMT (2017-05-14 01:53:26.0).

Name          : stage2-1-24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
LastWriteTime : 5/12/2017 10:06:10 PM
MD5           : 84C82835A5D21BBCF75A61706D8AB549
SHA2          : ED01EBFBC9EB5BBEA545AF4D01BF5F1071661840480439C6E5BABE8E080E41AA
Length        : 3514368

Name          : stage2-2-32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf
LastWriteTime : 5/14/2017 4:42:09 PM
MD5           : 84C82835A5D21BBCF75A61706D8AB549
SHA2          : ED01EBFBC9EB5BBEA545AF4D01BF5F1071661840480439C6E5BABE8E080E41AA
Length        : 3514368

New variant with no kill-switch (shared by Kaspersky)

Costin Raiu, Director of Global Research and Analysis Team at Kaspersky Lab, shared the 07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd sample with me for a second opinion.

As said in the introduction, this build only works *partially*: the ransomware archive is corrupted, but the spreading part using ETERNALBLUE and DOUBLEPULSAR still works. The archive only partially decompresses, although the password in the code is the same.

The above variant, MD5 d724d8cc6420f06e8a48752f0da11c66, has not been seen by any of Kaspersky's users (nobody has been hit with it yet). It was first scanned on VT at 2017-05-14 13:05:36.

This sample was discovered after the initial variant I received today. My analysis follows below.

07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd

I concluded that this no-kill-switch sample had been binary-patched rather than recompiled, for two reasons:

  • The padding space is still exactly 0x48 bytes between the expected string pointer and the _RTL_CRITICAL_SECTION CriticalSection structure.
  • The basic block flow has been altered, as can be seen in the above screenshot. The binary still contains the regular code that was supposed to execute when the domain name is reachable.

This variant drops different files. I am still analyzing what differs between the two versions.

Name          : stage2-1-24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
LastWriteTime : 5/12/2017 10:06:10 PM
MD5           : 84C82835A5D21BBCF75A61706D8AB549
SHA2          : ED01EBFBC9EB5BBEA545AF4D01BF5F1071661840480439C6E5BABE8E080E41AA
Length        : 3514368

Name          : stage2-2-32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf
LastWriteTime : 5/14/2017 4:42:09 PM
MD5           : 84C82835A5D21BBCF75A61706D8AB549
SHA2          : ED01EBFBC9EB5BBEA545AF4D01BF5F1071661840480439C6E5BABE8E080E41AA
Length        : 3514368

Name          : stage2-3-07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd-nokillswitch
LastWriteTime : 5/14/2017 7:06:02 PM
MD5           : 7F7CCAA16FB15EB1C7399D422F8363E8
SHA2          : 2584E1521065E45EC3C17767C065429038FC6291C091097EA8B22C8A502C41DD
Length        : 3514368

Conclusion

As I reported to the New York Times on Friday, new variants were to be expected.

The fact that the no-kill-switch variant is only partially working is most likely a temporary mistake by the attackers. Remember, even though the ransomware decompression is not working, the spreading through ETERNALBLUE and DOUBLEPULSAR is still working.

The fact that I registered the new kill-switch today to block the new waves of attacks (sinkhole.tech reported to me that they are receiving hits) is only temporary relief. It does not resolve the real issue, which is that many companies and critical infrastructures still depend on legacy and out-of-support operating systems.