grandeduc - Fotolia
Security researchers found unexpectedly high detection rates for thousands of WannaCry variants.
WannaCry, a wormable type of ransomware, spread across the globe in 2017 but was abruptly halted when a kill switch URL was discovered by Marcus Hutchins and Jamie Hankins, U.K-based researchers working for Kryptos Logic, a cybersecurity firm based in Los Angeles. Hutchins and Hankins registered the URL and that acted as a kill switch which stopped the ransomware from encrypting data, but Sophos researchers have found that alterations in that URL have allowed WannaCry to continue to spread.
According to a report written by Sophos researchers, including Peter Mackenzie, global malware escalations manager at Sophos, the company logged over 5.1 million detections of WannaCry between Oct. 1, 2018 and Dec. 31, 2018. In these detections, Sophos identified more than 12,000 unique WannaCry variants. Of these WannaCry variants, 10 accounted for 66.7% of detections, and 476 of the files made up 98.8% of detections.
Mackenzie and Andrew Brandt, principal researcher at Sophos, told SearchSecurity the majority of unique WannaCry variants were likely caused by slight differences in how the archive was corrupted. Brandt added another guess as to why there are "so many broken copies floating around."
"One working hypothesis is that errors in replication as a result of incomplete transmission of the malware from an infected to an uninfected-but-vulnerable machine may be the root cause of this, but we haven't observed it in action," Brandt said. "Remember, it only takes a single byte to be different for a file's hash to be unique."
The researchers analyzed nearly 3,000 of the WannaCry variants and discovered alterations that caused the malware to skip the kill switch check, which meant the ransomware could continue to spread but the encryption element would still be broken.
"Without the kill switch they spread more effectively, and with no encryption they stay hidden on a network, drawing little attention from users or admins," researchers wrote in the report. "Infected computers benefit, slightly, from a feature of the malware that seeks to avoid duplication of effort: if a computer targeted for infection by a 'potent' version of WannaCry has already been infected with a corrupted version of WannaCry, the dangerous version ignores the infected computer, and moves on to the next victim."
However, researchers stressed that this should not be taken as an endorsement of using broken WannaCry variants as a sort of "vaccine" against new infections.
"To get infected in the first place, even with an (essentially) inert variant, means the computer is not patched against the EternalBlue exploit," researchers wrote. "If you haven't patched against that exploit, then it is highly likely you haven't patched at all in the last two or more years, and this could leave you at risk of a huge number of threats, many far worse than WannaCry."
The WannaCry mystery
One of those threats that would be worse than the current impotent WannaCry variants would be a version of the ransomware that was made functional again. But experts are unsure why that hasn't happened yet.
Kevin Beaumont noted on Twitter that all of the WannaCry variants seem to have the same flaw that was introduced early in the ransomware's life in 2017, and added that "you could restart WannaCry's impact by fixing it, technically."
Been arguing this for years. After kill switch was activated some vendors tried to create fear by reporting on "new" variants. The new variants were actually just skids hex editing the kill switch, resulting in corruption of the binary (thus disabling the ransomware component). https://t.co/z0e4PFHXAW— MalwareTech (@MalwareTechBlog) September 18, 2019
Mackenzie told SearchSecurity that the risk from the "broken" WannaCry infections is "limited to causing a nuisance and taking up network bandwidth," but Brandt added that there was nothing stopping a threat actor from making WannaCry actively malicious since the kill switch has been bypassed.
"If the original creator of WannaCry wanted to, they could make some modifications to change, for example, the anti-duplication behaviors or the kill switch domain in the malware and re-release it, and these vulnerable machines would be powerless to prevent themselves from being infected, again," Brandt said. "But if the assumption is accurate that the malware originated with a regime hostile to western society as a whole, and to the U.S. in particular, it's possible they're holding back for some reason that isn't outwardly apparent to outsiders."