Round Two: WannaCry Ransomware That Struck the Globe Is Back

Ransomware that emerged from a dump of alleged NSA exploits has quickly learned from its mistakes.
May 14, 2017, 1:37pm

On Friday, a variation of the WannaCry ransomware ripped across the globe, infecting UK hospitals, a Spanish telecom company, and companies in various other sectors. After several hours, the attack was suddenly blocked from spreading much further when a security researcher registered a domain which ordered the malware to stop infecting new machines.

But, as many expected, that was only a temporary fix. Over Friday and Saturday, samples of the malware emerged without that debilitating feature, meaning that attackers may be able to resume spreading ransomware even though a security researcher cut off the original wave.

"I can confirm we've had versions without the kill switch domain connect since yesterday," Costin Raiu, director of the global research and analysis team at Kaspersky Lab, told Motherboard on Saturday.

On Friday, the researcher known as MalwareTech dug through the WannaCry variant used in the recent global attack and found an unregistered domain nestled in its code: a URL that the hackers seemingly used for testing purposes, or purposefully put in so they could remotely disable their malware. As it turned out, the malware was made in such a way that before every infection it would try to call out to this domain. If there wasn't a response, it would go ahead and lock down the victim machine with ransomware. But if the domain was up and running, as it was after MalwareTech registered it, the malware would stop in its tracks.
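For defenders, the check described above leaves a trace in resolver logs. The following is an added example, not code from the article or from any researcher it names: it triages hosts by how their lookups of the kill-switch domain were answered. The domain is a placeholder (the article does not give it), the log format and sample lines are constructed, and a DNS answer is used as a stand-in for "the domain responded".

```python
from collections import defaultdict

# Placeholder: the real kill-switch domain is not given in the article.
KILL_SWITCH_DOMAIN = "killswitch-placeholder.example"

# Constructed sample resolver log: "<time> <client_ip> <queried_name> <rcode>"
SAMPLE_LOG = """\
2017-05-12T10:01:07Z 10.0.4.17 killswitch-placeholder.example NXDOMAIN
2017-05-12T10:01:09Z 10.0.4.17 updates.vendor.example NOERROR
2017-05-12T16:40:31Z 10.0.7.52 KILLSWITCH-PLACEHOLDER.example. NOERROR
2017-05-12T16:41:02Z 10.0.9.8 killswitch-placeholder.example SERVFAIL
2017-05-12T16:45:10Z 10.0.9.8 killswitch-placeholder.example NOERROR
malformed line
"""

def triage(log_text, domain=KILL_SWITCH_DOMAIN):
    """Return {client_ip: status} for every client that looked up the domain.

    Any lookup means the sample executed on that host. Following the logic
    in the article: an unanswered lookup means the ransomware went ahead,
    an answered one means it stopped.
    """
    domain = domain.lower().rstrip(".")
    rcodes = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed or truncated log lines
        _, client, name, rcode = parts
        # DNS names are case-insensitive and may carry a trailing dot.
        if name.lower().rstrip(".") == domain:
            rcodes[client].append(rcode.upper())

    status = {}
    for client, seen in rcodes.items():
        if any(r != "NOERROR" for r in seen):
            # At least one run got no answer, so encryption likely proceeded.
            status[client] = "isolate"
        else:
            # Every run was answered: the sample stopped, but it did execute.
            status[client] = "investigate"
    return status

if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_LOG).items()):
        print(host, verdict)
```

An empty result does not clear a network: the variants without the kill switch, mentioned earlier in the article, never make this lookup.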

Read full story on Motherboard.