What about WannaCry 2.0? Improvements of the ransomware code would have unpredictable consequences

Pierluigi Paganini May 14, 2017

WannaCry made the headlines with the massive Ransomware attack that hit systems worldwide, what about an improved version?

WannaCry made the headlines with the massive ransomware attack that hit systems worldwide.

The malware targeted organizations across 99 countries; it leverages a Windows SMB exploit to compromise unpatched systems or computers running unsupported versions of Windows.


WannaCry uses the NSA EternalBlue exploit and DoublePulsar backdoor to infect other connected Windows systems on the same network; the malware implements network worm capabilities that allow it to spread rapidly.

“The special criticality of this campaign is caused by exploiting the vulnerability described in bulletin MS17-010 using EternalBlue / DoublePulsar, which can infect other connected Windows systems on the same network that are not properly updated. Infection of a single computer can end up compromising the entire corporate network.” states the security alert issued by the CERT.

“The ransomware, a variant of WannaCry, infects the machine by encrypting all its files and, using the vulnerability mentioned in the previous paragraph that allows the execution of remote commands through Samba (SMB), is distributed to other Windows machines in that same network.”

The DOUBLEPULSAR backdoor allows attackers to inject and execute malicious code on a target system; it is installed by leveraging ETERNALBLUE, an SMBv1 (Server Message Block 1.0) exploit that can trigger remote code execution in older versions of Windows (Windows XP to Server 2008 R2).

While investigating the threat, security researcher MalwareTech discovered the presence of a “kill switch” in the malware's code that, once triggered, stops its diffusion.

https://twitter.com/MalwareTechBlog/status/863187104716685312

The expert discovered that the malware checks for the presence of a specific domain before starting the infection process, so MalwareTech registered the domain, sinkholing the malicious code.

At this point something changed: the attackers took countermeasures to disable the kill switch.
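The following is an added illustration, not code from the article or from any of the researchers it quotes. It models the two sides of the kill-switch story in the paragraphs above: the gate itself (the sample attempts to resolve a hard-coded domain and stops when the lookup succeeds, which is why registering the domain halted the original sample, and why a variant with the check removed is unaffected by the sinkhole), and a defender-side check that scans DNS query logs for lookups of the kill-switch domain, which flags hosts on which the sample has already executed and reached its gate. The domain name, the resolver stand-in and the log lines are all constructed placeholders; the real domain is not reproduced here.

```python
"""Kill-switch gate and DNS-log detection, modelled for illustration.

Everything here is an assumption for the example: the domain is a
placeholder (not the real kill-switch domain), the resolver is a stand-in
for DNS, and the log lines are constructed in a BIND-like query-log shape.
"""
import re
from collections import Counter

# PLACEHOLDER domain, chosen for the example; not the real indicator.
KILL_SWITCH_DOMAIN = "killswitch-placeholder.example"


def make_resolver(registered):
    """Stand-in for DNS: a name resolves only if someone has registered it."""
    registered = {name.lower() for name in registered}
    return lambda name: name.lower() in registered


def kill_switch_halts(resolve, domain=KILL_SWITCH_DOMAIN, check_present=True):
    """Return True if the sample would stop before infecting anything.

    `resolve` is a callable returning True when the name resolves.
    `check_present=False` models a variant whose domain check has been
    patched out: the sinkholed domain then has no effect at all.
    """
    if not check_present:
        return False
    return resolve(domain)


# Constructed BIND-style query-log line shape; adjust the regex for a real resolver.
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<ip>[\d.]+)#\d+(?: \([^)]*\))?: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def find_kill_switch_lookups(log_lines, domain=KILL_SWITCH_DOMAIN):
    """Count lookups of the kill-switch domain per source host.

    A hit means the sample has run on that host and reached its gate;
    whether the lookup succeeded (sinkhole registered or not) does not
    change that the host needs attention. Returns {ip: count}.
    """
    hits = Counter()
    wanted = domain.lower()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not query records
        if m.group("qname").rstrip(".").lower() == wanted:
            hits[m.group("ip")] += 1
    return dict(hits)


# Constructed sample log: two hosts query the placeholder domain, one does not.
SAMPLE_LOG = [
    "12-May-2017 15:42:01.101 client 10.0.0.5#49152 (killswitch-placeholder.example): "
    "query: killswitch-placeholder.example IN A + (10.0.0.1)",
    "12-May-2017 15:42:03.204 client 10.0.0.7#51003 (www.example.org): "
    "query: www.example.org IN A + (10.0.0.1)",
    "12-May-2017 15:42:05.330 client 10.0.0.5#49153 (killswitch-placeholder.example): "
    "query: KILLSWITCH-PLACEHOLDER.EXAMPLE. IN A + (10.0.0.1)",
    "12-May-2017 15:42:09.812 client 10.0.0.9#50211 (killswitch-placeholder.example): "
    "query: killswitch-placeholder.example IN AAAA + (10.0.0.1)",
    "malformed line that the parser must skip",
]


if __name__ == "__main__":
    unregistered = make_resolver(set())
    sinkholed = make_resolver({KILL_SWITCH_DOMAIN})
    print("original sample, domain unregistered, halts:", kill_switch_halts(unregistered))
    print("original sample, domain sinkholed, halts:   ", kill_switch_halts(sinkholed))
    print("check removed, domain sinkholed, halts:     ",
          kill_switch_halts(sinkholed, check_present=False))
    print("hosts that reached the gate:", find_kill_switch_lookups(SAMPLE_LOG))
```

The per-host counts are what a responder would pivot on: each source IP in the result has executed the sample, so isolating and patching those hosts matters regardless of whether the sinkhole stopped the worm on that occasion.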

The security researcher and malware analyst Luciano Martins is warning of a new variant of the dreaded ransomware that has no kill switch in its code.

it was too early in the research to call #WannaCry 2.0 killswitch remove

— Luciano Martins (@clucianomartins) May 13, 2017

Martins explains that it is too early to speak of a WannaCry 2.0 version; nonetheless, experts believe that threat actors in the wild could improve the threat.

If a variant without a kill switch is used in a new campaign, it is easy to foresee a situation that is difficult to contain, given the huge number of unpatched systems.

“The next attacks are inevitable, you can simply patch the existing samples with a hex editor and it’ll continue to spread. We will see a number of variants of this attack over the coming weeks and months so it’s important to patch hosts.” Matthew Hickey, a security expert and co-founder of Hacker House told The Hacker News.

Hundreds of thousands of unpatched systems are still exposed on the Internet and vulnerable to the WannaCry ransomware attack. This attack relied exclusively on the SMB exploit, but a possible future attack scenario sees the threat spreading via phishing or drive-by-download attacks.

“The worm can be modified to spread other payloads not just WCry and we may see other malware campaigns piggybacking off this sample's success.” Hickey added.

Below is an interesting demo of a WannaCry ransomware infection shared by Matthew; the videos were first published by the friends at The Hacker News, but I believe it is essential to share them here too.

To mitigate the threat, users have to install security patches and disable SMBv1, as the experts suggest.

https://twitter.com/MalwareTechBlog/status/863191272969973760

Microsoft took the unusual step of protecting its customers by releasing patches for Windows Server 2003 (SP2 x64 / x86); Windows XP (SP2 x64, SP3 x86); Windows XP Embedded (SP3, x86); as well as the 32-bit and 64-bit versions of Windows 8.

The Spanish CERT has released a script for temporarily (until reboot) mitigating the #WannaCry infection.

Spanish CERT has released a script for temporarily (until reboot) mitigating the #WannaCry infection https://t.co/03EaRz8Ltt

— Mario Procopio (@The_Proc) May 14, 2017

UPDATE

A new variant with a new Kill Switch has been detected.

https://twitter.com/msuiche/status/863743165496426496


Pierluigi Paganini

(Security Affairs – WannaCry ransomware, cybercrime)
