Companies, governments brace for a second round of cyberattacks in WannaCry’s wake

As the world readies to open for business on Monday, companies and governments are bracing for a second round of cyberattacks in the aftermath of Friday’s WannaCry hack.

Indeed, security experts are already warning that a new version of WannaCry has emerged over the weekend that doesn’t have the kill switch protocol that stopped the initial version of the cyberattack late on Friday.

Earlier today, the U.K.’s National Cyber Security Center issued a new warning about the possibility of another attack.

Since the global coordinated ransomware attack on thousands of private and public sector organisations across dozens of countries on Friday, there have been no sustained new attacks of that kind.  But it is important to understand that the way these attacks work means that compromises of machines and networks that have already occurred may not yet have been detected, and that existing infections from the malware can spread within networks.

This means that as a new working week begins it is likely, in the UK and elsewhere, that further cases of ransomware may come to light, possibly at a significant scale.

By the end of the workday on Friday, when the initial version of the WannaCry hack was detected, hundreds of thousands of computers were affected.

When workers in Asia wake up on Monday morning, security experts expect another wave of computers to be exposed to the ransomware attack.

The New York Times reported that some security industry observers are saying that the second wave of attacks has already begun.

Writing on his blog, Matt Suiche, the founder of Comae Technologies, elaborated on some of the new variants of the ransomware that cybersecurity specialists are finding in the wild.

Today (14 May 2017), 2 new variants appeared. One working which I blocked by registering the new domain name, and the second which is only partially working because it only spreads and does *not* encrypt files due to a corrupted archive.

A new variant had been caught by @benkow_ and sent to me for analysis. I reversed it and found a new kill-switch ( which I immediately registered to stop the new wave of global attacks. Then, I synchronized with @MalwareTechBlog and @2sec4u to map the new domain to sinkhole name servers to feed the live interactive infection map. This is 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.

A new variant with no kill-switch caught by Kaspersky. Although, this build does only work *partially* as the ransomware archive is corrupted — the spreading still works though. This is 07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd.

And the anonymous cybersecurity researcher who discovered the kill switch on the original malware attack has his own warning for system administrators.

By now, you’re likely aware that the original malware attack originated from leaked code developed by the National Security Administration. The attack worked by exploiting a flaw in Microsoft Windows. Although Microsoft had provided a patch for the software several months ago, not everyone updated their systems, which led to the vulnerabilities that the still-anonymous hackers exploited.

According to this Symantec explainer, the ransomware encrypts data files and asks users to pay a bitcoin ransom of $300, which doubles if payment isn’t made after three days. After a week, the encrypted files will be deleted.


Figure 1 Ransom demand screen displayed by WannaCry Trojan

If you’re curious how Ransomware attacks work, here’s a primer from security firm Carbon Black.

Companies affected by the attacks included the Spanish telecommunications company, Telefonica, Gas Natural and electricity provider Iberdrola. National Health Services hospitals in the UK were also affected by the attack. As was FedEx in the U.S. and Renault in France.

The attacks also hit Germany’s rail system, Russia’s Interior Ministry and universities around China, according to reports in The New York Times. 

“It’s no surprise that over 45,000 targets across the globe were attacked by the WannaCry ransomware,” wrote Mark Kuhr, the co-founder and chief technology officer of the white hat penetration testing and bug bounty hunting startup Synack. “The frequency of these attacks will continue to rise exponentially because ransomware is such a lucrative business for criminal enterprises. A recent IBM survey of 1,000 business professionals found that 60% of victims are willing to pay ransom to get data back safely.”

Part of what makes these attacks so inevitable is the availability of these tools to almost anyone. Would-be hackers don’t even need to be that skilled to deploy these kinds of malware programs.

Thanks to groups like Shadow Brokers, which leaked the National Security Agency’s hacking tools, malware like the kind that seized systems around the globe are available to anyone with an internet connection.