
Cybersecurity

Experts expect a surge in ransomware attacks this week – this time without a “kill switch”

Published 15 May 2017

A second version of the disruptive WannaCry ransomware – a version which does not contain the “kill switch” used by a young security analyst to shut down many of last week’s cyberattacks – is set to be released by the same group of hackers. There are fears that Monday could see a surge in the number of computers taken over by the devastating WannaCry ransomware hack. Rob Wainwright, head of the European Union police agency, Europol, warned anyone who thought the problem was going away was mistaken. “At the moment, we are in the face of an escalating threat. The numbers are going up, I am worried about how the numbers will continue to grow when people go to work and turn (on) their machines on Monday morning,” he said.

Major ransomware attack expected this week // Source: theconversation.com

A second version of the disruptive WannaCry ransomware – a version which does not contain the “kill switch” used by a young security analyst to shut down many of last week’s cyberattacks – is set to be released by the same group of hackers. Costin Raiu, of cybersecurity firm Kaspersky Lab, told Hacker News that his firm had already seen versions of the malware which did not contain the website domain name used to shut down the program.

He later backtracked, saying this was not actually the case. 

Hacker News quotes other experts who warned it was only a matter of time before this did happen. These experts urged people to install a security patch released by Microsoft specifically to deal with WannaCry.

An unregistered web address was hidden in the code, and the virus would always try to contact that address when first infecting a computer. If it received a reply from that address, it would shut down, but if not, it would carry out the attack.

A 22-year-old security analyst who goes by the name MalwareTech registered the website, unknowingly activating the shutdown process.

He warned, however, that it would not be difficult for the hackers to change the coding in a “worm” used to infect computers with WannaCry in order to remove the domain name.

MalwareTech also told Hacker News that they had only stopped one version of WannaCry, which is known by various versions of the name.

“WannaCrypt ransomware was spread normally long before this and will be long after, what we stopped was the SMB worm variant,” he said, referring to the program that affected nearly a fifth of NHS Trusts in England and many businesses and government departments around the world.

In a message on Twitter, he wrote: “Version 1 of WannaCrypt was stoppable but version 2.0 will likely remove the flaw. You’re only safe if you patch ASAP.”

He also retweeted a message saying people who were unable to patch their computer could disable Server Message Block version 1 (SMBv1), linking to Microsoft’s instructions about how to do this. 

There are fears that Monday could see a surge in the number of computers taken over by the devastating WannaCry ransomware hack.

Rob Wainwright, head of the European Union police agency, Europol, warned anyone who thought the problem was going away was mistaken.

“At the moment, we are in the face of an escalating threat. The numbers are going up, I am worried about how the numbers will continue to grow when people go to work and turn (on) their machines on Monday morning,” he said.

Christian Karam, a Singapore-based security researcher, underlined this point.

“Expect to hear a lot more about this tomorrow [Monday] morning when users are back in their offices and might fall for phishing emails” or other scams, he said.