Slashdot Mirror


Researchers Find New Version Of WanaDecrypt0r Ransomware Without A Kill Switch (vice.com)

Remember that "kill switch" which shut down the WannaCry ransomware? An anonymous reader quotes Motherboard: Over Friday and Saturday, samples of the malware emerged without that debilitating feature, meaning that attackers may be able to resume spreading ransomware even though a security researcher cut off the original wave. "I can confirm we've had versions without the kill switch domain connect since yesterday," Costin Raiu, director of the global research and analysis team at Kaspersky Lab, told Motherboard on Saturday... Another researcher confirmed they have seen samples of the malware without the kill switch.

5 of 98 comments

  1. It was only a matter of time... by toonces33 · Score: 5, Interesting

    The person who found the previous "kill switch" believes that it was actually an anti-sandboxing feature, not a kill switch.

    1. Re:It was only a matter of time... by toonces33 · Score: 5, Informative
      https://www.malwaretech.com/20...

      The reason which was suggested is that the domain is a “kill switch” in case something goes wrong, but I now believe it to be a badly thought out anti-analysis.

      In certain sandbox environments traffic is intercepted by replying to all URL lookups with an IP address belonging to the sandbox rather than the real IP address the URL points to; a side effect of this is that if an unregistered domain is queried it will respond as if it were registered (which should never happen).

      I believe they were trying to query an intentionally unregistered domain which would appear registered in certain sandbox environments; then, once they see the domain responding, they know they're in a sandbox and the malware exits to prevent further analysis. This technique isn't unprecedented and is actually used by the Necurs trojan (they will query 5 totally random domains and if they all return the same IP, it will exit); however, because WannaCrypt used a single hardcoded domain, my registration of it caused all infections globally to believe they were inside a sandbox and exit, thus we initially unintentionally prevented the spread and further ransoming of computers infected with this malware. Of course now that we are aware of this, we will continue to host the domain to prevent any further infections from this sample.
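
A defender-side illustration of the behaviour described in the quoted post: because the sample queries one hardcoded domain before doing anything else, any DNS query for that name is evidence the sample ran on that host, whether the answer was NXDOMAIN (before the domain was registered) or the sinkhole address (after). The script below is an added example, not code from the article or from any commenter; the domain name is a labelled placeholder since the real one is not given on this page, and the log lines are a constructed, simplified resolver query log.

```python
"""Flag hosts that queried the kill-switch domain in a DNS query log."""
import re
from collections import defaultdict

# Placeholder: the real hardcoded domain is not given on this page.
KILLSWITCH_DOMAIN = "killswitch-domain.example"

# Constructed sample log, one query per line:
# "<timestamp> <client ip> <queried name> <rcode>"
SAMPLE_LOG = """\
2017-05-12T10:01:03Z 10.0.4.17 killswitch-domain.example NXDOMAIN
2017-05-12T10:01:05Z 10.0.4.17 update.example.net NOERROR
2017-05-12T10:02:11Z 10.0.9.3 www.example.org NOERROR
2017-05-12T10:04:40Z 10.0.9.3 KILLSWITCH-DOMAIN.EXAMPLE. NXDOMAIN
2017-05-13T08:15:22Z 10.0.4.17 killswitch-domain.example NOERROR
2017-05-13T08:16:02Z 10.0.7.250 mail.example.org NOERROR
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<name>\S+)\s+(?P<rcode>\S+)$"
)


def find_killswitch_queries(log_text, domain=KILLSWITCH_DOMAIN):
    """Return {client_ip: [(timestamp, rcode), ...]} for each query of `domain`.

    DNS names are case-insensitive and may carry a trailing dot, so both
    sides are normalised before comparing. NXDOMAIN means the host queried
    the domain while it was still unregistered (the sample carried on);
    NOERROR means it hit the sinkhole (the sample exited). Samples built
    without the kill switch never make this query at all, so no hit is not
    evidence that a host is clean.
    """
    target = domain.lower().rstrip(".")
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        if m["name"].lower().rstrip(".") == target:
            hits[m["client"]].append((m["ts"], m["rcode"]))
    return dict(hits)


if __name__ == "__main__":
    for client, events in sorted(find_killswitch_queries(SAMPLE_LOG).items()):
        print(client, events)
```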

  2. God damnit by JustAnotherOldGuy · Score: 5, Funny

    I've tried everything to get this to run on my Linux Mint box (including installing WINE) and it just won't do anything.

    --
    Just cruising through this digital world at 33 1/3 rpm...

  3. sometimes i think worse must precede better... by Anonymous Coward · Score: 5, Insightful

    I've seen security-aware people being widely ignored by technically illiterate managers and decision makers for decades. Sometimes they aren't given the tools they ask for, or their advice is ignored, or sometimes they are both ignored and still blamed when things go wrong. That's not even getting into all the ordinary folks buying low-security or pre-backdoored IoT devices, and the intrusion of the internet into everyday things like cars and televisions.

    Sometimes I think something really nasty has to happen before people will wake up. But then when I think about it some more, I don't believe that would help either. The wrong message would be taken. Instead of adopting good security practices, it would instead be a series of laws that managed to be both misguided, harmful, and utterly useless for solving the real problem. It would be "magical thinking" instead of really paying attention to digital security.

    Then I go have a couple beers, because fuck it.

  4. Well duh, RTFM by Anonymous Coward · Score: 5, Funny

    You need to make sure you have the *correct* version of gettext, libiconv, openssl, gnu-crypto, and gnucash (not the one your distro ships with, of course) and you need the correct version of GCC (4.9.4; it will refuse to compile if you use 4.9.3 or 4.9.5). Also, if you are on Mint you will need to patch the ransomware.h header file, but not on Debian. If using CentOS you need to make sure you load the x86 compatibility libraries or it won't work. Make sure to pass the correct flags to ./configure.

    This is all obvious to everyone who read the manual so stop wasting our time.