
WannaCry – New Variants Detected

265 points by remx, about 8 years ago

23 comments

yardstick, about 8 years ago
Anyone know someone at the Tor Project? Based on a breakdown I read, it downloads the Tor client from https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip

It would be simple to rename this link (or perform a referer check or something else to stop automated downloads), at least temporarily.

Yes, the malware authors will release an update with the different URL (or another hosting site entirely, or embedded), but at least it would provide time for vulnerable users to install patches. Especially now that Microsoft has released a patch for XP.

(I'm basing this URL info on the breakdown found at https://www.bleepingcomputer.com/news/security/wannacry-wana-decryptor-wanacrypt0r-technical-nose-dive/)
rhubarbcustard, about 8 years ago
What's special about WannaCry that has made this such a widespread thing? I presume there has been plenty of malware for a while that can propagate itself around a network of unpatched old Windows machines, and people have been trying to get users to click on emails to infect themselves for years.

So why now? What's so special now?
rnhmjoj, about 8 years ago
I don't get it: why are they using many fake but valid domains? Wouldn't a non-existing TLD do exactly the same thing while being impossible to register by anyone trying to stop the malware?
sonium, about 8 years ago
I really am a bit puzzled by the kill switches. Why does WannaCry have this functionality in the first place? It sounds almost ironically like a Hollywood villain mistake.
excalibur, about 8 years ago
> A new variant with no kill-switch recovered by Kaspersky as a virustotal.com upload — not detected in the Wild.

Uploaded to virustotal MEANS found in the wild. That's what admins do when they discover things.
btown, about 8 years ago
Could a grey hat create a self-propagating but non-ransoming variant that inoculated target machines against its more malicious brethren? Seems like something a state actor might want to do.
acd, about 8 years ago
These systems would be better off security-wise if they would use the latest open source operating system, including the embedded code. The damage this will cause to embedded systems is distasteful.
nthcolumn, about 8 years ago
How does 'Patient A' get wcry2? Phishing? Via internet-facing open 445/3389?
daxfohl, about 8 years ago
Could the 51% "bug" in bitcoin actually be used to an advantage here? A 51% vote to invalidate all these transactions? I assume it doesn't work like that, but figured I would ask.
nathan_f77, about 8 years ago
I think it's hilarious how these "kill switches" are supposedly meant to detect sandboxes, to make it harder for security researchers to analyze the malware. While actually making it easy for security researchers to completely disable all installations around the entire world.

That's just what I heard, but it makes sense. There are far more sane ways to implement a kill switch without using unregistered domains. (For instance, using a registered domain.)
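As an added defender-side example (not code from the thread or from any poster): the kill-switch lookup discussed in this comment and in rnhmjoj's question above leaves a trace in DNS resolver logs, so those logs can be triaged for hosts that performed it. The domain, log format, timestamps and client IPs below are constructed placeholders, not the real kill-switch domain or real data.

```python
import re

# Constructed placeholder for the kill-switch domain(s) an IR team would watch.
KILLSWITCH_DOMAINS = {"killswitch-placeholder.example"}

# Constructed sample resolver log (not real data). dist.torproject.org is the
# Tor download host mentioned earlier in the thread; the rest is made up.
SAMPLE_LOG = """\
2017-05-12T10:01:03Z client=10.0.4.17 query=killswitch-placeholder.example type=A rcode=NOERROR
2017-05-12T10:01:05Z client=10.0.4.17 query=dist.torproject.org type=A rcode=NOERROR
2017-05-12T10:02:11Z client=10.0.9.2 query=killswitch-placeholder.example type=A rcode=NXDOMAIN
2017-05-12T10:03:40Z client=10.0.4.17 query=killswitch-placeholder.example type=A rcode=NOERROR
2017-05-12T10:04:02Z client=10.0.7.8 query=example.org type=A rcode=NOERROR
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<q>\S+) type=\S+ rcode=(?P<rcode>\S+)$"
)


def triage(log_text, watch_domains=KILLSWITCH_DOMAINS):
    """Map each client that queried a watched domain to a small record.

    A NOERROR answer means the kill switch was in effect (the domain resolved,
    so the sample is expected to have exited); an NXDOMAIN means the check
    failed and that host must be treated as potentially encrypting/spreading.
    """
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash mid-triage
        q = m["q"].lower().rstrip(".")
        if q not in watch_domains:
            continue
        rec = hits.setdefault(
            m["client"],
            {"queries": 0, "first": m["ts"], "answered": False, "unanswered": False},
        )
        rec["queries"] += 1
        if m["rcode"] == "NOERROR":
            rec["answered"] = True
        else:
            rec["unanswered"] = True
    return hits


def priority_hosts(hits):
    """Hosts whose kill-switch lookup failed at least once: isolate these first."""
    return sorted(c for c, r in hits.items() if r["unanswered"])
```

Every host in the result ran the check and should be looked at, but the hosts returned by `priority_hosts` are the ones where the kill switch did not fire.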
MilnerRoute, about 8 years ago
Two researchers said they found a variant with a kill switch.

https://motherboard.vice.com/en_us/article/round-two-wannacry-ransomware-that-struck-the-globe-is-back
theincredulousk, about 8 years ago
Why would they keep releasing it, and release it in the first place, with such a simple kill-switch? Doesn't make much sense.

Reminds me of the Archer episode where Cyril plants the computer virus and was going to be the hero by "fixing" it.
nebula, about 8 years ago
I am trying to understand the impact of cryptocurrency. Sorry for my ignorance and/or impertinence. 1. Is it possible to run such large-scale ransom demands without cryptocurrency? 2. Do we know if the attacker is using a single BTC wallet, or if ransoms are being collected in a distributed fashion? 3. Is it possible for the BTC network to hijack BTCs going to the ransom wallet(s)? That is to say, collectively overwrite/override the transactions and maybe reroute the coins to some non-profit wallet? I know it would be a very bad precedent, but I am trying to understand if it is technically possible.
bubblethink, about 8 years ago
This makes me think of a different kind of kill-switch. What if the OS itself is required to have a kill-switch that triggers once it goes out of support, and it prevents regular use unless the admin goes through some serious hoops to override it? It at least squarely puts the blame on 1) orgs that willfully override vs. passively ignoring updates, 2) OS vendors who have really short support cycles (~1 year for most Android phones).
blaqkangel, about 8 years ago
We were warned this would happen, but it's interesting to me that we have detected new variants that include the same type of naive kill switch. I'm not well versed in information security, so my question is whether this means attackers tried another wave by simply changing the kill switch domain, or were there several variants used for the initial attack?
sinaa, about 8 years ago
Are these new variants new compiles?

Is it possible that multiple variants with randomly-generated kill-switches are being automatically generated?
kul_, about 8 years ago
Is there analysis on what encryption algorithm was being used? And how the payment confirmation switch works on the malware?

Is it possible, instead of patching the OS, to release a patch which patches the malware binary to no-op the payment switch?
sengork, about 8 years ago
I would like to know whether the decrypted data can be trusted again in case the contents have been somewhat changed. Then again, it is much better than not having any data at all in some cases...
Animats, about 8 years ago
If they attach this to a new exploit, instead of an old one that targets Windows XP, there's going to be a real problem.
alanfalcon, about 8 years ago
Just wait until this hits the files of a Russian mob who then take some Americans hostage and fly to China and end up entangled in an Islamic terrorist plot. 'Cause then we're in for a very long and drawn out story involving MI6, the CIA, Canadian smuggling routes, and Christian Isolationist 2nd Amendment fanatics.
rurban, about 8 years ago
They will get them following the payments soon enough.
thewarrior, about 8 years ago
Who is doing this knowing full well that GCHQ, FBI and possibly even the NSA are hard at work trying to get them?

These people are going down. No doubt about it.
Sir_Cmpwn, about 8 years ago
Maybe it would be better to wait until the attackers registered the domain, then subpoena the registrar for their account info.