Screenshots shared online purportedly from NHS staff, show a program demanding $300 (£230) in Bitcoin
Screenshots shared online purportedly from NHS staff, show a program demanding $300 (£230) in Bitcoin

NHS cyber attack: New dangerous version of WannaCry ransomware set to be released by hackers

‘Version 1 of WannaCrypt was stoppable but version 2.0 will likely remove the flaw. You're only safe if you patch ASAP,' says accidental hero, 22, who shut down major attack

Ian Johnston@montaukian
Sunday 14 May 2017 15:28
comments

A second version of the devastating WannaCry ransomware – that does not contain the “kill switch” used by a 22-year-old security analyst to shut down many attacks – is set to be released by the hackers, putting more computers at risk.

Costin Raiu, of web security firm Kaspersky Lab, told Hacker News that they had already seen versions of the malware that did not contain the website domain name used to shut down the program, but he later backtracked saying “my bad” and this was not actually the case.

However, experts warned it was likely only a matter of time before this did happen and urged people to instal a security patch released specially by Microsoft.

Hidden in the code was an unregistered web address, which the virus would always try to contact when first infecting a computer. If it received a reply, it would shut down, but if not it would carry out the attack.

A 22-year-old security analyst known as MalwareTech, who wishes to remain anonymous, registered the website, unknowingly activating the shutdown process.

However, he warned that it would be easy for the hackers to change the coding in a “worm” used to infect computers with WannaCry to remove the domain name.

MalwareTech also told Hacker News that they had only stopped one version of WannaCry, which is known by various versions of the name.

“WannaCrypt ransomware was spread normally long before this and will be long after, what we stopped was the SMB worm variant,” he said, referring to the program that affected nearly a fifth of NHS Trusts in England and scores of businesses and government departments around the world.

And in a message on Twitter, he wrote: “Version 1 of WannaCrypt was stoppable but version 2.0 will likely remove the flaw. You’re only safe if you patch ASAP.”

He also retweeted a message saying people who were unable to patch their computer could disable Server Message Block version 1 (SMBv1), linking to Microsoft’s instructions about how to do this.

Mr Raiu wrote on Twitter that his initial belief that the kill switch had been removed from WannaCry had been mistaken.

“My bad – finished analysing all #Wannacry worm mods we have and they all have the kill switch inside. No version without a kill-switch yet,” he said.

Join our new commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

View comments