NHS cyber attack: New dangerous version of WannaCry ransomware set to be released by hackers

‘Version 1 of WannaCrypt was stoppable but version 2.0 will likely remove the flaw. You're only safe if you patch ASAP,' says accidental hero, 22, who shut down major attack

Ian Johnston
Sunday 14 May 2017 15:28
Comments
Screenshots shared online purportedly from NHS staff, show a program demanding $300 (£230) in Bitcoin
Screenshots shared online purportedly from NHS staff, show a program demanding $300 (£230) in Bitcoin

A second version of the devastating WannaCry ransomware – that does not contain the “kill switch” used by a 22-year-old security analyst to shut down many attacks – is set to be released by the hackers, putting more computers at risk.

Costin Raiu, of web security firm Kaspersky Lab, told Hacker News that they had already seen versions of the malware that did not contain the website domain name used to shut down the program, but he later backtracked saying “my bad” and this was not actually the case.

However, experts warned it was likely only a matter of time before this did happen and urged people to instal a security patch released specially by Microsoft.

Hidden in the code was an unregistered web address, which the virus would always try to contact when first infecting a computer. If it received a reply, it would shut down, but if not it would carry out the attack.

A 22-year-old security analyst known as MalwareTech, who wishes to remain anonymous, registered the website, unknowingly activating the shutdown process.

However, he warned that it would be easy for the hackers to change the coding in a “worm” used to infect computers with WannaCry to remove the domain name.

MalwareTech also told Hacker News that they had only stopped one version of WannaCry, which is known by various versions of the name.

“WannaCrypt ransomware was spread normally long before this and will be long after, what we stopped was the SMB worm variant,” he said, referring to the program that affected nearly a fifth of NHS Trusts in England and scores of businesses and government departments around the world.

And in a message on Twitter, he wrote: “Version 1 of WannaCrypt was stoppable but version 2.0 will likely remove the flaw. You’re only safe if you patch ASAP.”

He also retweeted a message saying people who were unable to patch their computer could disable Server Message Block version 1 (SMBv1), linking to Microsoft’s instructions about how to do this.

Mr Raiu wrote on Twitter that his initial belief that the kill switch had been removed from WannaCry had been mistaken.

“My bad – finished analysing all #Wannacry worm mods we have and they all have the kill switch inside. No version without a kill-switch yet,” he said.

Register for free to continue reading

Registration is a free and easy way to support our truly independent journalism

By registering, you will also enjoy limited access to Premium articles, exclusive newsletters, commenting, and virtual events with our leading journalists

Please enter a valid email
Please enter a valid email
Must be at least 6 characters, include an upper and lower case character and a number
Must be at least 6 characters, include an upper and lower case character and a number
Must be at least 6 characters, include an upper and lower case character and a number
Please enter your first name
Special characters aren’t allowed
Please enter a name between 1 and 40 characters
Please enter your last name
Special characters aren’t allowed
Please enter a name between 1 and 40 characters
You must be over 18 years old to register
You must be over 18 years old to register
Opt-out-policy
You can opt-out at any time by signing in to your account to manage your preferences. Each email has a link to unsubscribe.

By clicking ‘Create my account’ you confirm that your data has been entered correctly and you have read and agree to our Terms of use, Cookie policy and Privacy notice.

This site is protected by reCAPTCHA and the Google Privacy policy and Terms of service apply.

Already have an account? sign in

By clicking ‘Register’ you confirm that your data has been entered correctly and you have read and agree to our Terms of use, Cookie policy and Privacy notice.

This site is protected by reCAPTCHA and the Google Privacy policy and Terms of service apply.

Register for free to continue reading

Registration is a free and easy way to support our truly independent journalism

By registering, you will also enjoy limited access to Premium articles, exclusive newsletters, commenting, and virtual events with our leading journalists

Already have an account? sign in

By clicking ‘Register’ you confirm that your data has been entered correctly and you have read and agree to our Terms of use, Cookie policy and Privacy notice.

This site is protected by reCAPTCHA and the Google Privacy policy and Terms of service apply.

Join our new commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

Comments

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in